@athulin
I don't have Linux. Never used it in my life, so the learning curve would be too steep right now to get something done soon. Furthermore I think you're suggesting to look into open source code ? Never done that either. I'm not good with reading other people's code. I like to implement from a spec (which we don't have for NTFS, and I asked my contacts at MS, they couldn't give it).
Ok I'll post the bytes (runs) for one instance (next post)
I implemented runs per this webpage
http//
Here's the byte sequence for a huge (3.5 GB file)
A fresh perspective on it may do wonders, maybe I'm looking over the obvious ?
42 20 01 2D 33 AF 00 33 00 00 01 E1 17 CC A3 02 70 01 79 10 03 33 30 A4 02 D5 71 01 42 10 7D CF 81 B7 00 43 ….
What I get from this is two valid runs with sizes not enough to cover the full file. The second run is negative (can you confirm this) and the third one fails for me as the offset is too big (I expect a value of 0 (=sparse) or a value <= 8 to fit in the 64-bit offset variable)
Good news. I implemented the 'fixup' as explained here
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=8010
And the runs issue went away !!
I still have to do an actual compare of the 3.5 GB file … but it's certainly looking very good !
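To make the two points above concrete (the run list quoted earlier and the fixup that has to be applied before any attribute in the record is parsed), here is an added Python example that is not code from the thread or from IsoBuster. It decodes the first two runs of the quoted byte sequence with signed, relative offsets, and undoes the update sequence fixup on a constructed 1024-byte record; the USA offset, count and USN values in the sample record are constructed for the demonstration.

```python
import struct

SECTOR = 512
# Constructed sample: the opening bytes of the run list quoted in the thread.
SAMPLE_RUNS = bytes.fromhex("42 2001 2D33AF00 33 000001 E117CC")

def apply_fixup(record: bytes) -> bytes:
    """Undo the update-sequence fixup on one MFT record.
    The header gives the USA offset (0x04) and element count (0x06). On disk
    the last 2 bytes of every sector hold the USN; the real bytes sit in the
    USA and must be restored before any attribute or run list is parsed."""
    buf = bytearray(record)
    usa_ofs, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_ofs:usa_ofs + 2])
    for i in range(1, usa_count):
        sec_end = i * SECTOR - 2
        if buf[sec_end:sec_end + 2] != usn:
            raise ValueError(f"USN mismatch in sector {i - 1}: torn record")
        buf[sec_end:sec_end + 2] = buf[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(buf)

def decode_runs(data: bytes):
    """Decode a run list into (cluster_count, lcn) pairs; lcn None = sparse."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos] != 0:
        hdr = data[pos]
        len_sz, ofs_sz = hdr & 0x0F, hdr >> 4
        if not 1 <= len_sz <= 8 or ofs_sz > 8:
            raise ValueError(f"bad run header 0x{hdr:02X} at byte {pos}")
        pos += 1
        length = int.from_bytes(data[pos:pos + len_sz], "little")
        pos += len_sz
        if ofs_sz == 0:  # no offset field: sparse (or compressed-hole) run
            runs.append((length, None))
            continue
        # Offsets are signed and relative to the previous run's LCN.
        lcn += int.from_bytes(data[pos:pos + ofs_sz], "little", signed=True)
        pos += ofs_sz
        runs.append((length, lcn))
    return runs

def make_torn_record() -> bytes:
    """Constructed 1024-byte record: USA at 0x30, USN 0x0001, two sectors."""
    buf = bytearray(1024)
    buf[0:4] = b"FILE"
    struct.pack_into("<HH", buf, 4, 0x30, 3)
    buf[0x30:0x36] = b"\x01\x00\xAA\xBB\xCC\xDD"
    buf[510:512] = buf[1022:1024] = b"\x01\x00"
    return bytes(buf)
```

Run on the quoted bytes, the second run's 3-byte offset E1 17 CC is negative, and the third header A3 is rejected because its offset size is 10; on a real record those bytes are only meaningful after `apply_fixup` has restored the sector ends.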
Unless the fixup solved it, I would have the whole record (1024 bytes) next time since it's easier to interpret then. Don't forget to cut off the slack data in the extraction of file (allocated-actual size).
It was the fixup !!
> Don't forget to cut off the slack data in the extraction of file
I don't understand what you mean by that ?
On a different but related topic, do you know how to find MFT records that belong to a base MFT record for files that span MFT records ?
Last, Alternate Data Streams (ADS). I understand they are simply DATA attributes in the file. How do I know, when I search for the DATA attributes, that I have the real file stream or an alternate one ? And where is the filename stored for ADSs ?
Cheers.
Made real good progress today after the fixup fix. Several "weird" issues went away.
> Don't forget to cut off the slack data in the extraction of file
I don't understand what you mean by that ?
If you extract all data according to the runs, it will be cluster size aligned and if the file's real size is slightly less, then you will also extract file slack data (which is just leftover in sectors from previous files).
On a different but related topic, do you know how to find MFT records that belong to a base MFT record for files that span MFT records ?
Not sure what you mean. A file (or its data) can be resident or non-resident. Hmm wait, do you mean records that are too large to fit inside the 1024 bytes? If so, then I still haven't looked at it so not sure.
Last, Alternate Data Streams (ADS). I understand they are simply DATA attributes in the file. How do I know, when I search for the DATA attributes, that I have the real file stream or an alternate one ? And where is the filename stored for ADSs ?
Have a look here; http//
> which is just leftover in sectors from previous files
Of course, that is all nicely handled by my code. NTFS is simply another file system supported by IsoBuster.
> do you mean records that are larger than to fit inside the 1024 bytes
Something like that yes. Multiple MFT records for one file. Per this MS document http//
I seem to have a few of those files on my system.
I'll check out your ADS link
On a different but related topic, do you know how to find MFT records that belong to a base MFT record for files that span MFT records ?
Records that span more than one MFT entry have an AttributeList attribute, this is a list of the MFT attributes and records which MFT entry each attribute is in.
Thanks Paul.
It is by finding the AttributeList attribute that I know that I have a few of these files on my system.
However it is unclear to me how to interpret that data to come to the other MFT entries ?
Does the list contain other MFT IDs ?
Yes the list contains a list of all the attributes for the file and which MFT entry they can be found in. The attribute list is always in the base MFT entry