NTFS MFT Analysis Identifying Cluster run

Dermot29 · 2014-04-24T15:51:01Z

I am cuurently working on an NTFS analysis of a 249 mb pen drive formatted to ntfs on a windows 8 machine.The ntfs system I created has 512 bytes per sector, and 1 sector per cluster. I have done a boot sector analysis and everything seems to be making sense. The problem I am having now is that I cannot identify the cluster run numbers for a jpg file I have on the system. I know that the data of the file starts in cluster 288 and ends in cluster 304. What I have in the cluster run doesn't make much sense to me21 11 20 01 00 00 00 00 FF FF FF FF 82 79 47 11.except for (0120) = 288 which is the starting sector of the data and (0121) which is the next.I just need to be able to determine accurately the cluster run numbers that specify the data clusters for the file 288 to 304.I am also trying to understand why the base mft record is at 170494 and the first data record is at 170564,70 sectors after. I understand the first 16 entrys are reserved, but it doesn't add up.I got some stats from active disk editor2 clusters per file record segment, so I think each mft is 1024 bytes, 2 sectors,8 clusters per index block, don't know what that is ?Any help with this would be great, particularly regarding the cluster run numbersThanks

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by mscotgrove 11 years ago

12 Posts

4 Users

0 Reactions

9,417 Views

RSS

Chris_Ed

(@chris_ed)

Reputable Member

Joined: 16 years ago

Posts: 314

01/05/2014 3:12 pm

Well done! I think if you fiogure things out yourself then you retain it better.

Dcode is good, but personally I prefer Stampede as if you're not entirely sure of the type of timestamp it can help!

ReplyQuote

mscotgrove

(@mscotgrove)

Prominent Member

Joined: 17 years ago

Posts: 940

01/05/2014 3:44 pm

The demo of my www.cnwrecovery.com software has a feature in the sector view. If you display a MFT sector and move the cursor over the hex display, it will decode most of the elements. This includes the dates which you will discover are stored in several places. It will also decode the first cluster run.

It is not 100% comprehensive, and only works on first 0x200 bytes of the $MFT entry, but may be a quick way to help you understand the $MFT

ReplyQuote

Page 2 / 2 Prev

Android Forensics

I have conducted a logical and partial extraction of a ...

By SgtAndroid , 2 days ago
Article: The Balance Between Digital Forensic Examiners And Digital Evidence Technicians: Expertise Vs. Efficiency

Can digital forensic labs cut backlogs without cutting ...

By Zoe , 3 days ago
Prefetch Question

Hello All, I have a question regarding Windows prefet...

By Forensic_Tester , 3 days ago

8 Forums
15.7 K Topics
92.3 K Posts
172 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed