This post will discuss the complex process and understanding of data storage in the New Technology File System ( NTFS ) specifically the $80 attribute's lesser understood structure of it's data runs.
This image is from the book "Guide to Computer Forensics and Investigations", September 28, 2009, by Bill Nelson (Author), Amelia Phillips (Author), Christopher Steuart (Author)
Thus, based on the image above, the data run can be extracted and analyzed for the actual data cluster locations.
If you want to create the same analysis and documentation of the data clusters, here is the actual string of the data runs: 32B1078C8C0022630795ED32BC063C360122350302FA210B6CFE229E01E904
The example above contains 6830 clusters for the file with positive and negative offsets to cluster runs. You can not get any more complex than this one. If you understand this example, you understand how NTFS saves non-resident files. If you are into programming, I would suggest you do this analysis by hand or with a simple application like I did here with Excel before attempting to write a program in a lower level programming language.
Good luck practicing and getting better in understanding technology at a deeper level.
Trying Yet Again. I know this was published in 2014 but I am confused by run 2 as this is, after reversing a negative value [ED95] and should have be subtracted from the previous starting cluster rather than adding? I only question this as I am involved in the forensic analysis of an 'embedded' NFTS structure which requires working through the data using my own code as I can show how I have arrived at my conclusions. Thank you.
ReplyDelete