NTFS MFT data run decoding problem  

mrthaggar
(@mrthaggar)
New Member

Hi all,

Hopefully this is the right place to post this.

I'm having a bit of a nightmare trying to calculate some data runs present within an NTFS MFT entry, to be more specific, inside of the index allocation attribute.

The data runs taken from the attribute are

I've written some code to decode them, but for some reason the final value being returned is completely wrong, and doesn't point to an INDX file, like the rest do.

I'm not sure if this is a problem with my decoder, or if that piece of the run is actually telling me something different.

If anyone can help decode these runs, or help shine a bit of light on what might be going wrong, I'd appreciate it.

Thanks

The values that I've gotten from decoding the runs are

Posted : 14/02/2013 6:20 pm
jaclaz
(@jaclaz)
Community Legend

Can you try joakim's thingy here?
http://www.forensicfocus.com/Forums/viewtopic/t=8010/
http://code.google.com/p/mft2csv/
maybe it gives the results you are looking for.

jaclaz

Posted : 14/02/2013 7:54 pm
mscotgrove
(@mscotgrove)
Senior Member

1 - THINK in HEX. It is much easier

2 - The first offset is 0xbeeef

3 - Multiply this by sectors per cluster (usually 0x8)

4 - Add in the start of the partition, eg 0x3f, 0x800

Posted : 14/02/2013 8:18 pm
PaulSanderson
(@paulsanderson)
Senior Member

The normal cockup™ here is not to apply the fixup values first, have you done that?

Also it would be useful to provide a screenshot of the complete MFT record, with the bytes that you think are relevant highlighted, so that we can see that you are actually pointing at the start of the data runs.

Posted : 14/02/2013 8:20 pm
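An added Python example (not code from this thread) that walks through mscotgrove's four steps together with Paul's fixup point: it restores the update-sequence (fixup) bytes of a constructed MFT record, then decodes a run list that straddles the 512-byte sector boundary, so the wrong-before / right-after result can be seen directly. Sectors per cluster (8) and partition start (0x800) are assumed, and the record layout is constructed, not taken from the original post.

```python
import struct

SPC = 8             # sectors per cluster, assumed as in step 3 above
PART_START = 0x800  # partition start sector, assumed as in step 4 above

def apply_fixups(record: bytes, sector_size: int = 512) -> bytes:
    """Restore the last 2 bytes of each sector from the update sequence array."""
    usa_off, usa_cnt = struct.unpack_from("<HH", record, 4)
    usn, fixed = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_cnt):
        end = i * sector_size
        if fixed[end - 2:end] != usn:   # torn write, or not the start of a record
            raise ValueError(f"fixup mismatch at sector {i - 1}")
        fixed[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(fixed)

def decode_runs(runs: bytes):
    """Run list -> [(LCN or None if sparse, clusters)]; header low nibble = length size, high = offset size."""
    pos, lcn, out = 0, 0, []
    while pos < len(runs) and runs[pos] != 0:
        len_sz, off_sz = runs[pos] & 0x0F, runs[pos] >> 4
        length = int.from_bytes(runs[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:  # offsets are signed and relative to the previous run's LCN
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            out.append((lcn, length))
        else:
            out.append((None, length))  # sparse run: no offset field at all
        pos += off_sz
    return out

def lcn_to_sector(lcn: int) -> int:
    return PART_START + lcn * SPC  # steps 3 and 4: clusters to sectors, add partition start

def build_sample_record() -> bytes:
    # Constructed 1024-byte record whose run list straddles the sector boundary.
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 48, 3)   # USA at 0x30: usn + one fixup per sector
    rec[48:50] = b"\x01\x00"                  # update sequence number
    rec[507:510] = b"\x31\x01\xEF"            # run 1: 1-byte length, 3-byte offset ...
    rec[50:52] = b"\xEE\x0B"                  # ... whose last 2 bytes are kept in the USA
    rec[510:512] = b"\x01\x00"                # on disk the usn sits there instead
    rec[512:517] = b"\x21\x02\x00\xFF\x00"    # run 2: 2 clusters at delta -0x100, then end
    rec[1022:1024] = b"\x01\x00"              # sector 1's fixup entry stays zero (default)
    return bytes(rec)

def decode_record_runs(record: bytes, run_off: int = 507, fix: bool = True):
    data = apply_fixups(record) if fix else record
    return decode_runs(data[run_off:run_off + 10])
```

With `fix=False` the first run decodes to LCN 0x1EF instead of 0xBEEEF, which is exactly the "completely wrong" last value described in the opening post.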
mrthaggar
(@mrthaggar)
New Member

Thanks for the input guys.

I've just this second realised that part of the data run is within the last two bytes of the sector, therefore I've not looked into the fixup array to get the true values.

I'll go do that now and let you know how I get on!

Thanks Paul for pointing out the error (cockup).

Posted : 14/02/2013 8:50 pm