
NTFS MFT Example



Presentation Transcript


  1. NTFS MFT Example COEN 152 / 252

  2. MFT Table Entry

  3. MFT Table Entry Magic marker: FILE

  4. MFT Table Entry Update Sequence Offset: 0x 00 30. Three entries in update sequence.

  5. MFT Table Entry Sequence number is 0x 00 08

  6. MFT Table Entry Link count is 00 01 (one)

  7. MFT Table Entry First attribute is located at offset 0x 00 38

  8. MFT Table Entry Flags are 0x 01 00: record in use

  9. MFT Table Entry Used size of MFT entry: 0x 00 00 01 68 = 360

  10. MFT Table Entry Allocated size of MFT entry: 0x 00 00 04 00 = 1024 (decimal)

  11. MFT Table Entry File Reference 0

  12. MFT Table Entry Next attribute ID 0004

  13. MFT Table Entry MFT Record Number 00 02 3C E0

  14. MFT Table Entry Attribute Type: 00 00 00 10 Standard

  15. MFT Table Entry Attribute Length: 00 00 00 60

  16. MFT Table Entry Non-resident flag: resident

  17. MFT Table Entry Length of name: 0

  18. MFT Table Entry Offset to name: 0

  19. MFT Table Entry Flags: 0

  20. MFT Table Entry Attribute Identifier: 0

  21. MFT Table Entry Size of Content: 0x 48 = 72

  22. MFT Table Entry Offset to Content: 0x 18 = 24

  23. MFT Table Entry Standard Information Content: File Creation Time 4029AF606C50C701

  24. MFT Table Entry Standard Information Content: File Alteration Time 0046B5606C50C701 2/14/2007, 19:14:41 UTC

  25. MFT Table Entry Standard Information Content: MFT Change Time 90CE7E856C50C701 2/14/2007, 19:15:42 UTC

  26. MFT Table Entry Standard Information Content: File Read Time 0046B5606C50C701 2/14/2007, 19:14:41 UTC

  27. MFT Table Entry DOS Permissions 00 00 00 20

  28. MFT Table Entry Maximum Number of Versions 00 00 00 00

  29. MFT Table Entry Version Number 00 00 00 00

  30. MFT Table Entry Class ID 00 00 00 00

  31. MFT Table Entry Owner ID 00 00 00 00

  32. MFT Table Entry Security ID 00 00 03 0F

  33. MFT Table Entry Quota Charged 00 00 03 0F

  34. MFT Table Entry Update Sequence Number 00 00 00 02 60 E3 93 E8

  35. MFT Table Entry Attribute Type Identifier 30: $FILENAME

  36. MFT Table Entry Length of Attribute: 0x 70

  37. MFT Table Entry Resident:

  38. MFT Table Entry No Name

  39. MFT Table Entry No Name

  40. MFT Table Entry No Flags

  41. MFT Table Entry Attribute identifier 2

  42. MFT Table Entry Size of Content: 0x 52

  43. MFT Table Entry Offset to Content: 0x 18. This gives us the structure of the attribute.

  44. MFT Table Entry File Reference to parent directory: 00 3A 00 00 00 02 B8 E4

  45. MFT Table Entry File creation time: 4029AF606c50C701 2/14/2007 19:14:41 UTC

  46. MFT Table Entry File modification time: 0046B5606c50C701 2/14/2007 19:14:41 UTC

  47. MFT Table Entry File access time: 0046B5606c50C701 2/14/2007 19:14:41 UTC

  48. MFT Table Entry MFT modification time: 0046B5606c50C701 2/14/2007 19:14:41 UTC

  49. MFT Table Entry Allocated Size of File

  50. MFT Table Entry Real Size of File
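
The timestamps on slides 23-26 and 45-48 are printed in on-disk (little-endian) byte order, unlike the header fields, which the slides print as values. The following Python sketch is an added example, not part of the original presentation: it decodes those timestamps, reports where the $STANDARD_INFORMATION and $FILE_NAME sets differ, and splits the parent file reference from slide 44. The function and variable names are hypothetical, and it assumes slide 44 prints the reference most significant byte first.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Timestamp bytes as printed on slides 23-26 ($STANDARD_INFORMATION) and
# 45-48 ($FILE_NAME), in on-disk (little-endian) order.
SI_TIMES = {
    "created": "4029AF606C50C701",
    "modified": "0046B5606C50C701",
    "mft_changed": "90CE7E856C50C701",
    "accessed": "0046B5606C50C701",
}
FN_TIMES = {
    "created": "4029AF606C50C701",
    "modified": "0046B5606C50C701",
    "mft_changed": "0046B5606C50C701",
    "accessed": "0046B5606C50C701",
}

def filetime_to_utc(disk_hex):
    """Decode 8 on-disk bytes (hex) as a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    raw = bytes.fromhex(disk_hex)
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def split_file_reference(ref):
    """Split a 64-bit file reference into (MFT record number, sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def si_fn_differences(si, fn):
    """Return {field: seconds $SI is later than $FN} for the fields that differ."""
    out = {}
    for field in si:
        delta = filetime_to_utc(si[field]) - filetime_to_utc(fn[field])
        if delta:
            out[field] = delta.total_seconds()
    return out

if __name__ == "__main__":
    for name, value in SI_TIMES.items():
        print(f"$SI {name:12s} {filetime_to_utc(value).isoformat()}")
    print("differs from $FN:", si_fn_differences(SI_TIMES, FN_TIMES))
    # Slide 44's parent reference, read as a value (assumption: MSB first).
    print("parent (record, sequence):", split_file_reference(0x003A00000002B8E4))
```

With the slide values, only the MFT change time differs between the two attributes; the other three timestamps match.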
