That worked. Thank you so much.
mscotgrove, I ran into one more problem.
01. 786432 -- 26110
fragment 01 786432 + 26110 = 812542
02. 375748 -- 274
fragment 02 375748 + 786432 = 1162180
03. 8143391 -- 536
fragment 03 8143391 + 1162180 = 9305571
04. 8818042 -- 412
fragment 04 8818042 (+/-) ? = 1346397 <-- problem here
05. 144676 -- 1580
fragment 05 144676 + 1346397 = 1491073
06. 8178099 -- 1089
fragment 06 8178099 + 1491073 = 9669172
07. 168971 -- 3579
fragment 07 168971 + 9669172 = 9838143
I can prove everything except "fragment 04". I cannot figure out how to calculate that address. I tried every combination that I could think of and I still cannot figure out how that lcn was calculated. I know the lcn (1346397) is correct, I got it from winhex.
Solving for x we get (7471645), which makes no sense relative to the other figures we have; at least nothing obvious. Any idea?
8818042 - 7471645 = 1346397.
In this instance, the next part of the cluster run, is located before the current cluster run.
In my experimentation, if the number you obtain is equal to or greater than half of it's maximum value, the value of X is subtracted from the current position, not added.
Hope that helps.
If you stuck to hex you would see that the 4 fragment number was negative 0x868dfa If a positive number was required, it would be stored as 0x00868dfa.
The think the best way for you to get quick results is to download the demo of my software
If you then run a Recover function (even in demo mode) the log will store the fragments (up to 0x40 in nunmber for each file). These can be viewed by clicking on the Frags column in the log. From this you should beable to see many examples of how data runs are stored. It is the same for any file, and the $MFT is just a file.
A better link would be cnwrecovery.com with a "y".
Thanks - I have corrected it now.
My question was how can I calculate the x value. Really both the x value and the answer are undefined. The x value must first be defined before I can derive the answer (the other x value). I knew the answer from looking at the cluster list using WinHex. However, in code both are undefined until I define them. So, I really need to know what combination of known numbers (listed above) is used to create the x value. I understood that I must subtract them, once I derived the x value, but without it, I could never derive it.
For example 9305571 - 8818042 != 1346397
Thus, how do I derive that magic number (7471645)? Thanks
On a side note, mscotgrove, you should make your signature a link to your software.
Should I be looking at the $Bitmap record to help me with this?