
$I30

6 Posts
4 Users
0 Reactions
3,618 Views
craigburke
(@craigburke)
New Member
Joined: 17 years ago
Posts: 2
Topic starter  

Hello,
I think there used to be a topic or thread which commented on this, but it seems to be broken/bad.
What are the $I30 files that are located? I thought it was a file which had the attributes of the folder or an index of the folder. However, when I attempt to open the $I30 file in a text editor, I get unreadable characters.

Could someone please elaborate on these files or provide a link to some resource which does?

Thanks!

*I should specify that this is with FTK 2.0


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

If you have a link I can take a look at the thread to see what's wrong (all the ones I found with a search seemed OK).

Jamie


   
craigburke
(@craigburke)
New Member
Joined: 17 years ago
Posts: 2
Topic starter  

http://forums.accessdata.com/viewthread.php?tid=676


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Aha, sorry, not under my jurisdiction 😉

Try a search for I30 here, seems to throw out a few results.

Jamie


   
ahoog
(@ahoog)
Eminent Member
Joined: 17 years ago
Posts: 47
 

It's all a bit confusing but here's my understanding (using Brian Carrier's FSFA book and Google)

The $I30 is the "file" name given to NTFS MFT attributes containing file name indexes for directories. NTFS stores the file name contents of the directory in several places, depending on the number of files in the directory:

- For directories with just a few files, all are stored resident in the MFT entry $INDEX_ROOT
- For directories with many files, the indexes are stored non-resident in the MFT entry $INDEX_ALLOCATION
- The allocation status of these entries is managed by the $BITMAP MFT entry

NTFS uses B-tree structures to store and quickly access the data. In an example I just looked at, the HISTORY.IE5 directory on a computer had many files. So, the $INDEX_ROOT attribute (with a name of $I30) was not large enough to store the B-tree index of file names. Instead, it points to index records stored in the non-resident $INDEX_ALLOCATION. When I view the contents of that file, I see the B-tree index of file names in the directory.

Why “$I30”? The MSDN blog explains:

Filenames are largely alphanumeric, and the first alphanumeric character in the UNICODE table is 0x30 (48 for those who are hexadecimally challenged). “$I30” is a shorthand method for saying “Index that’s alphanumeric”. (http://blogs.msdn.com/ntdebugging/archive/2008/10/31/ntfs-misreporting-free-space-part-2.aspx)

I cannot access the forum link you posted so I'm not sure if I am answering your question or not. I hope this is helpful.


   
(@jimmyw)
Trusted Member
Joined: 20 years ago
Posts: 64
 

I cannot access the forum link you posted so I'm not sure if I am answering your question or not. I hope this is helpful.

The link goes to a post from FTK's old forum that apparently didn't make it to the new one. Your explanation is, I think, quite good. FTK, at least in 1.x, incorrectly includes $I30 attributes as files, which they are not. As you stated, they are index attributes for directories and list the contents. As they do not always get purged or updated, they can contain some good information.
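
An added example (not part of any post in this thread and not FTK's code): a minimal Python reader for one "INDX" index record from a $I30 $INDEX_ALLOCATION attribute, listing the active file names and then scanning the record's slack for names that were not purged. Field offsets follow the commonly documented NTFS layout; the function names and the 512-byte sample record are constructed for illustration, and update-sequence fixups are assumed to be already applied.

```python
import struct

FN_FIXED = 0x42                              # $FILE_NAME bytes before the UTF-16LE name
END = struct.pack("<QHHI", 0, 16, 0, 0x02)   # last-entry marker (flag 0x02)

def read_file_name(buf, p, limit):
    """Decode the name of a $FILE_NAME structure at p; None if implausible."""
    if p + FN_FIXED > limit:
        return None
    parent = struct.unpack_from("<Q", buf, p)[0]
    nlen, ns = buf[p + 0x40], buf[p + 0x41]  # name length (chars), namespace
    if not parent or not nlen or ns > 3 or p + FN_FIXED + 2 * nlen > limit:
        return None
    name = buf[p + FN_FIXED:p + FN_FIXED + 2 * nlen].decode("utf-16-le", "replace")
    return name if name.isprintable() else None

def parse_indx(rec):
    """Return (active names, names found in slack) for one INDX record."""
    if rec[:4] != b"INDX":
        raise ValueError("not an INDX record")
    # Index node header at 0x18; its offsets are relative to 0x18.
    first, used, alloc = struct.unpack_from("<III", rec, 0x18)
    off, end, limit = 0x18 + first, 0x18 + used, min(0x18 + alloc, len(rec))
    active = []
    while off + 16 <= end:
        _ref, elen, _flen, flags = struct.unpack_from("<QHHI", rec, off)
        if flags & 0x02 or elen < 16:        # end of this node's entries
            break
        active.append(read_file_name(rec, off + 16, end))
        off += elen
    # Slack: allocated but unused bytes may still hold old $FILE_NAME data.
    slack = [n for p in range(end, limit, 8) if (n := read_file_name(rec, p, limit))]
    return active, slack

def _entry(ref, name):
    """Constructed index entry: 16-byte header + $FILE_NAME, 8-byte aligned."""
    fn = struct.pack("<Q4Q2Q2I2B", 5, 0, 0, 0, 0, 4096, 1234, 0x20, 0, len(name), 1)
    fn += name.encode("utf-16-le")
    fn += b"\0" * (-len(fn) % 8)
    return struct.pack("<QHHI", ref, 16 + len(fn), len(fn), 0) + fn

def sample_record():
    """Constructed record: a.txt and secret.doc indexed, then secret.doc removed."""
    a, b = _entry(40, "a.txt"), _entry(41, "secret.doc")
    body = bytearray(a + b + END)
    body[len(a):len(a) + 16] = END           # end marker moves up; old bytes stay
    hdr = b"INDX" + bytes(0x14) + struct.pack("<4I", 0x10, 0x10 + len(a) + 16, 512 - 0x18, 0)
    return (hdr + bytes(body)).ljust(512, b"\0")

if __name__ == "__main__":
    print(parse_indx(sample_record()))
```

The slack scan is a plausibility heuristic, so hits on real data should be checked against the timestamps and sizes stored in the same structure before they are relied on.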


   