| Metadata Block Offset | Starting Bytes | helloworld.txt | | Copy File | |
| --- | --- | --- | --- | --- | --- |
| 0x0750000 | 94 01 | Identical | 11 | Identical | 11 |
| 0x0754000 | 95 01 | | 0E | | 18 |
| 0x0758000 | 96 01 | Identical | 0F | Identical | 0F |
| 0x075C000 | 97 01 | Identical | 10 | Identical | 10 |
| 0x07B0000 | AC 01 | * File Contents - not metadata | | | |
| 0x07C0000 | B0 01 | No Data | | Copied content | |
The metadata blocks at offsets 0x0750000, 0x0758000 and 0x075C000 are identical to the blocks on the original drive, before any actions were performed on the .txt file. The only offsets identified in the table at the beginning of the section that differed were 0x0754000 and 0x07C0000, where content was copied to.
The first change to the metadata block found at offset 0x0754000 was at 0x075411C. The changes are shown below (the top dump is the original drive, the bottom dump is the drive after the file was copied). Originally these two bytes (highlighted in red) were set to A0 09, but after the file had been copied they changed to 90 0E. The MACE time changes are highlighted in green and other miscellaneous changes in orange.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000754100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 A0 09 00 00  ........................ ... ...
000754120 20 2C 00 00 00 02 00 00 70 35 00 00 04 00 00 00 80 35 00 00 00 00 00 00 28 04 00 00 10 00 04 00  ,......p5......5......(.......
000754140 08 00 18 00 10 04 00 00 10 00 00 00 00 00 00 00 A8 00 00 00 28 00 01 00 01 00 00 00 10 01 00 00  ................¨...(...........
000754160 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EA 72 29 55 33 24 D0 01  ........................êr)U3$Ð.
000754180 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 10 00 00 00 00 00 00 00  à?ä.|+Ð.à?ä.|+Ð.à?ä.|+Ð.........
0007541A0 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 74 C5 C1 01 00 00 00 00 00 00 00 00 00 00 00  ................¬tåá............
Drive after .doc copied
000754100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 90 0E 00 00  ........................ .......
000754120 88 27 00 00 00 02 00 00 68 35 00 00 06 00 00 00 80 35 00 00 00 00 00 00 28 04 00 00 10 00 04 00  '......h5......5......(.......
000754140 08 00 18 00 10 04 00 00 10 00 00 00 00 00 00 00 A8 00 00 00 28 00 01 00 01 00 00 00 10 01 00 00  ................¨...(...........
000754160 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EA 72 29 55 33 24 D0 01  ........................êr)U3$Ð.
000754180 E0 5C 09 E0 80 2B D0 01 E0 5C 09 E0 80 2B D0 01 E0 5C 09 E0 80 2B D0 01 10 00 00 00 00 00 00 00  à\.à+Ð.à\.à+Ð.à\.à+Ð.........
0007541A0 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 74 C5 C1 01 00 00 00 00 00 00 00 00 00 00 00  ................¬tåá............
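As an added example (not part of the original analysis), the following Python script repeats the comparison above on the 192 bytes transcribed from the two dumps: it lists every run of changed bytes with its drive offset and decodes the changed 8-byte values as little-endian Windows FILETIMEs. Treating changed, 8-byte-aligned values that fall in the years 2000-2099 as timestamps is an assumption of this example, and the function names are its own.

```python
from datetime import datetime, timedelta, timezone

BASE = 0x754100  # drive offset of the first row; bytes below are transcribed from the dumps above
FT_2000, FT_2100 = 125_911_584_000_000_000, 157_469_184_000_000_000  # FILETIME ticks at 2000 / 2100
ORIGINAL = bytes.fromhex(
    "0000000000000000 0000000000000000 0000000000000000 20000000A0090000"
    "202C000000020000 7035000004000000 8035000000000000 2804000010000400"
    "0800180010040000 1000000000000000 A800000028000100 0100000010010000"
    "1001000002000000 0000000000000000 0000000000000000 EA7229553324D001"
    "E03FC42E7C2BD001 E03FC42E7C2BD001 E03FC42E7C2BD001 1000000000000000"
    "0006000000000000 0000000000000000 AC74C5C101000000 0000000000000000")
COPIED = bytes.fromhex(
    "0000000000000000 0000000000000000 0000000000000000 20000000900E0000"
    "8827000000020000 6835000006000000 8035000000000000 2804000010000400"
    "0800180010040000 1000000000000000 A800000028000100 0100000010010000"
    "1001000002000000 0000000000000000 0000000000000000 EA7229553324D001"
    "E05C09E0802BD001 E05C09E0802BD001 E05C09E0802BD001 1000000000000000"
    "0006000000000000 0000000000000000 AC74C5C101000000 0000000000000000")

def changed_runs(a, b, base=0):
    """Return (offset, old, new) for every contiguous run of differing bytes."""
    diff = [i for i in range(min(len(a), len(b))) if a[i] != b[i]]
    runs = []
    for i in diff:
        if runs and runs[-1][1] == i:   # byte directly follows the previous run
            runs[-1][1] = i + 1
        else:
            runs.append([i, i + 1])
    return [(base + s, a[s:e], b[s:e]) for s, e in runs]

def filetime_to_utc(raw8):
    """Decode 8 little-endian bytes as 100 ns ticks since 1601-01-01 UTC."""
    ticks = int.from_bytes(raw8, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def changed_filetimes(a, b, base=0):
    """Assumption of this example: a changed 8-byte-aligned value in 2000-2099 is a timestamp."""
    out = []
    for off in range(0, min(len(a), len(b)) - 7, 8):
        old, new = a[off:off + 8], b[off:off + 8]
        if old != new and all(FT_2000 <= int.from_bytes(v, "little") < FT_2100 for v in (old, new)):
            out.append((base + off, filetime_to_utc(old), filetime_to_utc(new)))
    return out

if __name__ == "__main__":
    for off, old, new in changed_runs(ORIGINAL, COPIED, BASE):
        print(f"0x{off:07X}: {old.hex(' ')} -> {new.hex(' ')}")
    for off, t0, t1 in changed_filetimes(ORIGINAL, COPIED, BASE):
        print(f"0x{off:07X}: {t0.isoformat()} -> {t1.isoformat()}")
```

The first run reported is the A0 09 to 90 0E change at 0x075411C, and the three changed timestamps sit back to back from 0x0754180.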
After this, a little further down, the Modified, Accessed and Entry Modified times associated with the Recycle Bin have changed.
Shown below is the block where "helloworld-Copy.txt" (highlighted in blue) can be seen, followed by an entry for "sayitagain.txt" (highlighted in red) which was what the file was renamed to. Further down there is another entry for "sayitagain.txt" (highlighted in orange). This appears to be on its own with no MACE times associated with it.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000754AC0 04 00 28 00 38 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 03 00 00 00 00 00 00 00  ..(.8... ......................
000754AE0 00 00 00 00 00 00 00 00 0C 00 2A 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ..........*.h.e.l.l.o.w.o.r.l.d.
000754B00 20 00 2D 00 20 00 43 00 6F 00 70 00 79 00 2E 00 74 00 78 00 74 00 BA 02 40 04 00 00 10 00 20 00  .-. .C.o.p.y...t.x.t.º.@..... .
000754B20 00 00 30 00 10 04 00 00 30 00 01 00 73 00 61 00 79 00 69 00 74 00 61 00 67 00 61 00 69 00 6E 00  ..0.....0...s.a.y.i.t.a.g.a.i.n.
000754B40 2E 00 74 00 78 00 74 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00  ..t.x.t.¨...(...................
000754B60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EA 0A 57 DD 80 2B D0 01 E0 3F C4 2E 7C 2B D0 01  ................ê.WÝ+Ð.à?ä.|+Ð.
000754B80 E0 5C 09 E0 80 2B D0 01 EA 0A 57 DD 80 2B D0 01 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00  à\.à+Ð.ê.WÝ+Ð. ...............
000754BA0 03 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ........+Oúû....................
~~~~~~~~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
000754F40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 00 10 00 18 00  ........................P.......
000754F60 00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 03 00 00 00 00 00 00 00  ..(.(... ......................
000754F80 00 00 00 00 00 00 00 00 0C 00 1C 00 73 00 61 00 79 00 69 00 74 00 61 00 67 00 61 00 69 00 6E 00  ............s.a.y.i.t.a.g.a.i.n.
000754FA0 2E 00 74 00 78 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ..t.x.t.........................
Where the tilde sign (~) above has replaced hexadecimal data, the file pointer and the file size of the copied file could be seen. The file pointer is set to B0 01, which points to offset 0x07C0000. This is where the content has been copied to. It is the same offset that the copied content was placed at on the .doc drive too. The original file contents remain at offset 0x07B0000, as on all other drives.