We're talking about the NTFS file system. In this module, we're going to be talking about data runs. In our last module, we took a look at the data attribute in a file record. We talked about how hexadecimal 80 is a data attribute. Right after that, we see the length of the attribute; hexadecimal 48 is the number of bytes in the attribute. Next, we see the resident/non-resident flag. It's technically called the non-resident flag, and we can see here it is 00, so the flag is not flying, so this would be a resident data attribute. Then we can move over to hexadecimal 1C over here. We can see the offset to the data from the start of the attribute, and that would be 18. We go down one line and over eight bytes, and that would take us to the start of our data. We can see this is an example of a resident data attribute, written in ASCII. This is how we would read a resident data attribute within a file record entry.

Now, for a non-resident data attribute, you're going to have the same thing in the header. You're going to have the length of the attribute. When we get to the non-resident flag, we see that the flag is up. This indicates to us that this is a non-resident data attribute and that the data for this file is located not within the MFT record itself, but somewhere out on the drive. Next, we need to find the offset to the data from the start of the attribute. We go down two lines and we can see that this offset is hexadecimal 40. That tells us that our data run, where we can find the location of the data out on the drive, is going to be four lines down from the start of the attribute. We count four lines down, 1, 2, 3, 4, and this takes us to our data run.

We're going to take a very good look at the data run itself. The first byte in the data run is what's called a run header. We interpret that by splitting it into two nibbles and then adding them together to get the total number of bytes in our data run. If we add two and one, we come up with three. That tells us our data run is three bytes long. The byte right after the header, the one byte indicated by the nibble value 1, is hexadecimal 55. This is the length in clusters of our data run. The nibble 2, the far left nibble, represents the starting cluster. The starting cluster is going to be over here, and it's going to be 8B, 05, but it will be read little-endian, so it'd be 05, 8B. Then when you get to all zeros, you're at the end of your data run.

Here, we have a visual of what I was talking about. We have our run list header split into two nibbles. The two and the one: we add 2 plus 1, we get 3. The left nibble represents what's called the starting extent, or the starting cluster. The one, the right nibble, represents the size: how many clusters. The 8B and the 05 tell us the starting cluster. The right nibble, the one, tells us the size is held in the first byte after the header. The left nibble is two, so we know we need two bytes; those are the next two bytes in our data run, and they tell us the starting cluster.

We're going to go ahead and take a look at this in Active Disk Editor. The items we're going to need for this walk-through are Active Disk Editor, our NTFS VHD, and Windows Calculator, or any type of calculator will work just fine. The first thing we're going to need to do for our walk-through is attach our VHD. Attach VHD, navigate out to where our NTFS.vhd is stored, then click "Okay" and our VHD will mount. As before, make sure you know the disk number. The volume that we're going to be working with is the second volume on the drive, the first NTFS volume; on my computer it's B, on yours it may be different. The size is 200 megabytes, and the volume label is NTFS. Let's go ahead and start Active Disk Editor. We're going to select "Volumes", then we're going to select our NTFS volume, then we're going to click "Open". Again we're going to be brought to the volume boot record. Let's take a quick look in the volume boot record at our sectors per cluster, which is eight, and our bytes per sector, which is 512. If we multiply 8 times 512, we get 4,096 bytes in a cluster. Scroll down and let's take a look at resident.txt first. We looked at this file record before; we noticed the header. We see it says FILE, so we know we're looking at an MFT file record. Now we can see our attributes within the file record. We have our standard information attribute, and we parsed that in the last module. We have our filename attribute, hexadecimal 30. We talked about our object ID attribute, and now we have our data attribute. The first part of our attribute is actually called an attribute header. It tells us the type of attribute we have.
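The run-header decoding walked through above, as an added example that is not part of this module's own material: a small Python parser that reads the run list from the walk-through (header 21, length 55, starting cluster 8B 05, terminator 00) and goes beyond that single case by handling multiple runs, where each later starting cluster is a signed offset relative to the previous run, and sparse runs, which have no starting-cluster bytes. The cluster size of 4,096 comes from the volume boot record values quoted above; the second run in the sample is constructed here for illustration.

```python
# Sectors per cluster (8) * bytes per sector (512), as read from the volume boot record.
CLUSTER_SIZE = 8 * 512


def parse_data_runs(run_list):
    """Decode an NTFS run list into (starting_cluster, length_in_clusters) pairs.

    Each run starts with a one-byte run header. The right (low) nibble is the
    number of bytes that hold the run length; the left (high) nibble is the
    number of bytes that hold the starting cluster. Both fields are little-endian.
    After the first run, the starting cluster is stored as a signed offset
    relative to the previous run's starting cluster. A 00 header ends the list.
    """
    runs = []
    pos = 0
    current_lcn = 0  # running logical cluster number, updated by each relative offset
    while pos < len(run_list):
        header = run_list[pos]
        if header == 0x00:
            break  # all zeros: end of the data run
        length_bytes = header & 0x0F   # right nibble
        offset_bytes = header >> 4     # left nibble
        pos += 1
        if length_bytes == 0 or pos + length_bytes + offset_bytes > len(run_list):
            raise ValueError("truncated or malformed run at byte %d" % (pos - 1))
        length = int.from_bytes(run_list[pos:pos + length_bytes], "little")
        pos += length_bytes
        if offset_bytes == 0:
            # No starting-cluster bytes: a sparse run that occupies nothing on disk.
            runs.append((None, length))
            continue
        delta = int.from_bytes(run_list[pos:pos + offset_bytes], "little", signed=True)
        pos += offset_bytes
        current_lcn += delta
        runs.append((current_lcn, length))
    return runs


def run_byte_ranges(runs, cluster_size=CLUSTER_SIZE):
    """Translate cluster runs into (byte_offset, byte_length) ranges on the volume."""
    return [(lcn * cluster_size, length * cluster_size)
            for lcn, length in runs if lcn is not None]


# Constructed sample: the run list from the walk-through (21 55 8B 05 00).
WALKTHROUGH_RUN_LIST = bytes.fromhex("21558B0500")
# Constructed sample: the same first run, then a second run 16 clusters long that starts
# 16 clusters *before* the first (signed offset F0 = -16), then an 8-cluster sparse run.
MULTI_RUN_LIST = bytes.fromhex("21558B05" "1110F0" "0108" "00")

if __name__ == "__main__":
    for lcn, length in parse_data_runs(WALKTHROUGH_RUN_LIST):
        print("start cluster %d (0x%X), %d clusters" % (lcn, lcn, length))
```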