Working with a File's Non-Resident DATA Field in the MFT

Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Objectives:
The student will become familiar with:
Using the partition table to determine the VBR's location,
Reading the partition's VBR,
Determining Cluster zero's start sector LBA address,
Determining the cluster size for the partition,
Locating a file's primary MFT entry,
Determining that the file's $DATA attribute is non-resident,
Determining the location of the $DATA cluster runs within the MFT entry,
Determining the total number of sectors addressed by the cluster runs,
Determining the absolute file size,
Interpreting a file with a single cluster run,
Locating the non-resident data clusters,
Rescuing the data held in the non-resident clusters.
Competency:
The student will continue learning how to use Norton DiskEdit for data recovery. This includes routine acquisition of the MBR of BIOS drive 80h, analysis of the partition table (including calculating the location of the NTFS VBR), and acquiring, displaying and analyzing that VBR. The student will then use DiskEdit to find a file's MFT entry, analyze it, locate the $DATA field, determine that it is non-resident, interpret the cluster runs, locate them on the drive, and save the data to another location for recovery.

    Preparation

  1. The student should have a lab PC running Windows 2000 or higher on a single NTFS-partitioned C: drive, on an HDD being handled as a "Basic Disk", and then proceed with the following procedures.

  2. Procedures

  3. Boot to New Boot A or the student CD-ROM and run NTFSDOS. This utility is a low-level DOS driver that can interpret NTFS partitions and assign them a drive letter accessible from the command line. The driver should indicate that Partition #1 of Drive 0x80 has been given letter D. Change to the D: drive and find the file "msoe.txt":

    Q:\BOOTNAV>D:
    D:>dir msoe.txt /s
    
     Volume in drive D is            
    
    Directory of D:\Program Files\Outlook Express
    
    MSOE     TXT        20,739  12-07-99  8:00p msoe.txt
             1 file(s)         20,739 bytes
    
    Total files listed:
             1 file(s)         20,739 bytes
             0 dir(s)          37,096 bytes free
    D:>
    

  4. Change directory to the location where the file was found and then display it on screen using the MORE filter:

    D:>cd "Program Files\Outlook Express"
    
    D:\Program Files\Outlook Express>type msoe.txt | more
    

  5. Note the beginning information presented here for comparison with the raw data that will be recovered later. Cancel the MORE filter with [Ctrl]+[C] and change back to the K: drive. Launch Norton DiskEdit.

  6. In Norton DiskEdit, write enable is not necessary. Open the object menu with [Alt]+[O] then open the "Drive" option. [Tab] once to the Disk Type selection pane and down arrow to the "Physical Disks" option and press the spacebar to select it. Physical Hard Disk 1 should be highlighted in the Drives selection pane automatically, so press [Enter].

  7. A hex view of the contents of the first physical sector of the hard drive is currently on screen. Page Down to the sector at Cyl=0, Side=1, Sector=1 in order to view the NTFS VBR on screen. Note: the proper procedure is to inspect the partition tables in the master boot record in order to locate the first sector of the active NTFS type partition. That exercise is covered in the Locate and Display the NTFS VBR module.

  8. With the NTFS VBR on screen, note the cluster size field at offset 0Dh on the first row:

    Physical Sector: Cyl 0, Side 1, Sector 1
    00000000: EB 52 90 4E 54 46 53 20 - 20 20 20 00 02 04 00 00
    
  9. The location of the VBR is now established as the sector at Cyl=0, Head (Side)=1, Sector=1 or LBA Sector #63. This sector is the first sector of Data Cluster #0. The size of the data clusters has also been established as 4 sectors/cluster. This information will be needed in order to find the data clusters of any and every file in this partition.

  10. Now open the Tools menu and select the "Find" choice. In the ASCII box enter the complete filename as "msoe.txt", including the period and all in lower case. MFT entries hold the full actual filename, including the period and any lower case letters, which are used in this case. (Note: the far right column of the DIR command output above displays the literal MFT entry name.)

    
    
    Enter text to search for:
    ASCII [msoe.txt.....................................] Hex 6D 73 6F 65 2E 74 78 74 Ignore case

  11. The filenames in the MFT are actually stored as Unicode characters. The ISO-Latin Unicode Character set #8859-1 is the default for Windows and the ASCII code has been made a subset of it. Since Unicode is 16-bit, each ASCII code must be extended into a 16-bit number in which the most significant 8 bits are zeros. Remembering that Intel processors are little endian, this means that the zero byte must be added behind each ASCII character to convert it to Unicode. [Tab] into the "Hex" box and right arrow once to place the cursor after the first ASCII code, then enter two zeros, then right arrow once and enter the next two zeros, and so on until the file name looks like this:

    
    
    Enter text to search for:
    ASCII [m s o e . t x t..............................] Hex 6D 00 73 00 6F 00 65 00 2E 00 74 00 78 00 74 Ignore case

  12. [Tab] to the Ignore case check box and press the spacebar to uncheck it, then press [Enter]. The first "hit" should be the filename within its MFT entry. Scroll up to the top of the sector to verify that it is the file's MFT entry:

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    

  13. This sector carries the MFT header, easily recognized by its first four bytes spelling "FILE" in ASCII. Offset 14h of the MFT entry holds the offset, measured from the start of the entry, of the first defined attribute of the file:

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    

  14. Again this is little endian, so the value is 0030h. Start at the letter "F" in "FILE" at the top left corner of the sector as offset zero, then down arrow and count "ten", down arrow again and count "twenty", down arrow a third time and count "thirty". This is the start of the first attribute within the entry:

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    

  15. The attribute header is sixteen bytes in size and so covers exactly the row starting with the highlighted byte. The first four bytes are the attribute type: "10 00 00 00" is the $STANDARD_INFORMATION attribute. The next four bytes are the size of the attribute in little endian format. In this case the size of the $STANDARD_INFORMATION attribute is "60 00 00 00" or simply 60h bytes. With the cursor positioned on the starting byte of the attribute, down arrow once and count "ten", again and count "twenty", then "thirty", "forty", "fifty", then "sixty":

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    

  16. This is the beginning of the next attribute. Again its header is sixteen bytes in size, covering the entire row, with the first four bytes indicating the attribute type and the next four indicating its size. The size of this attribute is "70 00 00 00" or simply 70h. With the cursor where it is, count down to seventy hex:

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    

  17. This is a type 50h attribute. The size is "B0 00 00 00" or simply B0h. Hex has the extra digits A through F, so B0h is eleven rows of sixteen bytes: count to eleven to position the cursor on the start of the next attribute:

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    

  18. This attribute begins with "80 00 00 00" which is a standard $DATA attribute for the file. This attribute holds the data or the necessary information to locate the clusters that hold the data of the file.

  19. The byte at offset 08h of the attribute (within its standard header) indicates whether the attribute is resident or non-resident. A zero at this location indicates resident, a 01h indicates non-resident. In this case it is a 01h indicating non-resident:

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    

  20. Because this is a non-resident $DATA attribute for the file, the size and meaning of the fields that follow this header change. For non-resident $DATA attributes in particular the fields mean:

    Offset  Size   Field
    00h     DWORD  Attribute Type
    04h     DWORD  Attribute Size
    08h     BYTE   Resident Flag
    09h     BYTE   Name Length (many default zero)
    0Ah     WORD   Offset to name (zero if no name)
    0Ch     WORD   Attribute Flags
    0Eh     WORD   Attribute ID#
    10h     QWORD  Starting VCN of the runlist
    18h     QWORD  Ending VCN of the runlist
    20h     WORD   Offset to the runlist
    22h     WORD   Compression unit size
    24h     DWORD  Unused
    28h     QWORD  Allocated size of attribute content
    30h     QWORD  Actual Size of attribute content
    38h     QWORD  Initialized size of attribute content

  21. There is a lot of significant information here. Because the header indicates that the attribute is non-resident, the fields take the meanings above: the QWORD following the standard header (the eight bytes starting the row beneath it) holds the starting VCN (Virtual Cluster Number) of the file that this $DATA attribute is describing. If this is NOT zero, then this is NOT the first $DATA attribute of the file, and the first $DATA attribute of the file will then have to be located. In this case the value is zero:

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    

  22. The next field is the following QWORD (8 bytes), which indicates the ending VCN that this $DATA attribute is describing. In this case it is the number ten. So this $DATA attribute says that it is going to map VCNs zero to ten of the file, for a total of eleven VCNs:

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    

  23. The next two bytes are the WORD that holds the offset to the runlist (present because this is a non-resident $DATA attribute). This value is 40 00 =x=> 0040h. Count this offset from the start of the attribute to arrive at the runlist:

    Physical Sector: Cyl 1, Side 80, Sector 60
    00000000:  46 49 4C 45 2A 00 03 00-00 65 40 01 00 00 00 00   FILE*....e@.....
    00000010:  02 00 01 00 30 00 01 00-00 02 00 00 00 04 00 00   ....0...........
    00000020:  00 00 00 00 00 00 00 00-06 00 05 00 47 11 00 00   ............G...
    00000030:  10 00 00 00 60 00 00 00-00 00 00 00 00 00 00 00   ....`...........
    00000040:  48 00 00 00 18 00 00 00-60 50 84 C8 AB AF C3 01   H.......`P......
    00000050:  00 A0 71 A4 ED 40 BF 01-60 F7 5F 73 AC AF C3 01   ..q..@..`._s....
    00000060:  90 D7 85 C8 AB AF C3 01-20 00 00 00 00 00 00 00   ........ .......
    00000070:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000080:  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    00000090:  30 00 00 00 70 00 00 00-00 00 00 00 00 00 05 00   0...p...........
    000000A0:  52 00 00 00 18 00 01 00-6C 19 00 00 00 00 01 00   R.......l.......
    000000B0:  60 50 84 C8 AB AF C3 01-00 A0 71 A4 ED 40 BF 01   `P........q..@..
    000000C0:  90 D7 85 C8 AB AF C3 01-90 D7 85 C8 AB AF C3 01   ................
    000000D0:  00 58 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .X.......Q......
    000000E0:  20 00 00 00 00 00 00 00-08 03 6D 00 73 00 6F 00    .........m.s.o.
    000000F0:  65 00 2E 00 74 00 78 00-74 00 1F 00 01 02 00 00   e...t.x.t.......
    00000100:  50 00 00 00 B0 00 00 00-00 00 00 00 00 00 03 00   P...............
    00000110:  94 00 00 00 18 00 00 00-01 00 04 94 78 00 00 00   ............x...
    00000120:  88 00 00 00 00 00 00 00-14 00 00 00 02 00 64 00   ..............d.
    00000130:  04 00 00 00 00 00 18 00-A9 00 12 00 01 02 00 00   ................
    00000140:  00 00 00 05 20 00 00 00-21 02 00 00 00 00 18 00   .... ...!.......
    00000150:  A9 00 12 00 01 02 00 00-00 00 00 05 20 00 00 00   ............ ...
    00000160:  23 02 00 00 00 00 18 00-FF 01 1F 00 01 02 00 00   #...............
    00000170:  00 00 00 05 20 00 00 00-20 02 00 00 00 00 14 00   .... ... .......
    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    
                ^
                |
         Start of runlist
    

  24. The runlist describes the clusters that hold the data of the file. Its first byte is the field size descriptor of the first run of clusters. It must be broken into the top nibble (4 bits) and the bottom nibble. The byte itself, presented here in hexadecimal, is "31", and the bottom nibble is the bottom hex digit, in this case the one. This means that the size field of this run is one byte in length and is the byte immediately after the descriptor. That byte holds the value 0Bh:

    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    
                ^
                |
         Size of Size field = 1 Byte, the following byte
    

  25. This means that this run, or consecutive series of clusters, is eleven clusters in length. Remember that the starting VCN was zero and the ending VCN was ten, for a total of eleven clusters of the file. This means that this should be the only run in the runlist. This will be borne out momentarily. Furthermore, the allocated and actual sizes of the data should be observed. The field at offset 28h of this attribute holds the allocated size, that is, how much hard drive space the file has taken out of use. This value is 5800h =d=> 22528 bytes. Each cluster is 4 sectors or 2048 bytes and this $DATA attribute consists of eleven clusters: 2048 x 11 = 22528, which concurs. The field at offset 30h of this attribute holds the actual size of the data. In this case this value is 5103h =d=> 20739 bytes, which was seen from the DOS prompt to be the size of the file. It appears that the file's size is calculated from the $DATA field's totals, since the file size is not stored in the $STANDARD_INFORMATION attribute. It is found in the $FILENAME attribute, but this may not be reliable. The allocated and actual data size fields of the non-resident $DATA attribute:

    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    
  26. The top nibble of the runlist descriptor byte is the three. This indicates that the start cluster number of the run will occupy the next three bytes after the size field. These are highlighted below:

    00000180:  FF 01 1F 00 01 01 00 00-00 00 00 05 12 00 00 00   ................
    00000190:  01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00   ........ ... ...
    000001A0:  01 01 00 00 00 00 00 05-12 00 00 00 20 00 00 00   ............ ...
    000001B0:  80 00 00 00 48 00 00 00-01 00 00 00 00 00 04 00   ....H...........
    000001C0:  00 00 00 00 00 00 00 00-0A 00 00 00 00 00 00 00   ................
    000001D0:  40 00 00 00 00 00 00 00-00 58 00 00 00 00 00 00   @........X......
    000001E0:  03 51 00 00 00 00 00 00-03 51 00 00 00 00 00 00   .Q.......Q......
    000001F0:  31 0B 75 72 07 00 00 00-FF FF FF FF 82 79 05 00   1.ur.........y..
    
                ^
                |
         Size of Start Cluster Number field = 3 Bytes, the three that follow the size byte
    

  27. This is the first run in the runlist. It therefore holds the actual cluster number within this partition that holds the data. These bytes, regardless of how many there are, are stored in little endian order and therefore must be byte reversed: 75 72 07 =x=> 07 72 75. This is the actual cluster number that starts this cluster run. Convert to decimal: 77275h =d=> 488053. The location of the starting sector of this cluster must now be found. Here is the formula for finding it in the NTFS partition:

    Start Sector LBA Address of Cluster N within NTFS Partition
    
    SSCN = (CN X CS) + C0LBA
    Where:
    SSCN is the Start Sector's LBA address of Cluster number N
    
    CN is the cluster number in question
    
    CS is the Cluster Size in sectors
    
    C0LBA is the LBA address of Cluster zero
    
  28. Substituting all information gathered so far into this formula:

    SSCN = (488,053 X 4) + 63
    
    1,952,275 = (488,053 X 4) + 63
    
  29. This is the actual LBA address of the sector where this run begins. A run holds at least one cluster and can hold as many as are described in the size field. By definition, the clusters of a run are stored back to back. The size field of this run indicates that it starts with this cluster and is eleven clusters in size. Therefore the data starts at the sector at LBA address 1,952,275 and occupies the 44 sectors in a row starting with this one (11 clusters x 4 sectors/cluster). Converting this number to CHS coordinates yields: Cyl = 242, Head = 12, Sector = 32. (This assumes the HDD geometry of 785 cylinders, 128 heads and 63 sectors/track.) Open the Object Menu with [Alt]+[O] and then press [P] to open the physical sector selection window. Enter these values, enter 44 as the size, and then press [Enter]. Note that DiskEdit recognizes the contents of the sectors as ASCII text and presents them in this format on screen. The data has been found.

  30. Finally, note that the byte that follows the first cluster run is a zero. This means that there are no more cluster runs described in this list. Nor should there be, since the attribute originally claimed to describe eleven clusters and this first run's size was eleven clusters. The following bytes that end the MFT entry appear to be checksum values and are of little concern for now.

  31. The next exercise will append more data to this file, causing it to grow in size and require more clusters. Since this file fell into place during the installation, it will have to grow into another location and will fragment. The file system will select another location for the new data clusters and add at least one additional run to the runlist. That run will then be pursued in order to demonstrate how the data can be located on the drive.
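
The decoding done by hand in steps 22 through 30, as an added Python example that is not part of the original lab; the function names are illustrative. It parses the $DATA attribute bytes copied from the dump (offsets 1B0h to 1F7h) and goes beyond the lab's single-run file: for later runs it treats the start-cluster field as a signed offset from the previous run's start cluster, and a run with a zero-length start-cluster field as sparse.

```python
import struct

# $DATA attribute bytes copied from the sector dump above (offsets 1B0h-1F7h).
ATTR = bytes.fromhex(
    "80 00 00 00 48 00 00 00 01 00 00 00 00 00 04 00"
    "00 00 00 00 00 00 00 00 0A 00 00 00 00 00 00 00"
    "40 00 00 00 00 00 00 00 00 58 00 00 00 00 00 00"
    "03 51 00 00 00 00 00 00 03 51 00 00 00 00 00 00"
    "31 0B 75 72 07 00 00 00")
SECTORS_PER_CLUSTER, CLUSTER0_LBA = 4, 63  # values used in steps 25 and 28
HEADS, SPT = 128, 63                       # geometry assumed in step 29

def parse_nonresident(attr):
    """Decode the header fields and runlist of a non-resident attribute."""
    length, nonres = struct.unpack_from("<IB", attr, 4)
    if nonres != 1:
        raise ValueError("attribute is resident; it has no runlist")
    start_vcn, end_vcn, run_off = struct.unpack_from("<QQH", attr, 0x10)
    allocated, real = struct.unpack_from("<QQ", attr, 0x28)
    runs, pos, lcn = [], run_off, 0
    while pos < length and attr[pos] != 0:      # a 00h byte ends the runlist
        len_sz, off_sz = attr[pos] & 0x0F, attr[pos] >> 4
        pos += 1
        if len_sz == 0 or pos + len_sz + off_sz > length:
            raise ValueError("malformed run descriptor")
        count = int.from_bytes(attr[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:                         # sparse run: nothing on disk
            runs.append((None, count))
        else:                                   # signed delta from the previous run
            lcn += int.from_bytes(attr[pos:pos + off_sz], "little", signed=True)
            runs.append((lcn, count))
        pos += off_sz
    if sum(c for _, c in runs) != end_vcn - start_vcn + 1:
        raise ValueError("runlist does not cover the VCN range in the header")
    return dict(start_vcn=start_vcn, end_vcn=end_vcn, allocated=allocated, real=real, runs=runs)

def cluster_to_lba(lcn):
    return lcn * SECTORS_PER_CLUSTER + CLUSTER0_LBA   # SSCN = (CN x CS) + C0LBA

def lba_to_chs(lba):
    cyl, rem = divmod(lba, HEADS * SPT)
    head, sec = divmod(rem, SPT)
    return cyl, head, sec + 1                         # CHS sectors count from 1

if __name__ == "__main__":
    for lcn, count in parse_nonresident(ATTR)["runs"]:
        lba = cluster_to_lba(lcn)                     # this sample has no sparse runs
        print(lcn, count, lba, lba_to_chs(lba), count * SECTORS_PER_CLUSTER)
```

The check that the run lengths add up to the VCN range in the header is the same cross-check made in steps 25 and 30, and it catches a truncated or damaged runlist before any sectors are copied.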


Copyright©2000-2006 Brian Robinson ALL RIGHTS RESERVED