NTFS MFT Example презентация

Октябрь 27, 2021

Содержание

2. MFT Table Entry
3. MFT Table Entry Magic marker: FILE
4. MFT Table Entry Update Sequence Offset: 0x 00 30 Three entries in update sequence
5. MFT Table Entry Sequence number is 0x 00 08
6. MFT Table Entry Link count is 00 01 (one)
7. MFT Table Entry First attribute is located at offset 0x 00 38
8. MFT Table Entry Flags are 0x 01 00 Record in use
9. MFT Table Entry Used size of MFT entry: 0x 00 00 01 68 = 360
10. MFT Table Entry Allocated size of MFT entry: 0x 00 00 04 00 = 102410
11. MFT Table Entry File Reference 0
12. MFT Table Entry Next attribute ID 0004
13. MFT Table Entry MFT Record Number 00 02 3C E0
14. MFT Table Entry Attribute Type: 00 00 00 10 Standard
15. MFT Table Entry Attribute Length: 00 00 00 60
16. MFT Table Entry Non-resident flag: resident
17. MFT Table Entry Length of name: 0
18. MFT Table Entry Offset to name: 0
19. MFT Table Entry Flags: 0
20. MFT Table Entry Attribute Identifier: 0
21. MFT Table Entry Size of Content: 0x 48 = 72
22. MFT Table Entry Offset to Content: 0x 18 = 24
23. MFT Table Entry Standard Information Content: File Creation Time 4029AF606C50C701
24. MFT Table Entry Standard Information Content: File Alternation Time 0046B5606C50C701 2/14/2007, 19:14:41 UTC
25. MFT Table Entry Standard Information Content: MFT Change Time 90CE7E856C50C701 2/14/2007, 19:15:42 UTC
26. MFT Table Entry Standard Information Content: File Read Time 0046B5606C50C701 2/14/2007, 19:14:41 UTC
27. MFT Table Entry DOS Permissions 00 00 00 20
28. MFT Table Entry Maximum Number of Versions 00 00 00 00
29. MFT Table Entry Version Number 00 00 00 00
30. MFT Table Entry Class ID 00 00 00 00
31. MFT Table Entry Owner ID 00 00 00 00
32. MFT Table Entry Security ID 00 00 03 0F
33. MFT Table Entry Quota Charged 00 00 03 0F
34. MFT Table Entry Update Sequence Number 00 00 00 02 60 E3 93 E8
35. MFT Table Entry Attribute Type Identifier 30: $FILENAME
36. MFT Table Entry Length of Attribute: 0x 70
37. MFT Table Entry Resident:
38. MFT Table Entry No Name
39. MFT Table Entry No Name
40. MFT Table Entry No Flages
41. MFT Table Entry Attribute identifier 2
42. MFT Table Entry Size of Content: 0x 52
43. MFT Table Entry Offset to Content: 0x 18 This gives us the structure of the attribute
44. MFT Table Entry File Reference to parent directory: 00 3A 00 00 00 02 B8 E4
45. MFT Table Entry File creation time: 4029AF606c50C701 2/14/2007 19:14:41 UTC
46. MFT Table Entry File modification time: 0046B5606c50C701 2/14/2007 19:14:41 UTC
47. MFT Table Entry File access time: 0046B5606c50C701 2/14/2007 19:14:41 UTC
48. MFT Table Entry MFT modification time: 0046B5606c50C701 2/14/2007 19:14:41 UTC
49. MFT Table Entry Allocated Size of File
50. MFT Table Entry Real Size of File
51. MFT Table Entry Flags
52. MFT Table Entry Security ID
53. MFT Table Entry Filename length in Unicode Characters: 8
54. MFT Table Entry Filename namespace
55. MFT Table Entry File name / extension in unicode: test.txt
56. MFT Table Entry Attribute Type: Object_ID
57. MFT Table Entry Length of Attribute: 0x28
58. MFT Table Entry Length of Attribute: 0x28
59. MFT Table Entry B0: Resident B1-4: No Name B 5-6: Attribute ID: 3
60. MFT Table Entry Size of content: 0x10 Offset to content 0x18 Check: Length of attribute is
61. MFT Table Entry Object ID:
62. MFT Table Entry Object ID:
63. MFT Table Entry Attribute Type: $DATA
64. MFT Table Entry Attribute Length: 0x30
65. MFT Table Entry Resident
66. MFT Table Entry No name
67. MFT Table Entry Size of contents: 0x17
68. MFT Table Entry Offset to contents: 0x18
69. MFT Table Entry Contents
71. Скачать презентацию

Слайд 2

MFT Table Entry

Слайд 3

MFT Table Entry
Magic marker: FILE

Слайд 4

MFT Table Entry
Update Sequence Offset: 0x 00 30
Three entries in update

sequence

Слайд 5

MFT Table Entry
Sequence number is 0x 00 08

Слайд 6

MFT Table Entry
Link count is 00 01
(one)

