Windows inodes?  

vonnz
(@vonnz)
New Member

I recently was doing a bit of reading about inodes in Unix-type systems. I had a Knoppix boot CD which I loaded up on my Windows XP laptop. When I was browsing the mounted Windows hard drive I ran the command to see if Windows had inodes:

ls -li

to my surprise there were 'numbers' listed before the permissions like this:

10344 drwxrwxrwx 1 knoppix knoppix 4096 Feb 20 02:38 backup

I am guessing that the 10344 is the inode; however, I read in a few places on the net that Windows did not have inodes. Can anyone clarify what I am seeing here?

The other odd thing about these 'numbers', if they are indeed Windows inodes, is that they don't seem incremental. For instance, a directory created Feb 20 2005 has an inode of 10344; a directory created Nov 2007, 2002 has an inode of 27927. Aren't inodes created incrementally?

Posted : 09/03/2005 11:01 am
Jamie
(@jamie)
Community Legend

Something to do with MFT entries, perhaps? Starting clusters?

Wild guesses…anyone know for sure?

Jamie

Posted : 09/03/2005 12:01 pm
gmarshall139
(@gmarshall139)
Active Member

My guess is it's random data that's being interpreted as an inode. Again, it's a guess. I've got some material on this at home, I'll check it tonight and see if I can glean anything else.

Posted : 09/03/2005 7:02 pm
vonnz
(@vonnz)
New Member

Thanks for the help, guys. 🙂 I am scratching my head on this one. Gmarshall, are you referring to a book you have that has this information? I'd be interested to know the title.

Posted : 10/03/2005 8:06 am
gmarshall139
(@gmarshall139)
Active Member

It's a text from Guidance's advanced forensics class. It's not available unless you go to the class. So you can get one for about $3000. We went through file systems a lot. Mainly NTFS but also Mac, Unix, Linux, etc.

Posted : 10/03/2005 2:31 pm
vonnz
(@vonnz)
New Member

Thanks for the info, Gmarshall. Did it have anything about the possible inodes in Windows?

Posted : 11/03/2005 1:32 am
gmarshall139
(@gmarshall139)
Active Member

Can you post the inode records that you're seeing? At least a couple of them. They should be 128 bytes in length. I can find no reference to Windows using inodes. Are your hits within the MFT? Also, if you are booting from a Linux disk then Linux is your OS. Linux does use inodes.

Posted : 12/03/2005 5:12 pm
keydet89
(@keydet89)
Community Legend

After watching this thread for a while, I decided to look into it for myself.

What I've found so far is this:

http://linux-ntfs.sourceforge.net/ntfs/help/glossary.html#i

Specifically:
An inode is the filesystem's representation of a file, directory, device, etc. In NTFS every inode is represented by an MFT FILE record.

Now, we know that Windows itself does not use the concept of inodes:
(from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vclib/html/_crt__stat.2c_._wstat.2c_._stati64.2c_._wstati64.asp )
The inode, and therefore st_ino, has no meaning in the FAT, HPFS, or NTFS file systems.

But keep in mind, that's from a Windows perspective. So the real question isn't whether or not NTFS uses inodes (b/c we know it doesn't), but how the NTFS driver under Linux populates the inode field.

Still looking…

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 14/03/2005 12:08 pm
gmarshall139
(@gmarshall139)
Active Member

> So the real question isn't whether or not NTFS uses inodes (b/c we know it doesn't), but how the NTFS driver under Linux populates the inode field.

I think you're right on the money here.

Posted : 14/03/2005 1:44 pm
keydet89
(@keydet89)
Community Legend

> I think you're right on the money here.

Not a lot of help there…

I did a lot more looking around, specifically on the Linux NTFS site, but didn't find anything specific. However, I did find something useful here:

http://www.sleuthkit.org/sleuthkit/docs/skins_ntfs.html

Specifically:

Each MFT entry is given a number (similar to inode numbers in UNIX).

So, I guess the final answer is…what you're looking at is the MFT entry number.

Hope that helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 15/03/2005 1:41 pm
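As an added illustration of that answer (this script is not from the thread, the Linux NTFS project or The Sleuth Kit): it pulls the leading number out of an `ls -li` line, interprets it as an MFT entry number, and then reads the same number back out of the header of a FILE record. The header layout is the NTFS 3.1 (Windows XP and later) FILE record header, in which the entry's own record number is stored at offset 0x2C; the 1 KiB record size, the reserved-entry table, the sample `ls -li` line and the sample record are assumptions and constructed test data, not anything taken from the poster's drive.

```python
import re
import struct

MFT_RECORD_SIZE = 1024          # default FILE record size; a real volume stores it in the boot sector
SECTOR_SIZE = 512               # update-sequence fixups protect each 512-byte sector of a record
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02

# Constructed sample `ls -li` line, shaped like the one in the thread.
LS_LINE = "10344 drwxrwxrwx 1 knoppix knoppix 4096 Feb 20 02:38 backup"

# The first 16 MFT entries are reserved for NTFS metadata files (well-known names).
RESERVED_ENTRIES = {
    0: "$MFT", 1: "$MFTMirr", 2: "$LogFile", 3: "$Volume", 4: "$AttrDef",
    5: ". (root directory)", 6: "$Bitmap", 7: "$Boot", 8: "$BadClus",
    9: "$Secure", 10: "$UpCase", 11: "$Extend",
}


def inode_from_ls_line(line):
    """Return the leading inode number from one line of `ls -li` output."""
    m = re.match(r"\s*(\d+)\s", line)
    if not m:
        raise ValueError("line does not start with an inode number: %r" % line)
    return int(m.group(1))


def describe_inode(inode):
    """Interpret a Linux inode number on an NTFS mount as an MFT entry number."""
    return {
        "mft_entry": inode,
        # Byte offset of the entry inside the $MFT data stream (assumes 1 KiB records).
        "offset_in_mft": inode * MFT_RECORD_SIZE,
        "reserved_name": RESERVED_ENTRIES.get(inode) if inode < 16 else None,
    }


def build_file_record(record_number, sequence_number=1, link_count=1, flags=FLAG_IN_USE):
    """Construct a minimal NTFS 3.1 FILE record (constructed test data, not a real volume)."""
    usn = 0x2A2A                    # update sequence number written at the end of each sector
    usa_offset, usa_count = 48, 3   # USA follows the 48-byte header: USN + one entry per sector
    first_attr = 56                 # 48 + 6 bytes of USA, rounded up to an 8-byte boundary
    header = struct.pack(
        "<4sHHQHHHHIIQHHI",
        b"FILE", usa_offset, usa_count, 0,           # signature, USA offset/count, $LogFile LSN
        sequence_number, link_count, first_attr, flags,
        first_attr + 8, MFT_RECORD_SIZE, 0,          # used size, allocated size, base record ref
        0, 0, record_number,                         # next attribute id, padding, record number (0x2C)
    )
    rec = bytearray(MFT_RECORD_SIZE)
    rec[:48] = header
    rec[first_attr:first_attr + 4] = b"\xff\xff\xff\xff"   # end-of-attributes marker
    # Apply fixups: save each sector's last two bytes in the USA, overwrite them with the USN.
    usa = struct.pack("<H", usn)
    for sector in range(1, usa_count):
        end = sector * SECTOR_SIZE - 2
        usa += bytes(rec[end:end + 2])
        rec[end:end + 2] = struct.pack("<H", usn)
    rec[usa_offset:usa_offset + len(usa)] = usa
    return bytes(rec)


def parse_file_record(rec):
    """Parse the FILE record header, verifying and undoing the update-sequence fixups."""
    if len(rec) != MFT_RECORD_SIZE:
        raise ValueError("expected a %d-byte record" % MFT_RECORD_SIZE)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record (signature %r)" % rec[:4])
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 16)
    record_number = struct.unpack_from("<I", rec, 44)[0]
    buf = bytearray(rec)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            # A torn write leaves a stale USN in one sector; forensic tools flag this.
            raise ValueError("fixup mismatch in sector %d" % i)
        buf[end:end + 2] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return {
        "record_number": record_number,
        "sequence_number": seq,
        "hard_links": links,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "first_attribute_offset": first_attr,
    }


if __name__ == "__main__":
    inode = inode_from_ls_line(LS_LINE)
    print(describe_inode(inode))
    rec = build_file_record(inode, sequence_number=7, flags=FLAG_IN_USE | FLAG_DIRECTORY)
    parsed = parse_file_record(rec)
    print(parsed)
    assert parsed["record_number"] == inode
```

The sequence number the parser returns is the field NTFS increments each time an entry is reused after a deletion; because entries are allocated from whatever slots are free rather than handed out in order, the numbers `ls -li` shows follow slot allocation, not creation date, which is the non-incremental behaviour the original question noticed.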
vonnz
(@vonnz)
New Member

Cheers for that! I'll have to do my reading up on the MFT now 🙂

Posted : 18/03/2005 5:56 am