
.doc File Rename

When the file was renamed, all of the metadata blocks, with the exception of the first one at offset 0x0750000, were identical to the majority of the other tested drives. The byte that differed was the one at offset 0x0750008. As on all the ReFS drives that had modifications, this was set to 16, rather than the 0D that the original file was set to.

The majority of the changes in the hexadecimal of this file were found where the file name is stored. The block as it was before the file was renamed is shown first below, and underneath it is the block after the rename.

It can be seen that an extra filename entry has been added. MACE times are highlighted in green and the original file names are highlighted in blue. The modified/new filename is highlighted in orange.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000750600  00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ............h.e.l.l.o.w.o.r.l.d.

000750620  2E 00 64 00 6F 00 63 00 40 04 00 00 10 00 20 00 08 00 30 00 10 04 00 00 30 00 01 00 68 00 65 00  ..d.o.c.@..... ...0.....0...h.e.

000750640  6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 64 00 6F 00 63 00 A8 00 00 00 28 00 01 00  l.l.o.w.o.r.l.d...d.o.c...(...

000750660  00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

000750680  15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01  ...o.+Ð....o.+Ð....o.+Ð....o.+Ð.

0007506A0  20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00  .......................+Oúû....

 

 

000750600  00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ............h.e.l.l.o.w.o.r.l.d.

000750620  2E 00 64 00 6F 00 63 00 50 00 00 00 10 00 18 00 04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00  ..d.o.c.P.........(.(... ..€....

000750640  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00  ............................h.e.

000750660  6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 64 00 6F 00 63 00 50 04 00 00 10 00 2A 00  l.l.o.w.o.r.l.d...d.o.c.P.....*.

000750680  00 00 40 00 10 04 00 00 30 00 01 00 66 00 72 00 65 00 65 00 70 00 69 00 7A 00 7A 00 61 00 66 00  ..@.....0...f.r.e.e.p.i.z.z.a.f.

0007506A0  6F 00 72 00 61 00 6C 00 6C 00 2E 00 64 00 6F 00 63 00 00 00 00 00 00 00 A8 00 00 00 28 00 01 00  o.r.a.l.l...d.o.c.......¨...(...

0007506C0  00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

0007506E0  24 2F 27 6F 7F 2B D0 01 24 2F 27 6F 7F 2B D0 01 D6 C2 A3 B4 87 2B D0 01 24 2F 27 6F 7F 2B D0 01  $/'o.+Ð.$/'o.+Ð.ö⣴‡+Ð.$/'o.+Ð.

000750700  20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00   .......................+Oúû....

 

All the other data that came underneath the original "helloworld" entries appears simply to have been pushed down by the new file name inserted above it.

The new filename is found one more time in the hexadecimal, just below the content described above. It can be seen in the block below, highlighted in orange.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000750AC0  00 00 00 00 00 00 00 00 60 00 00 00 10 00 18 00 00 00 28 00 38 00 00 00 20 00 00 80 00 00 00 00  ........`.........(.8... ..€....

000750AE0  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 26 00 66 00 72 00  ..........................&.f.r.

000750B00  65 00 65 00 70 00 69 00 7A 00 7A 00 61 00 66 00 6F 00 72 00 61 00 6C 00 6C 00 2E 00 64 00 6F 00  e.e.p.i.z.z.a.f.o.r.a.l.l...d.o.

000750B20  63 00 4C 01 A0 F8 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  c.LØŸŸ........................
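
As an added example (not part of the original write-up), the Python below re-parses rows copied from the after-rename dump, locates the UTF-16LE file names by absolute offset, and decodes the four 8-byte values in row 0x7506E0 next to the matching row from the before-rename dump. It assumes those values are the MACE times and that they are stored as little-endian Windows FILETIME; the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Rows 0x750640-0x7506FF copied from the after-rename dump (ASCII column dropped).
AFTER = """\
000750640  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00
000750660  6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 64 00 6F 00 63 00 50 04 00 00 10 00 2A 00
000750680  00 00 40 00 10 04 00 00 30 00 01 00 66 00 72 00 65 00 65 00 70 00 69 00 7A 00 7A 00 61 00 66 00
0007506A0  6F 00 72 00 61 00 6C 00 6C 00 2E 00 64 00 6F 00 63 00 00 00 00 00 00 00 A8 00 00 00 28 00 01 00
0007506C0  00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0007506E0  24 2F 27 6F 7F 2B D0 01 24 2F 27 6F 7F 2B D0 01 D6 C2 A3 B4 87 2B D0 01 24 2F 27 6F 7F 2B D0 01
"""
# Timestamp row copied from the before-rename dump.
BEFORE = "000750680  15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01 15 00 0D 6F 7F 2B D0 01"

def parse_rows(dump):
    """Return (base_offset, bytes) for contiguous 'offset  32 hex bytes' rows."""
    rows = [line.split() for line in dump.strip().splitlines()]
    data = b"".join(bytes.fromhex("".join(r[1:33])) for r in rows)
    return int(rows[0][0], 16), data

def filetime(raw):
    # Assumption: 8-byte little-endian FILETIME, 100 ns ticks since 1601-01-01 UTC.
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def timestamps(dump, offset):
    """Decode four consecutive 64-bit timestamps starting at an absolute offset."""
    base, data = parse_rows(dump)
    start = offset - base
    return [filetime(data[start + i:start + i + 8]) for i in range(0, 32, 8)]

def utf16_names(dump, min_chars=4):
    """Find runs of printable ASCII stored as UTF-16LE, with absolute offsets."""
    base, data = parse_rows(dump)
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(base + m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]

if __name__ == "__main__":
    for off, name in utf16_names(AFTER):
        print(f"{off:#x}  {name}")
    pairs = zip(timestamps(BEFORE, 0x750680), timestamps(AFTER, 0x7506E0))
    for i, (b, a) in enumerate(pairs):
        print(i, b.isoformat(), "->", a.isoformat(), "delta", a - b)
```

Only the third of the four values in the after-rename row differs from its neighbours; which MACE field each position holds is not stated on this page, so the script reports them by index.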