Слайд 7

MFT Table Entry
First attribute is located at offset
0x 00 38

Слайд 8

MFT Table Entry
Flags are 0x 01 00
Record in use

Слайд 9

MFT Table Entry
Used size of MFT entry:
0x 00 00 01 68

=
360

Слайд 10

MFT Table Entry
Allocated size of MFT entry:
0x 00 00 04 00

=
102410

Слайд 11

MFT Table Entry
File Reference 0

Слайд 12

MFT Table Entry
Next attribute ID 0004

Слайд 13

MFT Table Entry
MFT Record Number
00 02 3C E0

Слайд 14

MFT Table Entry
Attribute Type:
00 00 00 10
Standard

Слайд 15

MFT Table Entry
Attribute Length:
00 00 00 60

Слайд 16

MFT Table Entry
Non-resident flag:
resident

Слайд 17

MFT Table Entry
Length of name: 0

Слайд 18

MFT Table Entry
Offset to name: 0

Слайд 19

MFT Table Entry
Flags: 0

Слайд 20

MFT Table Entry
Attribute Identifier: 0

Слайд 21

MFT Table Entry
Size of Content: 0x 48 = 72

Слайд 22

MFT Table Entry
Offset to Content:
0x 18 = 24

Слайд 23

MFT Table Entry
Standard Information Content:
File Creation Time
4029AF606C50C701

Слайд 24

MFT Table Entry
Standard Information Content:
File Alternation Time
0046B5606C50C701
2/14/2007, 19:14:41 UTC

Слайд 25

MFT Table Entry
Standard Information Content:
MFT Change Time
90CE7E856C50C701
2/14/2007, 19:15:42 UTC

Слайд 26

MFT Table Entry
Standard Information Content:
File Read Time
0046B5606C50C701
2/14/2007, 19:14:41 UTC

Слайд 27

MFT Table Entry
DOS Permissions
00 00 00 20

Слайд 28

MFT Table Entry
Maximum Number of Versions
00 00 00 00

Слайд 29

MFT Table Entry
Version Number
00 00 00 00

Слайд 30

MFT Table Entry
Class ID
00 00 00 00

Слайд 31

MFT Table Entry
Owner ID
00 00 00 00

Слайд 32

MFT Table Entry
Security ID
00 00 03 0F

Слайд 33

MFT Table Entry
Quota Charged
00 00 03 0F

Слайд 34

MFT Table Entry
Update Sequence Number
00 00 00 02 60 E3 93

E8

Слайд 35

MFT Table Entry
Attribute Type Identifier
30: $FILENAME

Слайд 36

MFT Table Entry
Length of Attribute: 0x 70

Слайд 37

MFT Table Entry
Resident:

Слайд 38

MFT Table Entry
No Name

Слайд 39

MFT Table Entry
No Name

Слайд 40

MFT Table Entry
No Flages

Слайд 41

MFT Table Entry
Attribute identifier 2

Слайд 42

MFT Table Entry
Size of Content: 0x 52

Слайд 43

MFT Table Entry
Offset to Content: 0x 18
This gives us the structure

of the attribute

Слайд 44

MFT Table Entry
File Reference to parent directory:
00 3A 00 00 00

02 B8 E4

Слайд 45

MFT Table Entry
File creation time:
4029AF606c50C701
2/14/2007 19:14:41 UTC

Слайд 46

MFT Table Entry
File modification time:
0046B5606c50C701
2/14/2007 19:14:41 UTC

Слайд 47

MFT Table Entry
File access time:
0046B5606c50C701
2/14/2007 19:14:41 UTC

Слайд 48

MFT Table Entry
MFT modification time:
0046B5606c50C701
2/14/2007 19:14:41 UTC

Слайд 49

MFT Table Entry
Allocated Size of File

Слайд 50

MFT Table Entry
Real Size of File

Слайд 51

MFT Table Entry
Flags

Слайд 52

MFT Table Entry
Security ID

Слайд 53

MFT Table Entry
Filename length in Unicode Characters: 8

Слайд 54

MFT Table Entry
Filename namespace

Слайд 55

MFT Table Entry
File name / extension in unicode: test.txt

Слайд 56

MFT Table Entry
Attribute Type: Object_ID

Слайд 57

MFT Table Entry
Length of Attribute: 0x28

Слайд 58

MFT Table Entry
Length of Attribute: 0x28

Слайд 59

MFT Table Entry
B0: Resident
B1-4: No Name
B 5-6: Attribute ID: 3

Слайд 60

MFT Table Entry
Size of content: 0x10
Offset to content 0x18
Check: Length of

attribute is 0x28

Слайд 61

MFT Table Entry
Object ID:

Слайд 62

MFT Table Entry
Object ID:

Слайд 63

MFT Table Entry
Attribute Type: $DATA

Слайд 64

MFT Table Entry
Attribute Length: 0x30

Слайд 65

MFT Table Entry
Resident

Слайд 66

MFT Table Entry
No name

Слайд 67

MFT Table Entry
Size of contents: 0x17

Слайд 68

MFT Table Entry
Offset to contents: 0x18

Слайд 69

MFT Table Entry
Contents