Presentation is loading. Please wait.

Presentation is loading. Please wait.

NTFS MFT Example COEN 152 / 252. MFT Table Entry.

Published byJunior McGee Modified over 9 years ago

Similar presentations

Presentation on theme: "NTFS MFT Example COEN 152 / 252. MFT Table Entry."— Presentation transcript:

1 NTFS MFT Example COEN 152 / 252

2 MFT Table Entry

3 Magic marker: FILE

4 MFT Table Entry Update Sequence Offset: 0x 00 30 Three entries in update sequence

5 MFT Table Entry Sequence number is 0x 00 08

6 MFT Table Entry Link count is 00 01 (one)

7 MFT Table Entry First attribute is located at offset 0x 00 38

8 MFT Table Entry Flags are 0x 01 00 Record in use

9 MFT Table Entry Used size of MFT entry: 0x 00 00 01 68 = 360

10 MFT Table Entry Allocated size of MFT entry: 0x 00 00 04 00 = 1024 10

11 MFT Table Entry File Reference 0

12 MFT Table Entry Next attribute ID 0004

13 MFT Table Entry MFT Record Number 00 02 3C E0

14 MFT Table Entry Attribute Type: 00 00 00 10 Standard

15 MFT Table Entry Attribute Length: 00 00 00 60

16 MFT Table Entry Non-resident flag: resident

17 MFT Table Entry Length of name: 0

18 MFT Table Entry Offset to name: 0

19 MFT Table Entry Flags: 0

20 MFT Table Entry Attribute Identifier: 0

21 MFT Table Entry Size of Content: 0x 48 = 72

22 MFT Table Entry Offset to Content: 0x 18 = 24

23 MFT Table Entry Standard Information Content: File Creation Time 4029AF606C50C701

24 MFT Table Entry Standard Information Content: File Alternation Time 0046B5606C50C701 2/14/2007, 19:14:41 UTC

25 MFT Table Entry Standard Information Content: MFT Change Time 90CE7E856C50C701 2/14/2007, 19:15:42 UTC

26 MFT Table Entry Standard Information Content: File Read Time 0046B5606C50C701 2/14/2007, 19:14:41 UTC

27 MFT Table Entry DOS Permissions 00 00 00 20

28 MFT Table Entry Maximum Number of Versions 00 00

29 MFT Table Entry Version Number 00 00

30 MFT Table Entry Class ID 00 00

31 MFT Table Entry Owner ID 00 00

32 MFT Table Entry Security ID 00 00 03 0F

33 MFT Table Entry Quota Charged 00 00 03 0F

34 MFT Table Entry Update Sequence Number 00 00 00 02 60 E3 93 E8

35 MFT Table Entry Attribute Type Identifier 30: $FILENAME

36 MFT Table Entry Length of Attribute: 0x 70

37 MFT Table Entry Resident:

38 MFT Table Entry No Name

39 MFT Table Entry No Name

40 MFT Table Entry No Flages

41 MFT Table Entry Attribute identifier 2

42 MFT Table Entry Size of Content: 0x 52

43 MFT Table Entry Offset to Content: 0x 18 This gives us the structure of the attribute

44 MFT Table Entry File Reference to parent directory: 00 3A 00 00 00 02 B8 E4

45 MFT Table Entry File creation time: 4029AF606c50C701 2/14/2007 19:14:41 UTC

46 MFT Table Entry File modification time: 0046B5606c50C701 2/14/2007 19:14:41 UTC

47 MFT Table Entry File access time: 0046B5606c50C701 2/14/2007 19:14:41 UTC

48 MFT Table Entry MFT modification time: 0046B5606c50C701 2/14/2007 19:14:41 UTC

49 MFT Table Entry Allocated Size of File

50 MFT Table Entry Real Size of File

51 MFT Table Entry Flags

52 MFT Table Entry Security ID

53 MFT Table Entry Filename length in Unicode Characters: 8

54 MFT Table Entry Filename namespace

55 MFT Table Entry File name / extension in unicode: test.txt

56 MFT Table Entry Attribute Type: Object_ID

57 MFT Table Entry Length of Attribute: 0x28

58 MFT Table Entry Length of Attribute: 0x28

59 MFT Table Entry B0: Resident B1-4: No Name B 5-6: Attribute ID: 3

60 MFT Table Entry Size of content: 0x10 Offset to content 0x18 Check: Length of attribute is 0x28

61 MFT Table Entry Object ID:

62 MFT Table Entry Object ID:

63 MFT Table Entry Attribute Type: $DATA

64 MFT Table Entry Attribute Length: 0x30

65 MFT Table Entry Resident

66 MFT Table Entry No name

67 MFT Table Entry Size of contents: 0x17

68 MFT Table Entry Offset to contents: 0x18

69 MFT Table Entry Contents

70 MFT Table Entry End of Entry

Download ppt "NTFS MFT Example COEN 152 / 252. MFT Table Entry."

Similar presentations

Chapter 6 File Systems 6.1 Files 6.2 Directories

Chapter 6 File Systems 6.1 Files 6.2 Directories
NTFS - The workhorse file system for the Windows Platform

NTFS - The workhorse file system for the Windows Platform
COMP091 – Operating Systems 1

COMP091 – Operating Systems 1
Chapter 4 : File Systems What is a file system?

Chapter 4 : File Systems What is a file system?
MFT Analysis http://www.integriography.com/ http://windowsir.blogspot.com/2010/02/mft-analysis.html.

MFT Analysis
CSN11121/CSN11122 System Administration and Forensics File System 28/10/2011

CSN11121/CSN11122 System Administration and Forensics File System 28/10/2011
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
File Systems Examples.

File Systems Examples.
The Unix File System. What are the three parts of every file on a Unix filesystem? And where is each stored? Filename - stored in directories Inode -

The Unix File System. What are the three parts of every file on a Unix filesystem? And where is each stored? Filename - stored in directories Inode -
© Microsoft Corporation1 Windows Kernel Internals NTFS David B. Probert, Ph.D. Windows Kernel Development Microsoft Corporation.

© Microsoft Corporation1 Windows Kernel Internals NTFS David B. Probert, Ph.D. Windows Kernel Development Microsoft Corporation.
FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)

FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)
Chapter 10: File-System Interface

Chapter 10: File-System Interface
1 EXT4NTFS 6FAT32 Allocation method IndexedIndexed, by “runs”Linked File representation i-node (default size 256KB) MFT record (default size 1Kb) Chain.

1 EXT4NTFS 6FAT32 Allocation method IndexedIndexed, by “runs”Linked File representation i-node (default size 256KB) MFT record (default size 1Kb) Chain.
Operating Systems File Systems CNS 3060.

Operating Systems File Systems CNS 3060.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
File Systems Topics –File –Directory –File System Implementation Reference: Chapter 5: File Systems Operating Systems Design and Implementation (Second.

File Systems Topics –File –Directory –File System Implementation Reference: Chapter 5: File Systems Operating Systems Design and Implementation (Second.
6/24/2015B.RamamurthyPage 1 File System B. Ramamurthy.

6/24/2015B.RamamurthyPage 1 File System B. Ramamurthy.
1 File Management in Representative Operating Systems.

1 File Management in Representative Operating Systems.
1 Friday, July 07, 2006 “Vision without action is a daydream, Action without a vision is a nightmare.” - Japanese Proverb.

1 Friday, July 07, 2006 “Vision without action is a daydream, Action without a vision is a nightmare.” - Japanese Proverb.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Similar presentations

Ads by Google