Data runs are offsets from the previous data run. They can be positive or negative, hence for a positive value, often a 0 has to be added to the offset if it is in the range 0x8??? to 0xf???
Thus in your example, the second run will be
Cluster 0xc0000 + 0xfbd0c0 =
or 0xc0000 - 0x42f40
= 0x7d0c0 (approx, not entirely sure about arithmetic)
As the second value is 0xfbd0c0 this will be treated as a negative number. If the length was 4, and not 3, then it would be a positive number.
NB, it is MUCH simpler to think in hex, rather than decimal when working with sectors, offsets etc
Yes, you're right!!!!! I had read that the localization could be negative but I thought that it was when the first bytes were between 80 to FF, not the last ones, but in little endian, the last are the first.
So, I searched that cluster and there I found the next part of MFT (it's not the one I was saying before, but it also contains the other files, maybe the one I said is a copy or something like this).
Now, I need to make a C# app to read all these files, summarizing the concepts I learned, the first Data run in MFT attribute is the same cluster I'm reading (in one of my posts I showed how the localization of the first data run was pointing to the mft cluster itself), then the next data runs point to the localization and clusters count of the next parts of MFT (in my case there's only one but there could be more). I know which is the last data run when I reach a 00 00 (as found after the second attribute), is this ok??
And the last question, as you can see in the first image I uploaded in this thread, I marked in red where the data attribute started 80 00 00 00 and then its length 50 00 00 00 in green, and when it finished in yellow 8c (counting the byte length 80 dec). Now the first data run starts in 00C0000140 being 32 42 32 00 00 0c and then the second. But, from the start of the data attribute until I reach this offset where the first data run starts, there are 64 bytes I don't know what they are, anyway, how do I know the first attribute is there and not before??
Thanks to all!!!
http://www.reddragonfly.org/ntfs/concepts/data_runs.html This site may give you more help
The 0x40 bytes you mention are defined by the value in offset 0x20 of the Data record.
The byte 0x8c is actually a random value at the end of the data run. The data run is actually terminated by a single byte of 0x00 where the next attribute byte should be. The attribute byte is actually 2 nibbles, one for length of length, and the other for length of offset.
I have sent you a PM that may assist
Ok, thank you very much for your help, googling about all this I couldn't find any info, you all solved my problem, thanks!!
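A data run decoder covering the points made in this thread (header nibbles, signed little-endian offsets relative to the previous run, the single 0x00 terminator), written as an added example and not code from any of the posts. The first run is the `32 42 32 00 00 0c` quoted above; the second run's length (0x0100), the trailing `8c` placement and the name `parse_data_runs` are constructed for illustration, and sparse runs (offset size 0) are handled as a generalization.

```python
def parse_data_runs(buf):
    """Decode an NTFS data run list into (start_cluster, cluster_count) tuples.

    start_cluster is None for a sparse run (offset field of size 0).
    """
    runs = []
    pos = 0
    prev_lcn = 0  # each offset is relative to the previous run's start
    while pos < len(buf):
        header = buf[pos]
        if header == 0x00:           # a single 0x00 ends the list
            break
        len_size = header & 0x0F     # low nibble: bytes in the length field
        off_size = header >> 4       # high nibble: bytes in the offset field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(buf):
            raise ValueError("malformed data run header at byte %d" % (pos - 1))
        count = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))   # sparse run, no clusters on disk
            continue
        # Signed: a top byte of 0x80..0xff makes the offset negative.
        delta = int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
        pos += off_size
        prev_lcn += delta
        if prev_lcn < 0:
            raise ValueError("run points before the start of the volume")
        runs.append((prev_lcn, count))
    return runs


# Constructed sample: first run from the thread, a second run with the
# 3-byte offset 0xfbd0c0, the 0x00 terminator, then a leftover 0x8c byte.
SAMPLE = bytes.fromhex("32 42 32 00 00 0c" "32 00 01 c0 d0 fb" "00 8c")

# Same offset value stored in 4 bytes (c0 d0 fb 00): now it is positive.
SAMPLE_4BYTE = bytes.fromhex("32 42 32 00 00 0c" "42 00 01 c0 d0 fb 00" "00")

if __name__ == "__main__":
    for lcn, count in parse_data_runs(SAMPLE):
        print("start cluster 0x%x, %d clusters" % (lcn, count))
```

The bounds check matters when carving from damaged records: a header whose nibbles claim more bytes than remain in the attribute is rejected instead of read past the buffer.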