
Copy .txt File


| Metadata Block Offset | Starting Bytes | helloworld.txt | | Copy File | |
|---|---|---|---|---|---|
| 0x0750000 | 94 01 | Identical | 11 | Identical | 11 |
| 0x0754000 | 95 01 | | 0E | | 18 |
| 0x0758000 | 96 01 | Identical | 0F | Identical | 0F |
| 0x075C000 | 97 01 | Identical | 10 | Identical | 10 |
| 0x07B0000 | AC 01 | * File Contents - not metadata | | | |
| 0x07C0000 | B0 01 | No Data | | Copied content | |


The metadata blocks at offsets 0x0750000, 0x0758000 and 0x075C000 are identical to the blocks on the original drive, before any actions were performed on the .txt file. The only offsets identified in the table at the beginning of the section that differed were 0x0754000 and 0x07C0000, the latter being where the content was copied to.

The first change to the metadata block found at offset 0x0754000 was at 0x075411C. The changes are shown below (the top dump is the original drive, the bottom dump is the drive after the file was copied). Originally these two bytes (highlighted in red) were set to A0 09, but after the file was copied they changed to 90 0E. The MACE time changes are highlighted in green and other miscellaneous changes in orange.

Offset(h)   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000754100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 A0 09 00 00  ........................ ... ...

000754120  20 2C 00 00 00 02 00 00 70 35 00 00 04 00 00 00 80 35 00 00 00 00 00 00 28 04 00 00 10 00 04 00  ,......p5......€5......(.......

000754140  08 00 18 00 10 04 00 00 10 00 00 00 00 00 00 00 A8 00 00 00 28 00 01 00 01 00 00 00 10 01 00 00  ................¨...(...........

000754160  10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EA 72 29 55 33 24 D0 01  ........................êr)U3$Ð.

000754180  E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 10 00 00 00 00 00 00 00  à?ä.|+Ð.à?ä.|+Ð.à?ä.|+Ð.........

0007541A0  00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 74 C5 C1 01 00 00 00 00 00 00 00 00 00 00 00  ................¬tåá............

 

Drive after .doc copied

000754100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 90 0E 00 00  ........................ .......

000754120  88 27 00 00 00 02 00 00 68 35 00 00 06 00 00 00 80 35 00 00 00 00 00 00 28 04 00 00 10 00 04 00  ˆ'......h5......€5......(.......

000754140  08 00 18 00 10 04 00 00 10 00 00 00 00 00 00 00 A8 00 00 00 28 00 01 00 01 00 00 00 10 01 00 00  ................¨...(...........

000754160  10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EA 72 29 55 33 24 D0 01  ........................êr)U3$Ð.

000754180  E0 5C 09 E0 80 2B D0 01 E0 5C 09 E0 80 2B D0 01 E0 5C 09 E0 80 2B D0 01 10 00 00 00 00 00 00 00  à\.à€+Ð.à\.à€+Ð.à\.à€+Ð.........

0007541A0  00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 74 C5 C1 01 00 00 00 00 00 00 00 00 00 00 00  ................¬tåá............
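
The byte-level comparison above can be reproduced mechanically. The following is an added example, not part of the original analysis: it diffs three rows taken from the two dumps above and decodes the changed 8-byte values, assuming the MACE times are stored as little-endian Windows FILETIME values. The function names are illustrative.

```python
import struct
from datetime import datetime, timedelta, timezone

# Rows taken from the two dumps on this page (ASCII column omitted).
ORIGINAL = """
000754100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 A0 09 00 00
000754120  20 2C 00 00 00 02 00 00 70 35 00 00 04 00 00 00 80 35 00 00 00 00 00 00 28 04 00 00 10 00 04 00
000754180  E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 10 00 00 00 00 00 00 00
"""
AFTER_COPY = """
000754100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 90 0E 00 00
000754120  88 27 00 00 00 02 00 00 68 35 00 00 06 00 00 00 80 35 00 00 00 00 00 00 28 04 00 00 10 00 04 00
000754180  E0 5C 09 E0 80 2B D0 01 E0 5C 09 E0 80 2B D0 01 E0 5C 09 E0 80 2B D0 01 10 00 00 00 00 00 00 00
"""

def parse_dump(text):
    """Return {absolute offset: byte value} for each 32-byte dump row."""
    image = {}
    for line in text.strip().splitlines():
        fields = line.split()
        base = int(fields[0], 16)
        for i, token in enumerate(fields[1:33]):
            image[base + i] = int(token, 16)
    return image

def changed_runs(before, after):
    """List (start offset, old bytes, new bytes) for each contiguous run of changed bytes."""
    runs = []
    for off in sorted(before.keys() & after.keys()):
        if before[off] == after[off]:
            continue
        if runs and runs[-1][0] + len(runs[-1][1]) == off:
            runs[-1][1].append(before[off])   # extend the current run
            runs[-1][2].append(after[off])
        else:
            runs.append([off, bytearray([before[off]]), bytearray([after[off]])])
    return [(start, bytes(old), bytes(new)) for start, old, new in runs]

def filetime_at(image, offset):
    """Decode 8 bytes as a little-endian FILETIME (assumed encoding of the MACE values)."""
    ticks = struct.unpack("<Q", bytes(image[offset + i] for i in range(8)))[0]
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC.
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

if __name__ == "__main__":
    before, after = parse_dump(ORIGINAL), parse_dump(AFTER_COPY)
    for start, old, new in changed_runs(before, after):
        print(f"0x{start:07X}: {old.hex(' ')} -> {new.hex(' ')}")
    for off in (0x754180, 0x754188, 0x754190):
        print(f"0x{off:07X}: {filetime_at(before, off)} -> {filetime_at(after, off)}")
```

The first run reported is the A0 09 to 90 0E change at 0x075411C described above; the three runs in the 0x0754180 row fall inside the three repeated 8-byte time values.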

 

After this, a little further down, the Modified, Accessed and Entry Modified times associated with the Recycle Bin have changed.

Shown below is the block where "helloworld-Copy.txt" (highlighted in blue) can be seen, followed by an entry for "sayitagain.txt" (highlighted in red) which was what the file was renamed to. Further down there is another entry for "sayitagain.txt" (highlighted in orange). This appears to be on its own with no MACE times associated with it.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000754AC0  04 00 28 00 38 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 03 00 00 00 00 00 00 00  ..(.8... ..€....................

000754AE0  00 00 00 00 00 00 00 00 0C 00 2A 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ..........*.h.e.l.l.o.w.o.r.l.d.

000754B00  20 00 2D 00 20 00 43 00 6F 00 70 00 79 00 2E 00 74 00 78 00 74 00 BA 02 40 04 00 00 10 00 20 00   .-. .C.o.p.y...t.x.t.@..... .

000754B20  00 00 30 00 10 04 00 00 30 00 01 00 73 00 61 00 79 00 69 00 74 00 61 00 67 00 61 00 69 00 6E 00  ..0.....0...s.a.y.i.t.a.g.a.i.n.

000754B40  2E 00 74 00 78 00 74 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00  ..t.x.t...(...................

000754B60  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EA 0A 57 DD 80 2B D0 01 E0 3F C4 2E 7C 2B D0 01  ................ê.WÝ€+Ð.à?ä.|+Ð.

000754B80  E0 5C 09 E0 80 2B D0 01 EA 0A 57 DD 80 2B D0 01 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00  à\.à€+Ð.ê.WÝ€+Ð. ...............

000754BA0  03 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ........+Oúû....................

~~~~~~~~~  ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

000754F40  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 00 10 00 18 00  ........................P.......

000754F60  00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 03 00 00 00 00 00 00 00  ..(.(... ..€....................

000754F80  00 00 00 00 00 00 00 00 0C 00 1C 00 73 00 61 00 79 00 69 00 74 00 61 00 67 00 61 00 69 00 6E 00  ............s.a.y.i.t.a.g.a.i.n.

000754FA0  2E 00 74 00 78 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ..t.x.t.........................

 

Where the tilde sign (~) above has replaced hexadecimal data, the file pointer and the file size of the copied file could be seen. The file pointer is set to B0 01, which points to offset 0x07C0000. This is where the content has been copied to. It is the same offset at which the copied content was placed on the .doc drive. The original file contents remain at offset 0x07B0000, as on all other drives.