NTFS MFT data run decoding problem

5 Posts
4 Users
0 Likes
1,492 Views
(@mrthaggar)
Posts: 11
Active Member
Topic starter
 

Hi all,

Hopefully this is the right place to post this.

I'm having a bit of a nightmare trying to calculate some data runs present within an NTFS MFT entry, to be more specific, inside of the index allocation attribute.

The data runs taken from the attribute are

I've written some code to decode them, but for some reason the final value being returned is completely wrong, and doesn't point to an INDX file, like the rest do.

I'm not sure if this is a problem with my decoder, or if that piece of the run is actually telling me something different.

If anyone can help decode these runs, or help shine a bit of light on what might be going wrong, I'd appreciate it.

Thanks

The values that I've gotten from decoding the runs are

 
Posted : 14/02/2013 6:20 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Can you try joakim's thingy here?
http://www.forensicfocus.com/Forums/viewtopic/t=8010/
http://code.google.com/p/mft2csv/
maybe it gives the results you are looking for.

jaclaz

 
Posted : 14/02/2013 7:54 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

1 - THINK in HEX. It is much easier

2 - The first offset is 0xbeeef

3 - Multiply this by sectors per cluster (usually 0x8)

4 - Add in the start of the partition, eg 0x3f, 0x800

 
Posted : 14/02/2013 8:18 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

The normal cockup™ here is not to apply the fixup values first, have you done that?

Also it would be useful to provide a screenshot of the complete MFT record, with the bytes that you think are relevant highlighted, so that we can see that you are actually pointing at the start of the data runs.

 
Posted : 14/02/2013 8:20 pm
(@mrthaggar)
Posts: 11
Active Member
Topic starter
 

Thanks for the input guys.

I've just this second realised that part of the data run is within the last two bytes of the sector, therefore I've not looked into the fixup array to get the true values.

I'll go do that now and let you know how I get on!

Thanks Paul for pointing out the error (cockup)

 
Posted : 14/02/2013 8:50 pm
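The two points made in this thread, mscotgrove's hex arithmetic (cluster offset times sectors per cluster, plus the partition start) and Paul's reminder to apply the fixup array before reading anything that straddles a sector boundary, fit together in one short decoder. The following is an added example, not code from any poster or from mft2csv. The 1024-byte MFT record it parses is constructed inline so that the run list crosses the end of the first sector exactly as the topic starter describes; the first run offset (0xbeeef), the 8 sectors per cluster and the 0x800 partition start are taken from mscotgrove's post, and the byte offset 504 of the run list inside the record is an arbitrary choice for the sample, not an NTFS constant.

```python
import struct

SECTOR_SIZE = 512


def apply_fixups(record: bytes, sector_size: int = SECTOR_SIZE) -> bytes:
    """Return a copy of an MFT record with the update sequence array applied.

    The record header holds the offset (bytes 4-5) and entry count (bytes 6-7)
    of the update sequence array (USA). Entry 0 is the update sequence number
    (USN); on write NTFS stores the USN in the last two bytes of every sector
    of the record and keeps the displaced original bytes in entries 1..count-1.
    Reading those last two bytes without undoing this gives garbage, which is
    exactly what happens when a data run list crosses a sector boundary.
    """
    buf = bytearray(record)
    usa_offset, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_offset:usa_offset + 2])
    for i in range(1, usa_count):
        end = i * sector_size
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: record is torn or corrupt")
        entry = usa_offset + 2 * i
        buf[end - 2:end] = buf[entry:entry + 2]
    return bytes(buf)


def decode_data_runs(runs: bytes) -> list:
    """Decode an NTFS data run list into (cluster_count, lcn) pairs.

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the offset field. The length is unsigned; the offset is
    a signed delta from the previous run's LCN. An offset size of 0 means a
    sparse run (lcn reported as None). A header byte of 0x00 ends the list.
    """
    result, pos, lcn = [], 0, 0
    while pos < len(runs):
        header = runs[pos]
        pos += 1
        if header == 0:
            break
        len_size, off_size = header & 0x0F, header >> 4
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            result.append((length, None))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        result.append((length, lcn))
    return result


def runs_to_sectors(runs: list, sectors_per_cluster: int = 8, partition_start: int = 0x800) -> list:
    """Turn (count, lcn) pairs into (count, absolute sector) pairs: lcn * spc + partition start."""
    return [(n, None if lcn is None else lcn * sectors_per_cluster + partition_start)
            for n, lcn in runs]


RUN_OFFSET = 504  # constructed sample only: the run list starts 8 bytes before the sector boundary


def build_sample_record() -> bytes:
    """Construct a 1024-byte record whose run list straddles the first sector's last two bytes."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)  # USA at 0x30: USN plus one entry per 512-byte sector
    # Two runs: 0x20 clusters at LCN 0xBEEEF, then 0x10 clusters at LCN 0xBEEEF + 0x100, terminator.
    run_bytes = bytes.fromhex("31 20 EF EE 0B 21 10 00 01 00")
    rec[RUN_OFFSET:RUN_OFFSET + len(run_bytes)] = run_bytes
    # Simulate the on-disk form: stash the last word of each sector in the USA, overwrite with the USN.
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i, end in enumerate((512, 1024), start=1):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def decode_from_record(record: bytes, fix: bool = True) -> list:
    """Decode the sample's run list, with or without applying the fixups first."""
    data = apply_fixups(record) if fix else record
    return decode_data_runs(data[RUN_OFFSET:RUN_OFFSET + 16])


if __name__ == "__main__":
    rec = build_sample_record()
    print("without fixups:", decode_from_record(rec, fix=False))
    print("with fixups:   ", decode_from_record(rec))
    print("sectors:       ", runs_to_sectors(decode_from_record(rec)))
```

Run as-is, the "without fixups" line shows the second run's length read as 7 (the USN byte) instead of 0x10, while the fixed-up decode gives the intended value; the sector numbers are then just LCN times 8 plus 0x800, as mscotgrove's steps describe. The mismatch check in `apply_fixups` is worth keeping in any carving or parsing tool: a USN that does not match in every sector means the record was only partly written or has been tampered with, and its contents should not be trusted.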