MFT Directoy Entries

You will have to parse the $I30 stream according to carrier's book.

So, will you let the us beta you software when it's ready?

Wait a second, how did you know I purchased that book? I haven't got it yet, but it is in the mail… weird or did you just assume I had it?

And, of course, it would be an honor to let this community beta my software. I am hoping to be done with it before next semester. I'll keep you informed if you would like me to . . . I'll make a new post when it is ready I guess.

Anyway, in terms of the OP. OK, I will do some investigation on this a little further (a little trial and error) in lieu of waiting for the book to arrive. thanks

There are also vairous NTFS sites on the web.

NTFS is extremely complex, especially if you want to deal with compressed / encrypted / sparse files.

BTW have fun when you're dealing with ATTRIBUTE_LISTS and don't forget to fixup you MFT records.

i have found a few of them.

rightfully so, but it isn't rocket science, it is actually a lot easier to understand than many might tell you otherwise. It makes a lot of sense after all.

yes, fun will be had. I am about 95% complete with my project, so looks like the fun is just about over. or has it just begun?

MFT number 5 has a file '.' This is the Index of the disk, and stores the tree structure of the directory

MFT number 5 has a file '.' This is the Index of the disk, and stores the tree structure of the directory

yes it's the root and the $Volume file carries the name of the volume.

Hi.

I just figured it out. You have to look at the records file reference number. The upper two bytes of the file reference number is the MFT Record and the lower six bytes is the records sequence number. So, you would have to find the file, then read the MFT in reverse to find the full path of the file or directory.

either that or you start at . parse the idx buffer and recursivel parse through all the files/folder therein.

Or you can peek at a this
http//www.ntfs-3g.org/index.html#download