When the file was renamed, all of the metadata blocks, with the
exception of the first one at offset 0x0750000, were identical to those of the
majority of the other tested drives. The byte that differed was the one
at offset 0x0750008. As on all the ReFS drives that had modifications, it was
set to 16, rather than 0D as the original file was set to.
The majority of the changes in the hexadecimal of this file were
found where the file name is stored. The block before the file was renamed
is shown first below, followed by the block after it has
been renamed.
It can be seen that an extra filename entry has been added. MACE
times are highlighted in green and the original file names are highlighted in
blue. The modified/new filename is highlighted in orange.
Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000750600  00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ............h.e.l.l.o.w.o.r.l.d.
000750620  2E 00 64 00 6F 00 63 00 40 04 00 00 10 00 20 00 08 00 30 00 10 04 00 00 30 00 01 00 68 00 65 00  ..d.o.c.@..... ...0.....0...h.e.
000750640  6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 64 00 6F 00 63 00 A8 00 00 00 28 00 01 00  l.l.o.w.o.r.l.d...d.o.c.¨...(...
000750660  00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................
000750680  15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01  ...o.+Ð....o.+Ð....o.+Ð....o.+Ð.
0007506A0  20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00  .......................+Oúû....

000750600  00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ............h.e.l.l.o.w.o.r.l.d.
000750620  2E 00 64 00 6F 00 63 00 50 00 00 00 10 00 18 00 04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00  ..d.o.c.P.........(.(... ......
000750640  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00  ............................h.e.
000750660  6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 64 00 6F 00 63 00 50 04 00 00 10 00 2A 00  l.l.o.w.o.r.l.d...d.o.c.P.....*.
000750680  00 00 40 00 10 04 00 00 30 00 01 00 66 00 72 00 65 00 65 00 70 00 69 00 7A 00 7A 00 61 00 66 00  ..@.....0...f.r.e.e.p.i.z.z.a.f.
0007506A0  6F 00 72 00 61 00 6C 00 6C 00 2E 00 64 00 6F 00 63 00 00 00 00 00 00 00 A8 00 00 00 28 00 01 00  o.r.a.l.l...d.o.c.......¨...(...
0007506C0  00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................
0007506E0  24 2F 27 6F 7F 2B D0 01 24 2F 27 6F 7F 2B D0 01 D6 C2 A3 B4 87 2B D0 01 24 2F 27 6F 7F 2B D0 01  $/'o.+Ð.$/'o.+Ð.ö⣴+Ð.$/'o.+Ð.
000750700  20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00  .......................+Oúû....
All the other data that came underneath the original "helloworld"
entries appears simply to have been pushed down, the new file name having
been inserted above it.
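The MACE rows and the inserted name entry in the two dumps above can be decoded directly from their bytes. The Python below is an added example, not part of the original analysis; it assumes the four 8-byte MACE values are Windows FILETIMEs (little-endian, 100 ns ticks since 1601-01-01 UTC), and its function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Bytes copied from the dumps above.
# MACE row before the rename (offset 0x750680) and after it (offset 0x7506E0).
BEFORE_MACE = ("15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01 "
               "15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01")
AFTER_MACE = ("24 2F 27 6F 7F 2B D0 01 24 2F 27 6F 7F 2B D0 01 "
              "D6 C2 A3 B4 87 2B D0 01 24 2F 27 6F 7F 2B D0 01")
# Rows 0x750680-0x7506A0 after the rename, holding the inserted name entry.
AFTER_NAME = ("00 00 40 00 10 04 00 00 30 00 01 00 66 00 72 00 65 00 65 00 "
              "70 00 69 00 7A 00 7A 00 61 00 66 00 6F 00 72 00 61 00 6C 00 "
              "6C 00 2E 00 64 00 6F 00 63 00 00 00 00 00 00 00 "
              "A8 00 00 00 28 00 01 00")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetimes(hex_row):
    """Read each 8-byte little-endian value in the row as a FILETIME.
    Assumption: the MACE fields use the standard Windows FILETIME encoding."""
    raw = bytes.fromhex(hex_row)
    stamps = []
    for i in range(0, len(raw) - 7, 8):
        ticks = int.from_bytes(raw[i:i + 8], "little")
        stamps.append(FILETIME_EPOCH + timedelta(microseconds=ticks // 10))
    return stamps

def odd_slots(hex_row):
    """Indexes of timestamps in the row that differ from the first one."""
    stamps = filetimes(hex_row)
    return [i for i, t in enumerate(stamps) if t != stamps[0]]

def utf16_names(hex_row, min_chars=4):
    """Carve runs of printable ASCII stored as UTF-16LE (char, 0x00 pairs)."""
    raw = bytes.fromhex(hex_row)
    pattern = rb"(?:[\x21-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, raw)]

if __name__ == "__main__":
    for label, row in (("before", BEFORE_MACE), ("after", AFTER_MACE)):
        print(label, [t.isoformat() for t in filetimes(row)])
        print(label, "slots differing from the first:", odd_slots(row))
    after = filetimes(AFTER_MACE)
    print("third value is later than the others by", after[2] - after[0])
    print("names in inserted entry:", utf16_names(AFTER_NAME))
```

Under that assumption, the four values before the rename are identical, while after the rename only the third 8-byte value differs, by a little under an hour.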
The new filename is found one more time in the hexadecimal, just
below the content described above. It can be seen in the block below,
highlighted in orange.
Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000750AC0  00 00 00 00 00 00 00 00 60 00 00 00 10 00 18 00 00 00 28 00 38 00 00 00 20 00 00 80 00 00 00 00  ........`.........(.8... ......
000750AE0  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 26 00 66 00 72 00  ..........................&.f.r.
000750B00  65 00 65 00 70 00 69 00 7A 00 7A 00 61 00 66 00 6F 00 72 00 61 00 6C 00 6C 00 2E 00 64 00 6F 00  e.e.p.i.z.z.a.f.o.r.a.l.l...d.o.
000750B20  63 00 4C 01 A0 F8 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  c.L. Ø........................