NTFS MFT data run decoding problem
Posted: Thu Feb 14, 2013 8:20 am
Hi all,
Hopefully this is the right place to post this.
I'm having a bit of a nightmare trying to calculate some data runs present within an NTFS MFT entry, to be more specific, inside of the index allocation attribute.
The data runs taken from the attribute are:

I've written some code to decode them, but for some reason the final value being returned is completely wrong, and doesn't point to an INDX file, like the rest do.
I'm not sure if this is a problem with my decoder, or if that piece of the run is actually telling me something different.
If anyone can help decode these runs, or help shine a bit of light on what might be going wrong, I'd appreciate it.
Thanks
The values that I've gotten from decoding the runs are:
-

mrthaggar - Newbie
Re: NTFS MFT data run decoding problem
Posted: Thu Feb 14, 2013 9:54 am
Can you try joakim's thingy here?:
www.forensicfocus.com/...ic/t=8010/
code.google.com/p/mft2csv/
maybe it gives the results you are looking for.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: NTFS MFT data run decoding problem
Posted: Thu Feb 14, 2013 10:18 am
1 - THINK in HEX. It is much easier
2 - The first offset is 0xbeeef
3 - Multiply this by sectors per cluster (usually 0x8)
4 - Add in the start of the partition, eg 0x3f, 0x800
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/
-

mscotgrove - Senior Member
Re: NTFS MFT data run decoding problem
Posted: Thu Feb 14, 2013 10:20 am
The normal cockup(tm) here is not to apply the fixup values first, have you done that?
Also it would be useful to provide a screenshot of the complete MFT record, with the bytes that you think are relevant highlighted, so that we can see that you are actually pointing at the start of the data runs.
_________________
Paul Sanderson
Reconnoitre, VSC processing made easy - www.sandersonforensics...oitre.html
www.twitter.com/sandersonforens
-

PaulSanderson - Senior Member
Re: NTFS MFT data run decoding problem
Posted: Thu Feb 14, 2013 10:50 am
Thanks for the input guys.
I've just this second realised that part of the data run is within the last two bytes of the sector, therefore I've not looked into the fixup array to get the true values.
I'll go do that now and let you know how I get on!
Thanks Paul for pointing out the error (cockup)
-

mrthaggar - Newbie