The table below shows both the changes to the metadata blocks in the file system and the changes to the eighth byte of each of those blocks. Again, each block is at the same position as it was when folders were added to the system, and also the same as when the .doc file was added to the file system.
The top row of the table shows that all the blocks were identical, including MACE times, whereas in the second row each test drive's metadata changes. This is the opposite of the .doc file, where at offset 0x0750000 everything was different and at 0x0758000 everything was the same, which suggests that the way the file system deals with/creates these files is slightly different.
Similar to when the .doc file was created, the file contents begin at offset 0x07B0000, and 0x07C0000 isn't utilised by the majority of drives but is where content or a deleted file reference is moved to. Something which didn't happen on the .doc drive was that this offset was used when the permissions were changed on the .txt file.
| Metadata Block Offset | Starting Bytes | helloworld.txt | Content Changed | Permissions Changed | File Deleted | Shift & Delete | Rename | Copy File |
|---|---|---|---|---|---|---|---|---|
| 0x0750000 | 94 01 | Identical, 11 | Identical, 11 | Identical, 11 | Identical, 11 | Identical, 11 | Identical, 11 | Identical, 11 |
| 0x0754000 | 95 01 | 0E | 18 | 18 | 18 | 18 | 18 | 18 |
| 0x0758000 | 96 01 | Identical, 0F | 18 | 18 | Identical, 0F | Identical, 0F | 18 | Identical, 0F |
| 0x075C000 | 97 01 | Identical, 10 | Identical, 10 | 18 | Identical, 10 | Identical, 10 | Identical, 10 | Identical, 10 |
| 0x07B0000 | AC 01 | * File Contents - not metadata | | | | | | |
| 0x07C0000 | B0 01 | No Data | No Data | Metadata, 19 | File reference | No Data | No Data | Copied content |
Again, as with the .doc file, the file system whose file permissions have been changed differs more from the other drives. At offset 0x075C000 the drive with the permissions changed is the only one that is different, and at the offset where copied data is placed, the test drive for a permission change also has a metadata block in use.
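The comparison behind the table above can be reproduced with a short script. This is an added example, not the author's tooling: it assumes 0x4000-byte blocks (the spacing between the table's offsets), takes the eighth byte as index 7, treats a block as identical when at least one other drive holds the same bytes, and runs on constructed in-memory images rather than the real test drives.

```python
import hashlib
import io
from collections import Counter

# Offsets are the metadata block positions listed in the table above.
OFFSETS = [0x0750000, 0x0754000, 0x0758000, 0x075C000]
BLOCK_SIZE = 0x4000  # assumption: the spacing between consecutive offsets
EIGHTH = 7           # assumption: "eighth byte" counted from one, so index 7

def read_block(image, offset, size=BLOCK_SIZE):
    """Read one block from a seekable binary stream (e.g. a raw image opened 'rb')."""
    image.seek(offset)
    data = image.read(size)
    if len(data) != size:
        raise ValueError(f"image ends before block at {offset:#09x}")
    return data

def compare_blocks(images, offsets=OFFSETS, size=BLOCK_SIZE):
    """Return {offset: {drive: (identical, eighth_byte)}} for a dict of named streams.
    A block is identical when another drive has the same SHA-256 at that offset."""
    report = {}
    for off in offsets:
        blocks = {name: read_block(img, off, size) for name, img in images.items()}
        digests = {name: hashlib.sha256(b).digest() for name, b in blocks.items()}
        counts = Counter(digests.values())
        report[off] = {name: (counts[digests[name]] > 1, blocks[name][EIGHTH])
                       for name in images}
    return report

def make_image(eighth_bytes, marker):
    """Constructed test image. A block whose eighth byte is 0x18 also gets a
    per-drive marker byte so that it differs from every other drive."""
    raw = bytearray(OFFSETS[-1] + BLOCK_SIZE)
    for off, value in zip(OFFSETS, eighth_bytes):
        raw[off + EIGHTH] = value
        if value == 0x18:
            raw[off + 0x20] = marker
    return io.BytesIO(bytes(raw))

def demo():
    # Constructed stand-ins for three test drives; eighth bytes follow the table.
    images = {
        "helloworld.txt": make_image([0x11, 0x0E, 0x0F, 0x10], 1),
        "permissions changed": make_image([0x11, 0x18, 0x18, 0x18], 2),
        "file deleted": make_image([0x11, 0x18, 0x0F, 0x10], 3),
    }
    return compare_blocks(images)

if __name__ == "__main__":
    for off, row in demo().items():
        print(f"{off:#09x}", {n: (same, f"{b:02X}") for n, (same, b) in row.items()})
```

To run it against real images, pass `compare_blocks` a dict of drive names to files opened in binary mode.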
Exactly like the drive with the .doc file on it, the desktop.ini file contents ([.ShellClassInfo.]) were found at offset 0x07A0000, with the file contents being found at offset 0x07B0000 (shown below).
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
0007B0000 68 65 6C 6C 6F 77 6F 72 6C 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 helloworld......................