
.doc File Copy File

For this experiment, the file was copied, pasted and then renamed. During the analysis, entries for "helloworld.doc", "helloworld - Copy.doc" and "sayitagain.doc" are expected to be found. As when the file was renamed, the file system metadata blocks of the drive with the copied file were largely the same as those of the other drives, with the exception of the first block and the extra content at offset 0x07C0000.

The first block has a lot in common with the first block of the other drives. The first instances of the file name are found at offset 0x0750600, and there are three of them, compared with only two for the original .doc file. This is very similar to what was seen when the file was permanently deleted. There are some differences, however: most notably, when the file has been copied the file size is still present, as expected.

Further down in this first metadata block, an entry for the copied file was found (shown below).

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000750AC0  04 00 28 00 38 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 03 00 00 00 00 00 00 00  ..(.8... ..€....................

000750AE0  00 00 00 00 00 00 00 00 0C 00 2A 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ..........*.h.e.l.l.o.w.o.r.l.d.

000750B00  20 00 2D 00 20 00 43 00 6F 00 70 00 79 00 2E 00 64 00 6F 00 63 00 BA 02 40 04 00 00 10 00 20 00   .-. .C.o.p.y...d.o.c.@..... .

000750B20  00 00 30 00 10 04 00 00 30 00 01 00 73 00 61 00 79 00 69 00 74 00 61 00 67 00 61 00 69 00 6E 00  ..0.....0...s.a.y.i.t.a.g.a.i.n.

000750B40  2E 00 64 00 6F 00 63 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00  ..d.o.c...(...................

000750B60  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 5A D0 56 86 2B D0 01 24 2F 27 6F 7F 2B D0 01  ................3ZÐV†+Ð.$/'o.+Ð.

000750B80  75 F2 90 59 86 2B D0 01 33 5A D0 56 86 2B D0 01 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00  uò.Y†+Ð.3ZÐV†+Ð. ...............

000750BA0  03 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ........+Oúû....................

000750BC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

000750BE0  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 A0 01 00 00 D4 00 00 00 00 02 00 00  ................ ... ...Ô.......

000750C00  74 02 00 00 01 00 00 00 78 02 00 00 00 00 00 00 80 01 00 00 10 00 0E 00 08 00 20 00 60 01 00 00  t.......x.......€......... .`...

000750C20  60 01 00 00 00 00 00 00 80 00 00 00 00 00 00 00 88 00 00 00 28 00 01 00 01 00 00 00 20 01 00 00  `.......€.......ˆ...(....... ...

000750C40  20 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ...............................

000750C60  00 00 00 00 00 00 01 00 00 00 00 00 0A 00 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00  ................................

000750C80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

000750CA0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 50 00 00 00  ........................ ...P...

000750CC0  84 00 00 00 00 02 00 00 D4 00 00 00 01 00 00 00 D8 00 00 00 00 00 00 00 30 00 00 00 10 00 10 00  „.......Ô.......Ø.......0.......

000750CE0  00 00 10 00 20 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 01 00 00 00 00 00 00  .... ...................°.......


Highlighted in the block above are the file pointer (in orange, at offset 0x0750CF8), the file size (in red) and the MACE times (in green). The copied filename "helloworld - Copy.doc" can be seen (in blue), followed by the renamed filename "sayitagain.doc" (in purple).
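To pull the same fields out of a raw block without relying on the colour highlighting, here is an added Python example (not part of the original analysis) that carves UTF-16LE filenames from the dump rows above and decodes the four 8-byte little-endian values starting at 0x0750B70 as Windows FILETIMEs. Treating those four values as the MACE set is an assumption, and the sample bytes are a transcription of rows 0x0750AE0-0x0750B9F of the dump.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: rows 0x0750AE0-0x0750B9F of the metadata block shown above,
# transcribed from the dump (six rows of 32 bytes).
BASE = 0x0750AE0
SAMPLE = bytes.fromhex(
    "00000000000000000C002A0068006500" "6C006C006F0077006F0072006C006400"
    "20002D00200043006F00700079002E00" "64006F006300BA024004000010002000"
    "00003000100400003000010073006100" "79006900740061006700610069006E00"
    "2E0064006F006300A800000028000100" "00000000100100001001000002000000"
    "00000000000000000000000000000000" "335AD056862BD001242F276F7F2BD001"
    "75F29059862BD001335AD056862BD001" "20000000000000000006000000000000"
)

# Runs of four or more printable UTF-16LE code units (ASCII byte followed by 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def carve_utf16_names(data: bytes, base: int):
    """Return (absolute offset, string) for each printable UTF-16LE run in data.

    In the dump the copied name is preceded by a 16-bit byte length (0x2A for
    'helloworld - Copy.doc'); when that length byte is itself printable it is
    carved along with the name (the '*' in the ASCII column), so a leading
    character whose code equals the byte length of the rest is dropped (heuristic).
    """
    names = []
    for m in UTF16_RUN.finditer(data):
        text = m.group().decode("utf-16-le")
        start = base + m.start()
        if len(text) > 1 and ord(text[0]) == 2 * (len(text) - 1):
            text, start = text[1:], start + 2  # drop the carved length prefix
        names.append((start, text))
    return names

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_filetimes(data: bytes, base: int, offset: int, count: int = 4):
    """Decode `count` consecutive little-endian 64-bit FILETIMEs (100 ns ticks
    since 1601-01-01 UTC) starting at absolute offset `offset`."""
    ticks = struct.unpack_from("<%dQ" % count, data, offset - base)
    return [FILETIME_EPOCH + timedelta(microseconds=t // 10) for t in ticks]

if __name__ == "__main__":
    for off, name in carve_utf16_names(SAMPLE, BASE):
        print("0x%07X  %s" % (off, name))
    # The four timestamps of the record (assumed MACE set) start at 0x0750B70.
    for ts in decode_filetimes(SAMPLE, BASE, 0x0750B70):
        print(ts.isoformat())
```

Run against a full image, the same two functions can be pointed at any metadata block by changing BASE and the timestamp offset.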

A little further down in the metadata block the filename can be found again (shown below).

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000750F60  00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 03 00 00 00 00 00 00 00  ..(.(... ..€....................

000750F80  00 00 00 00 00 00 00 00 0C 00 1C 00 73 00 61 00 79 00 69 00 74 00 61 00 67 00 61 00 69 00 6E 00  ............s.a.y.i.t.a.g.a.i.n.

000750FA0  2E 00 64 00 6F 00 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ..d.o.c.........................


The file pointer, found at offset 0x0750CF8, points to offset 0x07C0000. The original file's content is still present at offset 0x07B0000, and the content found at 0x07C0000 is identical to it, reading "helloworld".