Hello,
I think there used to be a topic or thread which commented on this, but it seems to be broken/bad.
What are the $I30 files that are located? I thought it was a file which had the attributes of the folder or an index of the folder. However, when I attempt to open the $I30 file in a text editor, I get unreadable characters.
Could someone please elaborate on these files or provide a link to some resource which does?
Thanks!
*I should specify that this is with FTK 2.0
If you have a link I can take a look at the thread to see what's wrong (all the ones I found with a search seemed OK).
Jamie
http//
Aha, sorry, not under my jurisdiction 😉
Try a search for I30 here, seems to throw out a few results.
Jamie
It's all a bit confusing but here's my understanding (using Brian Carrier's FSFA book and Google).
The $I30 is the "file" name given to NTFS MFT attributes containing file name indexes for directories. NTFS stores the file name contents of the directory in several places, depending on the number of files in the directory:
- For directories with just a few files, all are stored resident in the MFT entry $INDEX_ROOT
- For directories with many files, the indexes are stored non-resident in the MFT entry $INDEX_ALLOCATION
- The allocation status of these entries is managed by the $BITMAP MFT entry
NTFS uses B-tree structures to store and quickly access the data. In an example I just looked at, the HISTORY.IE5 directory on a computer had many files. So, the $INDEX_ROOT attribute (with a name of $I30) was not large enough to store the B-tree index of file names. Instead, it points to index records stored in the non-resident $INDEX_ALLOCATION. When I view the contents of that file, I see the B-tree index of file names in the directory.
Why “$I30”? The msdb blog explains:
Filenames are largely alphanumeric, and the first alphanumeric character in the UNICODE table is 0x30 (48 for those who are hexadecimally challenged). “$I30” is a shorthand method for saying “Index that’s alphanumeric”. (http//
I cannot access the forum link you posted so I'm not sure if I am answering your question or not. I hope this is helpful.
The link goes to a post from FTK's old forum that apparently didn't make it to the new one. Your explanation is, I think, quite good. FTK, at least in 1.x, incorrectly includes $I30 attributes as files, which they are not. As you stated, they are index attributes for directories and list the contents. As they do not always get purged or updated, they can contain some good information.
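An added example, not part of any post in this thread: a minimal Python parser for one non-resident $I30 index record (an "INDX" record from $INDEX_ALLOCATION) that lists the live file name entries and then scans the record's slack for stale entries of the kind mentioned above. The field offsets follow the standard NTFS directory index layout; the sample record, its file names and timestamp are constructed, and the parser assumes a single record whose fixup values have already been applied.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def walk(rec, pos, end, live):
    """Yield directory index entries found in rec[pos:end]."""
    while pos + 0x58 <= end:  # 0x58 = smallest entry that carries a name
        mft, elen, flen, _flags = struct.unpack_from("<QHHI", rec, pos)
        fn = pos + 0x10  # embedded $FILE_NAME attribute
        created, size = struct.unpack_from("<Q32xQ", rec, fn + 0x08)  # 0x08 and 0x30
        nlen = rec[fn + 0x40]  # name length in UTF-16 characters
        if not (elen % 8 == 0 and pos + elen <= end and nlen > 0
                and 0x42 + 2 * nlen <= flen <= elen - 0x10 and created >> 61 == 0):
            if live:
                return  # damaged entry in the used area: stop
            pos += 8    # slack: keep scanning on 8-byte boundaries
            continue
        name = rec[fn + 0x42:fn + 0x42 + 2 * nlen].decode("utf-16-le", "replace")
        yield {"name": name, "mft": mft & 0xFFFFFFFFFFFF, "size": size, "live": live,
               "created": EPOCH + timedelta(microseconds=created // 10)}
        pos += elen

def parse_indx(rec):
    """Parse one INDX record; assumes fixup values were already applied."""
    if rec[:4] != b"INDX":
        raise ValueError("not an INDX record")
    first, used, alloc = struct.unpack_from("<III", rec, 0x18)  # relative to 0x18
    used_end, alloc_end = 0x18 + used, min(0x18 + alloc, len(rec))
    return [*walk(rec, 0x18 + first, used_end, True), *walk(rec, used_end, alloc_end, False)]

def _entry(mft, name, size, created):  # builds constructed sample data
    fn = struct.pack("<7QIIBB", 5, *[created] * 4, size, size, 0x20, 0, len(name), 1)
    fn += name.encode("utf-16-le")
    body = fn + b"\0" * (-(0x10 + len(fn)) % 8)  # pad entry to 8 bytes
    return struct.pack("<QHHI", mft, 0x10 + len(body), len(fn), 0) + body

def sample_record():
    """Constructed 4096-byte INDX record: one live entry, one stale entry in slack."""
    t = 128166372000000000  # constructed FILETIME (2007-02-22 17:00 UTC)
    live = _entry((1 << 48) | 40, "index.dat", 32768, t)
    end = struct.pack("<QHHI", 0, 0x10, 0, 2)  # end marker, flag 0x02
    stale = _entry((3 << 48) | 41, "old-report.doc", 16384, t)
    hdr = b"INDX" + struct.pack("<HHQQIIII", 0x28, 9, 0, 0,
                                0x28, 0x28 + len(live + end), 4096 - 0x18, 0)
    return (hdr + b"\0" * 0x18 + live + end + stale).ljust(4096, b"\0")

if __name__ == "__main__":
    print(*parse_indx(sample_record()), sep="\n")
```

Entries reported with `live` set to `False` come from the space between the used and allocated sizes of the record, so they describe names that are no longer in the directory listing.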