
Adding Content

Multiple files, one at a time, on different test drives, were added in this section to test how the file system would change. The table below contains the relevant information taken from the section introduction earlier. This table shows that the file system seemed to behave differently when dealing with the .txt file compared to the .doc and .exe files.

| Metadata Block Offset | Starting Bytes | hellofolder | Eighth Byte | .txt Added to Folder | Eighth Byte | .doc Added to Folder | Eighth Byte | .exe Added to Folder | Eighth Byte | Identical? |
|---|---|---|---|---|---|---|---|---|---|---|
| 0x0750000 | 94 01 | | 0A | hellofolder | 16 | hellofolder | 16 | hellofolder | 15 | |
| 0x0754000 | 95 01 | hellofolder | 0D | hellofolder | 0D | hellofolder | 0D | hellofolder | 16 | * |
| 0x0758000 | 96 01 | hellofolder | 0E | hellofolder | 0E | hellofolder | 0E | hellofolder | 0E | |
| 0x075C000 | 97 01 | New folder | 0C | New folder | 0C | New folder | 0C | New folder | 0C | |
| 0x07B0000 | AC 01 | New folder | 0C | hellofolder | 15 | hellofolder | 15 | hellofolder | 15 | |
| 0x07B4000 | AD 01 | hellofolder | 0D | hellofolder | 0D | hellofolder | 0D | hellofolder | 0D | |
| 0x07B8000 | AE 01 | | | hellofolder | 16 | hellofolder | 15 | hellofolder | 15 | |
| 0x07BC000 | AF 01 | | | | | hellofolder | 15 | hellofolder | 15 | |
| 0x07C0000 | B0 01 | | | | | hellofolder | 16 | hellofolder | 15 | |




The metadata block at offset 0x0750000 is the same on the drives with the added .txt and .doc files (ignoring MACE times) but has one difference on the drive where the .exe file was added: the eighth byte. The .exe drive is also similar at offset 0x0754000, where the only difference is the byte at offset 0x08, which is set to 16 rather than 0D.

After a file had been added to the file system, it appeared in a metadata block at offset 0x07B0000. This block was identical on each of the drives with a file added, with the exception of the file extension and the MACE times. The folder name in this metadata block is "hellofolder", but on the original drive it was set to "New folder".

.txt File Added

A .txt file was added within the original folder ("hellofolder"). The file was named "secretdocument.txt" with the content "hide this info". This makes the file size 14 bytes with a filename length of 14 bytes too, or 18 if the file extension is included. The filename was found at two different offsets in the file system, in blocks beginning at offsets 0x07B0000 and 0x07B8000. The metadata block at the former offset was identical on all the drives with an added document (ignoring the MACE times) but the latter was different for the .txt file only.

The metadata block was largely the same as the others, but for the .txt file there were three entries of the filename in this one block. The blocks below show this. The file names are highlighted in blue.

.doc drive

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

0007B8560  58 00 00 00 10 00 18 00 04 00 28 00 30 00 00 00 20 00 00 80 00 00 00 00 03 07 00 00 00 00 00 00  X.........(.0... ..€............

0007B8580  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 24 00 73 00 65 00 63 00 72 00 65 00 74 00  ..................$.s.e.c.r.e.t.

0007B85A0  64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 64 00 6F 00 63 00 48 04 00 00 10 00 28 00  d.o.c.u.m.e.n.t...d.o.c.H.....(.

0007B85C0  0C 00 38 00 10 04 00 00 30 00 01 00 73 00 65 00 63 00 72 00 65 00 74 00 64 00 6F 00 63 00 75 00  ..8.....0...s.e.c.r.e.t.d.o.c.u.

0007B85E0  6D 00 65 00 6E 00 74 00 2E 00 64 00 6F 00 63 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00  m.e.n.t...d.o.c...(...........

0007B8600  10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E1 3E 02 85 8E 2B D0 01  ........................á>.…Ž+Ð.

0007B8620  E1 3E 02 85 8E 2B D0 01 E1 3E 02 85 8E 2B D0 01 E1 3E 02 85 8E 2B D0 01 20 00 00 00 00 00 00 00  á>.…Ž+Ð.á>.…Ž+Ð.á>.…Ž+Ð. .......

0007B8640  03 07 00 00 00 00 00 00 01 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00 00 00 00 00 00 00 00 00  ................+Oúû............

 

.txt drive

0007B8560  58 00 00 00 10 00 18 00 04 00 28 00 30 00 00 00 20 00 00 80 00 00 00 00 03 07 00 00 00 00 00 00  X.........(.0... ..€............

0007B8580  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 24 00 73 00 65 00 63 00 72 00 65 00 74 00  ..................$.s.e.c.r.e.t.

0007B85A0  64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 74 00 78 00 74 00 58 00 00 00 10 00 18 00  d.o.c.u.m.e.n.t...t.x.t.X.......

0007B85C0  00 00 28 00 30 00 00 00 20 00 00 80 00 00 00 00 03 07 00 00 00 00 00 00 02 00 00 00 00 00 00 00  ..(.0... ..€....................

0007B85E0  00 00 00 00 00 00 00 00 0C 00 24 00 73 00 65 00 63 00 72 00 65 00 74 00 64 00 6F 00 63 00 75 00  ..........$.s.e.c.r.e.t.d.o.c.u.

0007B8600  6D 00 65 00 6E 00 74 00 2E 00 74 00 78 00 74 00 48 04 00 00 10 00 28 00 08 00 38 00 10 04 00 00  m.e.n.t...t.x.t.H.....(...8.....

0007B8620  30 00 01 00 73 00 65 00 63 00 72 00 65 00 74 00 64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00  0...s.e.c.r.e.t.d.o.c.u.m.e.n.t.

0007B8640  2E 00 74 00 78 00 74 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00  ..t.x.t...(...................

0007B8660  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 F6 4E 0B 8E 2B D0 01 80 F6 4E 0B 8E 2B D0 01  ................€öN.Ž+Ð.€öN.Ž+Ð.

0007B8680  80 F6 4E 0B 8E 2B D0 01 80 F6 4E 0B 8E 2B D0 01 20 00 00 00 00 00 00 00 03 07 00 00 00 00 00 00  €öN.Ž+Ð.€öN.Ž+Ð. ...............

0007B86A0  02 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00 0E 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ........+Oúû....................

0007B86C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

0007B86E0  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 A0 01 00 00 D4 00 00 00 00 02 00 00  ................ ... ...Ô.......

0007B8700  74 02 00 00 01 00 00 00 78 02 00 00 00 00 00 00 80 01 00 00 10 00 0E 00 08 00 20 00 60 01 00 00  t.......x.......€......... .`...

0007B8720  60 01 00 00 00 00 00 00 80 00 00 00 00 00 00 00 88 00 00 00 28 00 01 00 01 00 00 00 20 01 00 00  `.......€.......ˆ...(....... ...

0007B8740  20 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ...............................

0007B8760  00 00 00 00 00 00 01 00 00 00 00 00 0E 00 00 00 00 00 00 00 0E 00 00 00 00 00 00 00 00 00 00 00  ................................

0007B8780  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

0007B87A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 50 00 00 00  ........................ ...P...

0007B87C0  84 00 00 00 00 02 00 00 D4 00 00 00 01 00 00 00 D8 00 00 00 00 00 00 00 30 00 00 00 10 00 10 00  „.......Ô.......Ø.......0.......

0007B87E0  00 00 10 00 20 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 01 00 00 00 00 00 00  .... ...................°.......

 

Further down in this metadata block on the drive with the .txt file, the file pointer and the file size were found. The pointer is highlighted in red and the file size is highlighted in purple. The content of the file is "hide this info", which is 14 bytes in decimal and 0E when converted into hexadecimal. The file pointer B0 01 converts to 7C0000. The file content is shown below.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

0007C0000  68 69 64 65 20 74 68 69 73 20 69 6E 66 6F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  hide this info..................

 

Upon further investigation it can be seen that the drives with the .doc and .exe files added have this same metadata block at offset 0x07C0000 and it was just on the drive with the .txt file that it appeared two metadata blocks later.

.exe File Added

This experiment was performed by adding an .exe file into the original folder ("hellofolder"). The file was named "secretdocument.exe", with no content in the file. The filename was found in metadata blocks at offsets 0x07B0000, 0x07B8000, 0x07BC000 and 0x07C0000. The final one was the same format as the one at 0x07B8000 on the drive with the .txt file.

Both the first metadata block where the filename was found and the one at offset 0x07B4000 were common across all the drives with a file added. The only differences between the three were the MACE times and the file extension.

The final three offsets identified with the filename did not have any content on the original drive. The metadata blocks at 0x07B8000 and 0x07BC000 were very similar to the same offsets on the drive with the .exe.

The final one, at offset 0x07C0000, was of particular interest. The .exe file didn't have any contents, so it was interesting to see if there was still a pointer which would be pointing to an address with no contents. This was not the case. There was no pointer and no byte could be identified as the file size (because the file size was 0, the byte would be 00, thus not recognisable).

.doc File Added

A .doc file was also added to the original drive within the "hellofolder" folder. The file was named "secretdocument.doc" and also had the content "hide this info". This was exactly like the .txt file, just a different file type. The filename was found four times in the file system, in blocks beginning at offsets 0x07B0000, 0x07B8000, 0x07BC000 and 0x07C0000. Each of the metadata blocks at these offsets was similar to those on the drives with a .txt and .exe file added.

The final metadata block was different though. In this one, at offset 0x07C0000, like the one at the same position on the drive with the .txt section, the filename length and the file pointer could be identified. The filename length was the same again, but the file pointer was different, this time being set to B4 01, which pointed at 0x07D0000. The content was identical to that of the .txt file; it was just in a different position to that on the .txt drive.
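
How the two-byte values map to offsets, as an added example that is not part of the original page: reading the bytes as a little-endian number, multiplying by 0x4000 and adding 0x100000 reproduces every offset in the table as well as the B0 01 and B4 01 file pointers. Both constants are assumptions fitted to the page's values, the function names are hypothetical, and the image is a constructed stand-in for the .txt drive.

```python
import io
import struct

BLOCK_SIZE = 0x4000     # assumption: spacing fitted to the offsets in the table
BASE_OFFSET = 0x100000  # assumption: constant fitted to the same table values

# (starting bytes, metadata block offset) pairs copied from the table on this page
TABLE_ROWS = [
    ("94 01", 0x0750000), ("95 01", 0x0754000), ("96 01", 0x0758000),
    ("97 01", 0x075C000), ("AC 01", 0x07B0000), ("AD 01", 0x07B4000),
    ("AE 01", 0x07B8000), ("AF 01", 0x07BC000), ("B0 01", 0x07C0000),
]


def pointer_to_offset(hex_bytes: str) -> int:
    """Read two bytes as a little-endian block number and scale to an image offset."""
    (block_number,) = struct.unpack("<H", bytes.fromhex(hex_bytes))
    return BASE_OFFSET + block_number * BLOCK_SIZE


def mismatches() -> list:
    """Return the table rows the fitted formula fails to reproduce."""
    return [(b, off) for b, off in TABLE_ROWS if pointer_to_offset(b) != off]


def read_file(image, pointer_hex: str, size: int) -> bytes:
    """Follow a file pointer and read `size` bytes of content from the image."""
    image.seek(pointer_to_offset(pointer_hex))
    return image.read(size)


def constructed_image() -> io.BytesIO:
    """Constructed stand-in for the .txt drive: zeros plus the file content."""
    img = io.BytesIO()
    img.seek(0x07C0000)
    img.write(b"hide this info")
    return img


if __name__ == "__main__":
    print("rows not explained by the formula:", mismatches())
    print("B0 01 ->", hex(pointer_to_offset("B0 01")))
    print("B4 01 ->", hex(pointer_to_offset("B4 01")))
    print(read_file(constructed_image(), "B0 01", 0x0E))
```
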