MFT Data Runs

(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

To get the sector number from the cluster number you have to multiply it by sectors per cluster - typically 8.

You then need to add the sector number for the start of the partition, best calculated from the $MFT entry as I described earlier.


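Putting the two steps in that reply into code: the following is an added example, not code from the thread or from any of its posters. It decodes the run list of a non-resident $DATA attribute from an MFT record (header byte, then a run length and a signed relative cluster offset per run) and applies cluster x sectors-per-cluster + partition-start-sector to each run. The sector size, sectors per cluster and partition start sector are assumed constants (512, 8 and 63, the XP-era layout the thread works with), and the run list bytes are constructed for the example; the first run is placed at LCN 2982460 so the conversion can be compared with the cluster number quoted elsewhere in the thread.

```python
"""Decode an NTFS data run list and turn its clusters into absolute sectors.

Added example (not code from the thread). Assumptions: 512-byte sectors,
8 sectors per cluster and a partition starting at sector 63. Adjust the
constants for other volumes.
"""
from typing import List, NamedTuple, Optional

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8          # assumption: 4 KiB clusters
PARTITION_START_SECTOR = 63      # assumption: XP-era alignment (modern disks usually use 2048)


class Run(NamedTuple):
    vcn: int            # first virtual cluster (position within the file, in clusters)
    lcn: Optional[int]  # first logical cluster on the volume; None marks a sparse run
    length: int         # run length in clusters


def parse_run_list(data: bytes) -> List[Run]:
    """Decode the run list of a non-resident attribute.

    Each run begins with a header byte: low nibble = byte size of the length
    field, high nibble = byte size of the offset field. The offset is a signed
    little-endian delta from the previous run's LCN, so a later run may sit
    before an earlier one on the volume. An offset size of 0 means a sparse
    run, and a 0x00 header terminates the list.
    """
    runs: List[Run] = []
    pos, vcn, prev_lcn = 0, 0, 0
    while pos < len(data):
        header = data[pos]
        if header == 0x00:
            break
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError(f"malformed or truncated run at byte {pos - 1}")
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            lcn: Optional[int] = None           # sparse: no clusters allocated
        else:
            delta = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            prev_lcn += delta                   # offsets chain from the previous run
            lcn = prev_lcn
        runs.append(Run(vcn, lcn, length))
        vcn += length
    return runs


def cluster_to_sector(lcn: int,
                      sectors_per_cluster: int = SECTORS_PER_CLUSTER,
                      partition_start: int = PARTITION_START_SECTOR) -> int:
    """Cluster number -> absolute sector, as described in the post above."""
    return lcn * sectors_per_cluster + partition_start


def file_offset_to_sector(runs: List[Run], byte_offset: int,
                          sectors_per_cluster: int = SECTORS_PER_CLUSTER,
                          partition_start: int = PARTITION_START_SECTOR) -> Optional[int]:
    """Absolute sector holding a given byte of the file, or None if it is sparse."""
    bytes_per_cluster = SECTOR_SIZE * sectors_per_cluster
    target_vcn, within = divmod(byte_offset, bytes_per_cluster)
    for run in runs:
        if run.vcn <= target_vcn < run.vcn + run.length:
            if run.lcn is None:
                return None
            lcn = run.lcn + (target_vcn - run.vcn)
            return cluster_to_sector(lcn, sectors_per_cluster, partition_start) + within // SECTOR_SIZE
    raise ValueError("offset lies beyond the attribute's allocated clusters")


# Constructed run list (not taken from any dump in the thread), three runs plus terminator:
#   31 38 3c 82 2d  -> 1-byte length 0x38 (56 clusters), 3-byte offset 0x2D823C -> LCN 2982460
#   21 10 00 ff     -> 16 clusters, 2-byte signed offset 0xFF00 = -256 -> LCN 2982204
#   01 08           -> 8 clusters, no offset field -> sparse run
#   00              -> end of list
SAMPLE_RUN_LIST = bytes.fromhex("31 38 3c 82 2d 21 10 00 ff 01 08 00")


if __name__ == "__main__":
    runs = parse_run_list(SAMPLE_RUN_LIST)
    for run in runs:
        if run.lcn is None:
            print(f"VCN {run.vcn:>6}  sparse run of {run.length} clusters")
        else:
            print(f"VCN {run.vcn:>6}  LCN {run.lcn:>8} (0x{run.lcn:x})  "
                  f"{run.length:>3} clusters  sector {cluster_to_sector(run.lcn)}")
    print("byte 0 of the file is in sector", file_offset_to_sector(runs, 0))
```

Each run's starting sector is what you would type into a disk editor's "go to sector" box; `file_offset_to_sector` does the same for an arbitrary byte of the file, which is what a carver needs when the data is fragmented. Note the signed offset on the second run: a run list that walks backwards is normal, and decoding the offset as unsigned is the usual way to end up at a cluster nowhere near the file.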
(@newwave)
Eminent Member
Joined: 17 years ago
Posts: 47
Topic starter  

Following those steps is running me around in circles. I know that you can convert a cluster to a PSN or LSN by multiplying it by 8 and adding 63 or subtracting 7, I get that. But what I don't understand is how does one go from 2031 to 2982460? With the given information I have already provided, could someone please show me how they would use that information to figure out that hh.exe's $DATA starts at cluster 2982460? One said it is not a part of the equation; then how does it exist without being found, and how is it found without ever existing? Surely one must be able to find the start of the $DATA using its MFT record.

If I take 2031 and multiply it by 8 it becomes 16248. Now if I do as you suggested, which was to add it to the starting cluster described in MFT record 0, then that would mean I would add 786432 to 16248, which is nowhere near 2982460, so that method does not work to find the start of the $DATA for at least this file.

Please, someone just show me what you would do, providing your calculations, so that I can literally see how you would go from MFT record 27, posted above, and MFT record 0 (also posted above) to make it to cluster 2982460, which is the confirmed start of hh.exe's data per WinHex.

thanks


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I think the whole thread is getting confused.

I suggest you do dumps for sectors as a sector number rather than an offset from somewhere. Your $MFT has an offset from the start of the partition, i.e. 0x0c000000 bytes.

Your test.dat MFT is also from the start of the partition.

The hh.exe MFT is from the start of the MFT.

None of these are absolute sector numbers, just relative locations.

Also, personally I find it much easier to think and work in hex, i.e. ignore decimal; it does not fit this kind of work.

One useful dump you could give us is the MBR, i.e. sector 0.


(@newwave)
Eminent Member
Joined: 17 years ago
Posts: 47
Topic starter  

No need, I'm sorry. I finally realized that the MFT might store data on disk at a sector somewhere in front of the MFT. Until I realized that by navigating to sector 16311, I thought it had to be beyond that, and I found it first in the Windows folder, so basically I was comparing my results to the wrong file. I was really racking my brain on this and I'm sorry I caused confusion (I'm still learning). At any rate, thanks to everyone for all the help. Regards


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

95% of MFT files start at cluster 0xc0000, i.e. at about 6GB into the disk. The first 6GB is not wasted!


(@newwave)
Eminent Member
Joined: 17 years ago
Posts: 47
Topic starter  

Point taken. Oops.

