
Addition of Desktop.ini File

Something else that stood out was the automatic addition of a "desktop.ini" file when content was added to the drive.

The experiments performed here suggest the file is created when content (a file or folder) is added to the drive. The file was not found on the clean drive; it was only found after content had been added (the directory was never listed during the experiments). The "desktop.ini" file essentially describes the directory it is in. It is used like a configuration file, storing the details of how the user personalised the directory (e.g. the thumbnails used).

The block below was found at offset 0x0790560, with an identical one at offset 0x0794560, in a new metadata block. The file was added on every test disk, but it appeared in two different metadata blocks only on the drive with the folder added and the one with the .exe file added. The addition of a "desktop.ini" file (highlighted aqua in the original) was also found on the NTFS drive tested.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000790560  50 00 00 00 10 00 18 00 00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 02 07 00 00 00 00 00 00  P.........(.(... ..€............
000790580  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 16 00 64 00 65 00 73 00 6B 00 74 00 6F 00  ....................d.e.s.k.t.o.
0007905A0  70 00 2E 00 69 00 6E 00 69 00 00 00 00 00 01 00 40 04 00 00 10 00 1A 00 08 00 30 00 10 04 00 00  p...i.n.i.......@.........0.....
0007905C0  30 00 01 00 64 00 65 00 73 00 6B 00 74 00 6F 00 70 00 2E 00 69 00 6E 00 69 00 00 00 00 00 00 00  0...d.e.s.k.t.o.p...i.n.i.......
0007905E0  A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ¨...(...........................
000790600  00 00 00 00 00 00 00 00 63 85 0C BA 69 41 D0 01 E9 E7 0E BA 69 41 D0 01 E9 E7 0E BA 69 41 D0 01  ........c….°iAƉ.µç.°iAƉ.µç.°iAƉ.
000790620  63 85 0C BA 69 41 D0 01 26 00 00 00 00 00 00 00 02 07 00 00 00 00 00 00 01 00 00 00 00 00 00 00  c….°iAƉ.&.......................
000790640  72 DC 3C B5 01 00 00 00 81 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00  rÜ<µ............................
000790660  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................................
000790680  00 00 00 00 00 00 00 00 20 00 00 00 A0 01 00 00 D4 00 00 00 00 02 00 00 74 02 00 00 01 00 00 00  ........ ... ...Ô.......t.......
0007906A0  78 02 00 00 00 00 00 00 80 01 00 00 10 00 0E 00 08 00 20 00 60 01 00 00 60 01 00 00 00 00 00 00  x.......€......... .`...`.......
0007906C0  80 00 00 00 00 00 00 00 88 00 00 00 28 00 01 00 01 00 00 00 20 01 00 00 20 01 00 00 02 00 00 00  €.......ˆ...(....... ... .......
0007906E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00  ................................
000790700  00 00 00 00 81 00 00 00 00 00 00 00 81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................
000790720  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................
000790740  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 50 00 00 00 84 00 00 00 00 02 00 00  ................ ...P...„.......
000790760  D4 00 00 00 01 00 00 00 D8 00 00 00 00 00 00 00 30 00 00 00 10 00 10 00 00 00 10 00 20 00 00 00  Ô.......ø.......0........... ...
000790780  00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 A8 01 00 00 00 00 00 00 00 00 00 08 00 00 00 00  ................¨...............

Metadata Block Offset   Starting Bytes   hellofolder   helloworld.doc   helloworld.exe   helloworld.txt
0x0790000               A4 01            present       present          present          present
0x0794000               A5 01            present       -                present          -

The table above shows in which metadata blocks the desktop.ini file appears on each test drive; the entries follow the observation above that the file sits in the first block on every drive and in the second block only on the folder and .exe drives.

As the desktop.ini file is just a file like any other, its record has a file size (highlighted orange in the original), a pointer to the contents (red) and MACE times (green). The pointer is A8 01 (0x1A8), which means it points to offset 0x7A0000.

The contents found at this offset are shown below. The file data occupies 129 bytes (0x81) of the block; 0x81 is also the file size highlighted in the desktop.ini record above, which confirms the size field.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
0007A0000  5B 2E 53 68 65 6C 6C 43 6C 61 73 73 49 6E 66 6F 5D 0D 0A 43 4C 53 49 44 3D 7B 36 34 35 46 46 30  [.ShellClassInfo]..CLSID={645FF0
0007A0020  34 30 2D 35 30 38 31 2D 31 30 31 42 2D 39 46 30 38 2D 30 30 41 41 30 30 32 46 39 35 34 45 7D 0D  40-5081-101B-9F08-00AA002F954E}.
0007A0040  0A 4C 6F 63 61 6C 69 7A 65 64 52 65 73 6F 75 72 63 65 4E 61 6D 65 3D 40 25 53 79 73 74 65 6D 52  .LocalizedResourceName=@%SystemR
0007A0060  6F 6F 74 25 5C 73 79 73 74 65 6D 33 32 5C 73 68 65 6C 6C 33 32 2E 64 6C 6C 2C 2D 38 39 36 34 0D  oot%\system32\shell32.dll,-8964.
0007A0080  0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

This exact content is also found on the NTFS and FAT32 drives. The content is identical across all drives because no folder personalisation has taken place.

When multiple folders were added to the file system, still only one desktop.ini entry was found. A likely reason is that no modifications were made, so the default was still in use (and each directory would share this one default). The file content was also unaltered when the file system had multiple folders on the drive.
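As an added example (written for this page, not part of the original write-up), the Python below parses the two dumps in this section exactly as transcribed here, pulls the name, MACE timestamps, size and content pointer out of the record at the offsets where they sit in the dump, maps the pointer to 0x7A0000 and checks that the zero-stripped content is 0x81 bytes long, which is the cross-check the text performs by hand. Three things it assumes that the page does not state are marked in the comments: the block-to-offset mapping offset = 0x100000 + n * 0x4000 (inferred from the three block/offset pairs given on this page), the 16-bit 0x16 just before the name being its byte length, and the 0x26 that follows the four timestamps being the Windows file-attribute flags.

```python
import configparser
import struct
from datetime import datetime, timedelta, timezone

# Rows transcribed from the record dump above (ASCII column dropped).
RECORD_DUMP = """\
000790560  50 00 00 00 10 00 18 00 00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 02 07 00 00 00 00 00 00
000790580  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 16 00 64 00 65 00 73 00 6B 00 74 00 6F 00
0007905A0  70 00 2E 00 69 00 6E 00 69 00 00 00 00 00 01 00 40 04 00 00 10 00 1A 00 08 00 30 00 10 04 00 00
0007905C0  30 00 01 00 64 00 65 00 73 00 6B 00 74 00 6F 00 70 00 2E 00 69 00 6E 00 69 00 00 00 00 00 00 00
0007905E0  A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00
000790600  00 00 00 00 00 00 00 00 63 85 0C BA 69 41 D0 01 E9 E7 0E BA 69 41 D0 01 E9 E7 0E BA 69 41 D0 01
000790620  63 85 0C BA 69 41 D0 01 26 00 00 00 00 00 00 00 02 07 00 00 00 00 00 00 01 00 00 00 00 00 00 00
000790640  72 DC 3C B5 01 00 00 00 81 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
000790660  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
000790680  00 00 00 00 00 00 00 00 20 00 00 00 A0 01 00 00 D4 00 00 00 00 02 00 00 74 02 00 00 01 00 00 00
0007906A0  78 02 00 00 00 00 00 00 80 01 00 00 10 00 0E 00 08 00 20 00 60 01 00 00 60 01 00 00 00 00 00 00
0007906C0  80 00 00 00 00 00 00 00 88 00 00 00 28 00 01 00 01 00 00 00 20 01 00 00 20 01 00 00 02 00 00 00
0007906E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
000790700  00 00 00 00 81 00 00 00 00 00 00 00 81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000790720  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000790740  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 50 00 00 00 84 00 00 00 00 02 00 00
000790760  D4 00 00 00 01 00 00 00 D8 00 00 00 00 00 00 00 30 00 00 00 10 00 10 00 00 00 10 00 20 00 00 00
000790780  00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 A8 01 00 00 00 00 00 00 00 00 00 08 00 00 00 00
"""
# Rows transcribed from the content dump at 0x7A0000 (ASCII column dropped).
CONTENT_DUMP = """\
0007A0000  5B 2E 53 68 65 6C 6C 43 6C 61 73 73 49 6E 66 6F 5D 0D 0A 43 4C 53 49 44 3D 7B 36 34 35 46 46 30
0007A0020  34 30 2D 35 30 38 31 2D 31 30 31 42 2D 39 46 30 38 2D 30 30 41 41 30 30 32 46 39 35 34 45 7D 0D
0007A0040  0A 4C 6F 63 61 6C 69 7A 65 64 52 65 73 6F 75 72 63 65 4E 61 6D 65 3D 40 25 53 79 73 74 65 6D 52
0007A0060  6F 6F 74 25 5C 73 79 73 74 65 6D 33 32 5C 73 68 65 6C 6C 33 32 2E 64 6C 6C 2C 2D 38 39 36 34 0D
0007A0080  0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTRIBUTE_BITS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}  # FILE_ATTRIBUTE_* subset

def parse_hexdump(text):
    """Rows of '<offset>  <32 hex bytes>' -> (base_offset, bytes); rows must be complete and contiguous."""
    base, out = None, bytearray()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if len(tok) != 33:
            raise ValueError(f"row {tok[0]} does not carry 32 bytes")
        off = int(tok[0], 16)
        if base is None:
            base = off
        elif off != base + len(out):
            raise ValueError(f"row {tok[0]} is not contiguous with the previous row")
        out += bytes(int(b, 16) for b in tok[1:])
    return base, bytes(out)

def filetime_to_datetime(raw8):
    """Little-endian 64-bit Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks = struct.unpack("<Q", raw8)[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def block_to_offset(block_no):
    """Assumption of this example: the three pairs the page gives (0x1A4 -> 0x790000,
    0x1A5 -> 0x794000, 0x1A8 -> 0x7A0000) all fit offset = 0x100000 + block_no * 0x4000."""
    return 0x100000 + block_no * 0x4000

def parse_record(base, data):
    """Pull out the fields the text highlights, addressed by their absolute offsets in the dump."""
    def u(fmt, abs_off):
        return struct.unpack_from(fmt, data, abs_off - base)[0]
    name_len = u("<H", 0x790592)   # 0x16 = 22: assumed to be the byte length of the UTF-16 name after it
    name = data[0x790594 - base:][:name_len].decode("utf-16-le")
    times = [filetime_to_datetime(data[0x790608 - base + 8 * i:][:8]) for i in range(4)]  # the MACE times
    attrs = u("<I", 0x790628)      # 0x26: assumed to be FILE_ATTRIBUTE flags (the page does not name this field)
    size = u("<Q", 0x790648)       # 0x81: the file size the text highlights
    block_no = u("<I", 0x790790)   # A8 01 00 00 = 0x1A8: the pointer to the contents
    return {"name": name, "times": times, "size": size, "block_no": block_no,
            "attributes": [n for bit, n in ATTRIBUTE_BITS.items() if attrs & bit],
            "content_offset": block_to_offset(block_no)}

def parse_content(data):
    """Strip the zero padding after the file's last byte, then parse the INI text."""
    body = data.rstrip(b"\x00")
    ini = configparser.ConfigParser(interpolation=None)  # values contain '%', so no interpolation
    ini.read_string(body.decode("ascii"))
    return body, ini

def analyse():
    """Cross-check the record against the content block the way the text does."""
    base, record = parse_hexdump(RECORD_DUMP)
    info = parse_record(base, record)
    content_base, content = parse_hexdump(CONTENT_DUMP)
    body, ini = parse_content(content)
    info["pointer_matches_content_block"] = info["content_offset"] == content_base
    info["size_matches_content"] = info["size"] == len(body)
    info["clsid"] = ini[".ShellClassInfo"]["CLSID"]
    info["resource"] = ini[".ShellClassInfo"]["LocalizedResourceName"]
    return info

if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Run as a script it prints each decoded field: the four timestamps all decode to 2015-02-05 17:32:34 UTC (the middle two about 15.6 ms later than the first and last), the pointer lands exactly on the content block, and the content is 129 bytes, matching the size field. Two side observations fall out of the decode: the CLSID {645FF040-5081-101B-9F08-00AA002F954E} in the content is the well-known shell class identifier of the Windows Recycle Bin, and under the attribute-flag assumption 0x26 decodes as HIDDEN|SYSTEM|ARCHIVE, the marking Windows normally gives a desktop.ini, which is worth keeping in mind when triaging hidden system files in a directory listing.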