Metadata Block ChangesModifying Content .txt FilePermissions ChangeDeleting .txt FileRenaming .txt FileCopying .txt FileCreating .txt FileDeleting .txt File Within Folders

.txt File Metadata Block Changes

The table below identifies both the changes which occur to the metadata blocks in the file system and the changes to the eighth bytes of said blocks. Again each of the blocks is at the same position as they were when folders were added to the system and also the same as when the .doc file was added to the file system.

The top row of the table shows that all the blocks were identical, including MACE times, whereas the second row each test drive's metadata changes. This is the opposite of the .doc file, as at offset 0x0750000 everything was different and at 0x0758000 everything was the same, which suggests the way the file systems deals with/creates these files is slightly different.

Similar to when the .doc file was created, the file contents begin at offset 0x07B0000 and 0x07C0000 isn't utilised by the majority of drives, but is used to move content or a deleted file reference to. Something which didn't happen on the .doc drive was that when the permissions were changed on the .txt file, this offset was used.

Metadata Block Offset

Starting Bytes

helloworld.txt

Content Changed

Permissions Changed

File Deleted

Shift & Delete

Rename

Copy File

0x0750000

94 01

Identical

11

Identical

11

Identical

11

Identical

11

Identical

11

Identical

11

Identical

11

0x0754000

95 01

 

0E

 

18

 

18

 

18

 

18

 

18

 

18

0x0758000

96 01

Identical

0F

 

18

 

18

Identical

0F

Identical

0F

 

18

Identical

0F

0x075C000

97 01

Identical

10

Identical

10

 

18

Identical

10

Identical

10

Identical

10

Identical

10

0x07B0000

AC 01

* File Contents - not metadata

0x07C0000

B0 01

No Data

No Data

Metadata

19

File reference

No Data

No Data

Copied content

 

Again, like with the .doc file, the file system after the file permissions have been changed has more differences to the other drives. At offset 0x075C000 the drive with the permissions changed is the only one that is different and then also at the offset where copied data is placed, the test drive for a permission change has a metadata block in use.

Exactly like the drive with the .doc file on it, the desktop.ini file contents ([.ShellClassInfo.]) was found at offset 0x07A0000 with the file contents being found at offset 0x07B0000 (shown below).

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

0007B0000  68 65 6C 6C 6F 77 6F 72 6C 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  helloworld......................