Добавил:

AAA1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Опубликованный материал нарушает ваши авторские права? Сообщите нам.

Вуз:

Харьковский национальный университет радиоэлектроники

Предмет:

[НЕСОРТИРОВАННОЕ]

Файл:

4-1 Основи цифрової криміналістики / лк / lecture 3. Windows File System. NTFS.pptx

Скачиваний:

123

Добавлен:

02.02.2021

Размер:

1.18 Mб

Скачать

☆

<<< < Предыдущая 1 23 / 73 4 5 6 7 > Следующая >>>

Header of a MFT-entry

Attribute: Standard_Information

Attribute: File_Name

Attribute: Data

Attributes

Attribute: Bitmap

End marker

MFT Record Header

Offset	Size	Description		Offset	Size	Description
(Dec)	(bytes)	Description		(Dec)	(bytes)	Description
(Dec)	(bytes)			(Dec)	(bytes)
00	4	FILE or BAAD identifier		24	4	Logical Size of MFT Record
04	2	Offset to update sequence (fix-up)		28	4	Physical size of MFT Record
06	2	Size of Update Sequence and Array		32	8	Base File Reference
08	8	Log File Sequence Number (LSN)		40	2	Next Attribute ID number
16	2	Sequence Number		42	2	“00 00” Padding
18	2	Hard Link Count		44	4	$MFT Record Number
20	2	Offset to Start of Attributes		48	2	Update Sequence Number of Fix-up
		Flags	– Deleted File
22	2	00 00	– Deleted File	50	4	Update Sequence Array
22	2	01 00	– Allocated File	50	4	Update Sequence Array
		02 00	– Deleted Directory
		03 00	– Allocated directory
				24

MFT Record Header

Attribute Headers

•Attributes also have headers

•Contains some information about the attribute stream

•Indicates whether the stream is resident or non resident

Attribute Headers

•Attributes can be one of four types

–Resident and Named

–Resident and Unnamed

–Non Resident and Named

–Non Resident and Unnamed

•Every file has an Unnamed Stream

–But you can add a named stream also known as an alternate data stream or ADS

Resident Unnamed Attribute Header

Offset	Size	Value (hex)	Description
0	4		Attribute Type (e.g. 10 00 00 00)
4	4		Length (including this header)
8	1	00	00 – resident 01 – non resident
9	1	00	Name length in Unicode
10	2	00	Offset to name
12	2	00	Flags
12	2	00	01 00 Compressed
			00 40 Encrypted
			00 80 Sparse
14	2		Attribute ID
16	4	L	Attribute length from end of header
20	2	18	Offset to start of Attribute stream
22	1		Indexed Flag (00 No 01 Yes)
23	1	00	Padding
24	L		The Attribute stream

Resident Named Attribute Header

Offset	Size	Value (hex)	Description
0	4		Attribute Type (e.g. 10 00 00 00)
4	4		Length (including this header)
8	1	00	00 – resident 01 – non resident
9	1	N	Name length in Unicode
10	2	18	Offset to name
12	2	00	Flags
12	2	00	01 00 Compressed
			00 40 Encrypted
			00 80 Sparse
14	2		Attribute ID
16	4	L	Attribute length from end of header
20	2	2N+0x18	Offset to start of Attribute stream
22	1		Indexed Flag (00 No 01 Yes)
23	1	00	Padding
24	2N		The Attributes name in Unicode
2N+0x18	L		The Attribute stream

Non-resident Unnamed Attribute Header

Offset	Size	Value (hex)	Description
0	4		Attribute Type (e.g. 10 00 00 00)
4	4		Length (including this header)
8	1	01	00 – resident 01 – non resident
9	1	00	Name length in Unicode
10	2	00	Offset to name
			Flags
12	2	00	01 00 Compressed
12	2	00	00 40 Encrypted
			00 40 Encrypted
			00 80 Sparse
14	2		Attribute ID
16	8		Starting VCN
24	8		Last VCN
32	2	40	Offset to data runs
34	2		Compression Unit Size
36	4	00	Padding
40	8		Allocated size of attribute
48	8		Logical size of attribute
56	8		Initialized data size of stream
64			Data Runs

Non-resident Named Attribute Header

Offset	Size	Value (hex)	Description
0	4		Attribute Type (e.g. 10 00 00 00)
4	4		Length (including this header)
8	1	01	00 – resident 01 – non resident
9	1	N	Name length in Unicode
10	2	40	Offset to name
12	2	00	Flags 01 00 Compressed 00 40 Encrypted 00 80 Sparse
14	2		Attribute ID
16	8		Starting VCN
24	8		Last VCN
32	2	2N+0x40	Offset to data runs
34	2		Compression Unit Size
36	4	00	Padding
40	8		Allocated size of attribute
48	8		Real size of attribute
56	8		Initialized data size of stream
64	2N		Attributes name in Unicode
2N+0x40			Data Runs