NTFS, root directory contents missing

4 Posts
3 Users
0 Reactions
655 Views
 dirk
(@dirk)
Eminent Member
Joined: 20 years ago
Posts: 25
Topic starter  

I have acquired an NTFS image from a machine running Windows XP, and am having major issues even getting a start on reading the directory structure.

The root directory record is intact and valid, but it doesn't contain attribute 0xA0 which is where the directory listing is normally stored.

Was there some dramatic change in the way directories were stored, between Windows 2000 and Windows XP?


steve862
(@steve862)
Estimable Member
Joined: 19 years ago
Posts: 194
 

Dirk,

I'm not entirely sure what it is you are asking so will just answer the question in your last paragraph.

The only difference between NTFS on XP and 2000 that I am aware of is that in 2000 the MFT entries aren't numbered but are just sequential. In XP the MFT entries actually are numbered, rather than you having to do the maths based on which offset you are at and taking into account the length of each MFT entry, 1024 bytes.

Maybe you could post some more info on the data you are looking at?

Steve


 dirk
(@dirk)
Eminent Member
Joined: 20 years ago
Posts: 25
Topic starter  

The data I'm looking at is a complete disk image of a Windows XP machine. The root directory entry is intact, and contains the following attributes

0x10 ($STANDARD_INFORMATION)
0x20 ($ATTRIBUTE_LIST)
0x30 ($FILE_NAME) contains "."
0x40 ($OBJECT_ID)
0x50 ($SECURITY_DESCRIPTOR)
0x90 ($INDEX_ROOT)
0xB0 ($BITMAP)

Normally to read a directory listing, you do the following

Look at $INDEX_ROOT, offset 0x0C (flags) – flags & 0x01 is non-zero for this particular directory, indicating that the data should be in the $INDEX_ALLOCATION attribute (0xA0). However, that attribute isn't even present.

As a result, I can't even figure out the directories which exist in the root directory.

The interesting thing is, the same computer has two hard drives – the second hard drive doesn't have the problem, but was formatted under Windows 2000 before the machine was updated to Windows XP. The first hard drive was completely reformatted before being updated, which is why I suspected that a change in the format might be what happened.


(@dave64)
New Member
Joined: 19 years ago
Posts: 1
 

Dirk,

The presence of the ATTRIBUTE_LIST attribute (0x20) is the key here. It is only present in an MFT file record when the number of attributes and their size is too much for one file record to handle. Your missing attribute is probably contained in this attribute and is located in another file record. The main file record you are viewing is the base file record and in its header is the location of the additional file record.

As the earlier answer indicated, the main change from 2000 to XP was the additional length of the file record header to contain a DWORD with the file record number.


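As an added example (not code from anyone in this thread), here is a Python parser for the $ATTRIBUTE_LIST entries that the last reply describes, run over a constructed attribute list in which the root directory's $I30 $INDEX_ALLOCATION and $BITMAP have been pushed into an extension record. The record number 28 and the attribute ids are assumed placeholders, not values from a real image.

```python
import struct
from dataclasses import dataclass

# $ATTRIBUTE_LIST entry header (0x1A bytes, followed by the optional UTF-16 name):
#   type(4) record_len(2) name_len(1) name_off(1) start_vcn(8) file_ref(8) attr_id(2)
_HDR = struct.Struct("<IHBBQQH")

@dataclass
class AttrListEntry:
    attr_type: int
    name: str
    start_vcn: int
    mft_record: int   # low 48 bits of the file reference: MFT record holding this piece
    sequence: int     # high 16 bits of the file reference: that record's sequence number
    attr_id: int

def parse_attribute_list(data: bytes) -> list:
    """Walk every entry in the content of an $ATTRIBUTE_LIST attribute."""
    entries, off = [], 0
    while off + _HDR.size <= len(data):
        attr_type, rec_len, name_len, name_off, vcn, ref, attr_id = _HDR.unpack_from(data, off)
        if attr_type == 0xFFFFFFFF or rec_len < _HDR.size:   # end marker or corrupt length
            break
        name = data[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")
        entries.append(AttrListEntry(attr_type, name, vcn, ref & 0xFFFFFFFFFFFF, ref >> 48, attr_id))
        off += rec_len
    return entries

def records_holding(entries, attr_type: int, name: str = "") -> list:
    """Sorted MFT record numbers that hold pieces of the named attribute type."""
    return sorted({e.mft_record for e in entries if e.attr_type == attr_type and e.name == name})

def _entry(attr_type, name, start_vcn, mft_record, seq, attr_id) -> bytes:
    """Build one entry; used only to construct the sample below."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(name_bytes) + 7) & ~7   # entries are 8-byte aligned
    hdr = _HDR.pack(attr_type, rec_len, len(name), _HDR.size, start_vcn, (seq << 48) | mft_record, attr_id)
    return (hdr + name_bytes).ljust(rec_len, b"\0")

# Constructed sample: root directory (MFT record 5) whose $I30 $INDEX_ALLOCATION and
# $BITMAP live in extension record 28 (placeholder number, not from a real image).
SAMPLE_ATTRIBUTE_LIST = b"".join([
    _entry(0x10, "", 0, 5, 1, 0),        # $STANDARD_INFORMATION in the base record
    _entry(0x30, "", 0, 5, 1, 2),        # $FILE_NAME "." in the base record
    _entry(0x90, "$I30", 0, 5, 1, 3),    # $INDEX_ROOT in the base record
    _entry(0xA0, "$I30", 0, 28, 1, 4),   # $INDEX_ALLOCATION in the extension record
    _entry(0xB0, "$I30", 0, 28, 1, 5),   # $BITMAP in the extension record
])

if __name__ == "__main__":
    entries = parse_attribute_list(SAMPLE_ATTRIBUTE_LIST)
    print(records_holding(entries, 0xA0, "$I30"))   # [28]
```

The record numbers returned are where the 0xA0 attribute body must be read from; the base record's own attribute table will never list it when it has been moved out.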