| Metadata Block Offset | Starting Bytes | hellofolder | Eighth Byte (hellofolder) | Copy Folder | Eighth Byte (Copy Folder) | Identical? |
|---|---|---|---|---|---|---|
| 0x0750000 | 94 01 | | 0A | hellofolder | 15 | |
| 0x0754000 | 95 01 | hellofolder | 0D | hellofolder | 15 | |
| 0x0758000 | 96 01 | hellofolder | 0E | hellofolder | 0E | ✔ |
| 0x075C000 | 97 01 | New folder | 0C | New folder | 0C | ✔ |
| 0x07B0000 | AC 01 | New folder | 0C | hellofolder | 15 | |
| 0x07B4000 | AD 01 | hellofolder | 0D | hellofolder | 0D | ✔ |
| 0x07C0000 | B0 01 | | | repeatthatplease | 15 | |

The next experiment was copying the folder. The copied folder was named "repeatthatplease" and was copied to the same directory the original resided in. The table above shows the differences between the metadata blocks in the original file system and the metadata blocks after the folder had been copied. Only three of the blocks stayed the same after the folder was copied, and in every block that changed the eighth byte was set to 15.

At offset 0x0750000 an entry for "hellofolder" was created and was placed underneath the entry for Recycle Bin. It changed in exactly the same way as when the folder was renamed; there are very few differences between these two blocks.

The differences between the metadata entries at 0x0754000 are shown in the table below. The table does not include the addition of the new folder name or the modifications of the MACE times, all of which were changed except for the Created time.

| Offset | Without Copy | After Copying |
|---|---|---|
| 0x0754008 | 0D | 15 |
| 0x0754050 | 03 | 04 |
| 0x075411C | 38 | B8 |
| 0x0754120 | 3C 30 | B8 2F |
| 0x0754128 | 74 | 70 |
| 0x075412C | 03 | 04 |

In the hex dump below, the entry for the new folder can be seen. Highlighted in orange is all the data that remained the same after the folder name change. Underneath that is where the new folder name appears (blue) and the MACE times of that (green).

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000754560 78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02 00 24 00 52 00 45 00 43 00 59 00 43 00  x.........0.H...0...$.R.E.C.Y.C.
000754580 4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00  L.E...B.I.N.....................
0007545A0 86 98 ED 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01  †˜íF}+Ð.m6ðF}+Ð.m6ðF}+Ð.m6ðF}+Ð.
0007545C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 78 00 00 00 10 00 1A 00  ........................x.......
0007545E0 00 00 30 00 48 00 00 00 30 00 02 00 68 00 65 00 6C 00 6C 00 6F 00 66 00 6F 00 6C 00 64 00 65 00  ..0.H...0...h.e.l.l.o.f.o.l.d.e.
000754600 72 00 00 00 00 00 00 00 03 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 CB 15 9F 7D 2B D0 01  r........................Ë.Ÿ}+Ð.
000754620 10 CB 15 9F 7D 2B D0 01 10 CB 15 9F 7D 2B D0 01 10 CB 15 9F 7D 2B D0 01 00 00 00 00 00 00 00 00  .Ë.Ÿ}+Ð..Ë.Ÿ}+Ð..Ë.Ÿ}+Ð.........
000754640 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 80 00 00 00 10 00 24 00 00 00 38 00 48 00 00 00  ................€.....$...8.H...
000754660 30 00 02 00 72 00 65 00 70 00 65 00 61 00 74 00 74 00 68 00 61 00 74 00 70 00 6C 00 65 00 61 00  0...r.e.p.e.a.t.t.h.a.t.p.l.e.a.
000754680 73 00 65 00 00 00 00 00 04 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 3A A1 69 91 2B D0 01  s.e.....................°:¡i‘+Ð.
0007546A0 10 CB 15 9F 7D 2B D0 01 B0 3A A1 69 91 2B D0 01 B0 3A A1 69 91 2B D0 01 00 00 00 00 00 00 00 00  .Ë.Ÿ}+Ð.°:¡i‘+Ð.°:¡i‘+Ð.........
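
Added example, not code from the original post: a Python parser that walks the three entries in the hex dump above and decodes each folder name and its four 8-byte time values as Windows FILETIMEs. The field positions it uses (entry length at +0x00, key offset and length at +0x04 and +0x06, value offset at +0x0A, the four times starting 0x10 bytes into the value) are assumptions read off this dump, not a documented ReFS layout.

```python
import struct
from datetime import datetime, timedelta, timezone

# Bytes 0x754560-0x7546BF, copied from the hex dump in the post (32 bytes per row).
DUMP_BASE = 0x754560
DUMP = bytes.fromhex("""
78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02 00 24 00 52 00 45 00 43 00 59 00 43 00
4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00
86 98 ED 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 78 00 00 00 10 00 1A 00
00 00 30 00 48 00 00 00 30 00 02 00 68 00 65 00 6C 00 6C 00 6F 00 66 00 6F 00 6C 00 64 00 65 00
72 00 00 00 00 00 00 00 03 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 CB 15 9F 7D 2B D0 01
10 CB 15 9F 7D 2B D0 01 10 CB 15 9F 7D 2B D0 01 10 CB 15 9F 7D 2B D0 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 80 00 00 00 10 00 24 00 00 00 38 00 48 00 00 00
30 00 02 00 72 00 65 00 70 00 65 00 61 00 74 00 74 00 68 00 61 00 74 00 70 00 6C 00 65 00 61 00
73 00 65 00 00 00 00 00 04 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 3A A1 69 91 2B D0 01
10 CB 15 9F 7D 2B D0 01 B0 3A A1 69 91 2B D0 01 B0 3A A1 69 91 2B D0 01 00 00 00 00 00 00 00 00
""")

def filetime(raw):
    """Convert a little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = struct.unpack("<Q", raw)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_entries(buf, base=DUMP_BASE):
    """Return (absolute offset, folder name, [times]) for each entry in buf."""
    entries, pos = [], 0
    while pos + 0x10 <= len(buf):
        # Assumed header, inferred from the dump: u32 length, u16 key offset,
        # u16 key length, u16 (unknown), u16 value offset.
        length, key_off, key_len, _, val_off = struct.unpack_from("<IHHHH", buf, pos)
        if length == 0:
            break
        key = buf[pos + key_off : pos + key_off + key_len]
        name = key[4:].decode("utf-16-le", errors="replace")  # skip 30 00 02 00
        t0 = pos + val_off + 0x10          # first of the four time values
        times = [filetime(buf[t0 + 8 * i : t0 + 8 * i + 8])
                 for i in range(4) if t0 + 8 * i + 8 <= len(buf)]  # tolerate a cut-off dump
        entries.append((base + pos, name, times))
        pos += length
    return entries

if __name__ == "__main__":
    for offset, name, times in parse_entries(DUMP):
        print(f"{offset:#09x} {name}")
        for t in times:
            print("    ", t.isoformat())
```

In the decoded output, the "repeatthatplease" entry carries one time value identical to the "hellofolder" entry's and three later ones.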

Originally at offset 0x07B0000 was an entry for "New folder" which wasn't the folder in use by the file system; the folder name in use was "hellofolder". Renaming the folder caused the metadata block to replace the original entry with "hellofolder".

Other than the folder name change, there are only five bytes that change. One of these bytes (at offset 0x07B034C) is the length of the folder name; 0A (decimal 10) being replaced with 0B (11). These numbers match up to the respective length of "New folder" and "hellofolder".

The final offset identified is the one at 0x07C0000. Previously there was no data at this offset, but with the folder name being changed a new entry has been created. The block is very similar to the one at offset 0x07B4000 which contains just an entry for "hellofolder". There are no differences between the blocks here that stand out, such as the folder name length and a pointer.