MFT Data Runs

General (Technical, Procedural, Software, Hardware etc.)

Last Post by JimC 2 months ago

2 Posts

2 Users

0 Likes

543 Views

RSS

nathan14280

(@nathan14280)

Posts: 1

New Member

Topic starter

I need to do a data run (0x80) and i need to show the calculations of starting cluster number, number of clusters. How should i do this? it also says to carefully consider the VCN while calculating the starting position of cluster. I have an image of the MFT file record but am unsure how to attach it to this post.

Thanks

Posted : 28/09/2023 4:05 pm

JimC

(@jimc)

Posts: 86

Estimable Member

Microsoft call MFT data runs "mapping pairs". In some texts, they are called data runs or extents.

For a general overview of how MFT mapping pairs work, I would suggest checking p280 of Brian Carrier's excellent book "File System Forensic Analysis".

For a practical example of how the data can be decoded, I would suggest you look at Appendix A9 (p396) in Samme's and Jenkinson's book "Forensic Computing: A practitioner's guide" (2nd edition).

Both books are available on Amazon.

Finally, Microsoft themselves document it here:

https://learn.microsoft.com/en-gb/windows/win32/devnotes/attribute-record-header

Jim

forensicinternals.com

Posted : 19/10/2023 2:10 pm

8 Forums
15.5 K Topics
91.9 K Posts
14 Online
39.8 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed