Help needed decoding MFT data runs

(@kolad)
Posts: 2
New Member
Topic starter
 

Hello guys,

I've been banging my head for some time now trying to figure out how to decode the following data run taken from an $INDEX_ALLOCATION attribute in an attempt to grab all INDX records associated with a directory and more precisely the offsets.

31 01 1F DF 33 11 01 01 11 01 01 11 01 01 11 01 01 11 01 01 11 01 01 11 01 01 11 02 01 11 02 02 11 04 02 11 04 04 11 04 04 11 08 04 11 08 E3 02 08 08 11 10 08 11 10 10 11 10 10 11 20 10 11 20 20 00
To my humble understanding, the runs will be separated like this:

Run 1: header 31, size 01, offset 3399455 (0x33DF1F)
Run 2: header 11, size 01, offset 3399456 (3399455 + 1)
...
Run 14: header 11, size 08, offset 3399479
Run 15: header 11, size 08, offset 3399450 (3399479 - 29, since 0xE3 = -29)
Run 16: header 02, size 2056 (0x0808), offset 0 (sparse)
Run 17: header 11, size 16 (0x10), offset 3399458
...
Run 21: header 11, size 32 (0x20), offset 3399538
Run 22: header 00, end of the run list

What I can't understand is how it is possible to have a data run with a negative offset that leads me right into the middle of the previous data run. That way I'm parsing records twice. Am I decoding it the wrong way? Please help.

 
Posted : 08/10/2015 9:31 pm
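As an added example (this is not code from the thread or from any of the posters), here is a Python decoder for NTFS data run lists, fed with the run list quoted in the post above, plus a check that flags runs whose cluster ranges overlap. A valid run list never overlaps itself, so when run 15 lands inside runs 1 to 3 the right conclusion is that the bytes being decoded are not what is on disk, not that the decoding rule is wrong.

```python
# Run list as posted in the thread (hex string copied from the first post).
RUNLIST_HEX = (
    "31 01 1F DF 33 11 01 01 11 01 01 11 01 01 11 01 01 11 01 01 11 01 01 "
    "11 01 01 11 02 01 11 02 02 11 04 02 11 04 04 11 04 04 11 08 04 11 08 E3 "
    "02 08 08 11 10 08 11 10 10 11 10 10 11 20 10 11 20 20 00"
)
RUNLIST = bytes.fromhex(RUNLIST_HEX)


def decode_runlist(data):
    """Decode an NTFS data run list into a list of (lcn, length) tuples.

    Each run starts with a header byte: the low nibble is the number of bytes
    holding the run length (in clusters), the high nibble the number of bytes
    holding the cluster offset. The offset is a signed little-endian number
    relative to the previous run's LCN, so 0xE3 in a one-byte offset is -29.
    An offset size of 0 marks a sparse run (no clusters on disk), returned
    with lcn=None and leaving the running LCN unchanged. A 0x00 header ends
    the list.
    """
    runs = []
    pos = 0
    lcn = 0
    while pos < len(data):
        header = data[pos]
        pos += 1
        if header == 0x00:
            break
        len_size = header & 0x0F
        off_size = header >> 4
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError("malformed run header 0x%02X at byte %d" % (header, pos - 1))
        length = int.from_bytes(data[pos:pos + len_size], "little", signed=False)
        pos += len_size
        if off_size == 0:
            runs.append((None, length))
            continue
        delta = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        if lcn < 0:
            raise ValueError("negative LCN after run %d" % (len(runs) + 1))
        runs.append((lcn, length))
    return runs


def overlapping_runs(runs):
    """Return (i, j) pairs of 1-based run numbers whose cluster ranges overlap.

    Sparse runs occupy no clusters and are skipped. A non-empty result means
    the run list was misread somewhere; for a run list inside an MFT record
    the usual cause is reading the raw sectors without applying the fixups.
    """
    spans = [(n + 1, lcn, lcn + length)
             for n, (lcn, length) in enumerate(runs) if lcn is not None]
    pairs = []
    for i, (a_no, a_start, a_end) in enumerate(spans):
        for b_no, b_start, b_end in spans[i + 1:]:
            if a_start < b_end and b_start < a_end:
                pairs.append((a_no, b_no))
    return pairs


if __name__ == "__main__":
    decoded = decode_runlist(RUNLIST)
    for n, (lcn, length) in enumerate(decoded, 1):
        print("run %2d: lcn=%s length=%d" % (n, "sparse" if lcn is None else lcn, length))
    print("overlaps:", overlapping_runs(decoded))
```

Running it reproduces the numbers from the post (run 14 at 3399479, run 15 at 3399450, run 17 at 3399458, run 21 at 3399538) and lists run 15 overlapping runs 1, 2 and 3, and run 17 overlapping runs 4 to 12.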
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Wild guess 😯, mind you, but maybe you didn't consider the fixup values?
http://www.forensicfocus.com/Forums/viewtopic/t=10258/
http://0cch.net/ntfsdoc/concepts/fixup.html

jaclaz

 
Posted : 08/10/2015 11:00 pm
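To show what the fixup suggestion means in practice, here is an added Python example (not from the thread) that undoes NTFS update-sequence fixups on a record. The sample record is constructed for the example and is not taken from a real volume: a run list is placed so that its last two bytes sit at the end of the first 512-byte sector, which is exactly where NTFS overwrites the data with the update sequence number on write and parks the displaced bytes in the update sequence array in the record header. Decoding the raw sectors without restoring those bytes yields a run list that looks plausible but is wrong.

```python
import struct

SECTOR = 512


def apply_fixups(record, sector_size=SECTOR):
    """Undo update-sequence fixups on one multi-sector NTFS record (FILE or INDX).

    Bytes 4-5 of the record header hold the offset of the update sequence
    array (USA), bytes 6-7 its size in 16-bit words. The first word is the
    update sequence number (USN); NTFS writes that USN over the last two bytes
    of every sector of the record and keeps the displaced bytes in the
    following USA words. Returns a copy with the original bytes restored and
    raises ValueError if a sector does not carry the expected USN (torn write,
    or the caller passed the wrong record size).
    """
    usa_ofs, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_ofs:usa_ofs + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * sector_size
        if fixed[end - 2:end] != usn:
            raise ValueError("sector %d: USN mismatch, record torn or wrong size" % (i - 1))
        fixed[end - 2:end] = record[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(fixed)


def fixups_ok(record, sector_size=SECTOR):
    """True if every sector of the record carries the current USN."""
    try:
        apply_fixups(record, sector_size)
        return True
    except ValueError:
        return False


# Constructed sample: a 1024-byte MFT record with a hypothetical run list
# "31 02 1F DF 33 11 08 E3 00" ending exactly on the first sector boundary.
RUNLIST_ON_DISK = bytes.fromhex("31 02 1F DF 33 11 08 E3 00")
RUNLIST_OFFSET = SECTOR - len(RUNLIST_ON_DISK)


def build_sample_record(usn=0x0003):
    """Build the record as it would appear on disk, USN already applied."""
    rec = bytearray(2 * SECTOR)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)       # USA at 0x30: USN + one word per sector
    rec[RUNLIST_OFFSET:SECTOR] = RUNLIST_ON_DISK
    rec[2 * SECTOR - 2:2 * SECTOR] = b"\xaa\xbb"   # arbitrary payload bytes at the end of sector 2
    struct.pack_into("<H", rec, 0x30, usn)
    for i in (1, 2):                               # what NTFS does on write: save, then overwrite
        end = i * SECTOR
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)


RAW_RECORD = build_sample_record()
FIXED_RECORD = apply_fixups(RAW_RECORD)

if __name__ == "__main__":
    print("raw run list bytes:  ", RAW_RECORD[RUNLIST_OFFSET:SECTOR].hex(" "))
    print("fixed run list bytes:", FIXED_RECORD[RUNLIST_OFFSET:SECTOR].hex(" "))
```

In the raw sectors the run list reads "31 02 1F DF 33 11 08 03 00": the second run appears to start 3 clusters after the first, and the 0x00 that follows still terminates the list, so nothing looks obviously broken. After apply_fixups the bytes are "31 02 1F DF 33 11 08 E3 00" and the second run is at -29 clusters, which is what the record actually describes. Always apply fixups to an MFT or INDX record before parsing attributes out of it, and treat a USN mismatch as a reason to stop rather than a detail to skip.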
(@kolad)
Posts: 2
New Member
Topic starter
 

That was exactly it. Thank you so much jaclaz!!!

 
Posted : 09/10/2015 4:45 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

Think in hex, not decimal. It is actually much simpler for this type of calculation.

For instance, the first byte is actually two nibbles: 0x31 is a 0x3 and a 0x1. If you were to treat this as a decimal number, it would make little sense at all!

 
Posted : 09/10/2015 4:59 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

That was exactly it. Thank you so much jaclaz!!!

Actually the one that should be thanked is PaulSanderson and his trademarked 😯 "normal cockup" suggestion on the given thread ;)

jaclaz

 
Posted : 09/10/2015 5:25 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

That was exactly it. Thank you so much jaclaz!!!

Actually the one that should be thanked is PaulSanderson and his trademarked 😯 "normal cockup" suggestion on the given thread ;)

jaclaz

Thanks Jaclaz - always wanted to be famous for something - "normal cockup" it is then :)

 
Posted : 09/10/2015 5:32 pm