Metadata Block ChangesModifying Content .txt FilePermissions ChangeDeleting .txt FileRenaming .txt FileCopying .txt FileCreating .txt FileDeleting .txt File Within Folders

Permissions Change

The first two blocks of metadata on this drive are largely the same as the drive where the file has had the content change. The first block is identical across all the drives, but the second one only has minor changes. The eighth byte is different from the original drive, but the same as the modified content drive. The only differences between the modified content drive and the one with permissions changed are the Modified, Accessed and Entry Modified times.

Offset 0x0758000 holds the block that is identical to the previous one on the drive with the permissions change. Unlike when the file contents have been modified, there are no changes in file size, or previous file size bytes in this block, as the file size hasn't changed at all. Also the only difference between this block and the one at the same offset on the original drive is MACE times. The next metadata block (offset 0x075C000) is exactly the same as this one too (with the exception of the first byte).

At offset 0x07C0000 is where this drive with the permissions change is different from all the others. All the other drives have a common eighth byte and have different Modified, Accessed and Entry Modified times. The five bytes below the MACE times is also different too. This five bytes is the only difference between the previous block and this one when the permissions have been changed. This means that when the permissions of the file have been changed offsets 0x0754008, 0x0758008 and 0x075C008 are all the same, except for the five bytes at the end of the block and the very first byte.

The changes are shown below. The top block is the common one and the bottom block is the extra entry at offset 0x07C0000 on the drive with the permissions change. The five bytes that have changed are highlighted in red and the MACE times that have changed are in green.

Offset(h)   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

00075C560  78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02 00 24 00 52 00 45 00 43 00 59 00 43 00  x.........0.H...0...$.R.E.C.Y.C.

00075C580  4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00  L.E...B.I.N.....................

00075C5A0  85 13 AD F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01 F4 67 AF F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01  …..ù{+Ð.…..ù{+Ð.Ôg¯ù{+Ð.…..ù{+Ð.

00075C5C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 50 00 00 00 10 00 18 00  ........................P.......

00075C5E0  04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ..(.(... ..€....................

00075C600  00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ............h.e.l.l.o.w.o.r.l.d.

00075C620  2E 00 74 00 78 00 74 00 50 00 00 00 10 00 18 00 00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00  ..t.x.t.P.........(.(... ..€....

00075C640  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00  ............................h.e.

00075C660  6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 74 00 78 00 74 00 40 04 00 00 10 00 20 00  l.l.o.w.o.r.l.d...t.x.t.@..... .

00075C680  08 00 30 00 10 04 00 00 30 00 01 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ..0.....0...h.e.l.l.o.w.o.r.l.d.

00075C6A0  2E 00 74 00 78 00 74 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00  ..t.x.t.¨...(...................

00075C6C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01  ................à?ä.|+Ð.à?ä.|+Ð.

00075C6E0  E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00  à?ä.|+Ð.à?ä.|+Ð. ...............

00075C700  02 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ........+Oúû....................

 

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

0007C0560  78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02 00 24 00 52 00 45 00 43 00 59 00 43 00  x.........0.H...0...$.R.E.C.Y.C.

0007C0580  4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00  L.E...B.I.N.....................

0007C05A0  85 13 AD F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01  …..ù{+Ð.5Ž±ù{+Ð.5Ž±ù{+Ð.5Ž±ù{+Ð.

0007C05C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 50 00 00 00 10 00 18 00   ........................P.......

0007C05E0  04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ..(.(... ..€....................

0007C0600  00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ............h.e.l.l.o.w.o.r.l.d.

0007C0620  2E 00 74 00 78 00 74 00 50 00 00 00 10 00 18 00 00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00  ..t.x.t.P.........(.(... ..€....

0007C0640  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00  ............................h.e.

0007C0660  6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 74 00 78 00 74 00 40 04 00 00 10 00 20 00  l.l.o.w.o.r.l.d...t.x.t.@..... .

0007C0680  08 00 30 00 10 04 00 00 30 00 01 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ..0.....0...h.e.l.l.o.w.o.r.l.d.

0007C06A0  2E 00 74 00 78 00 74 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00  ..t.x.t.¨...(...................

0007C06C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01  ................à?ä.|+Ð.à?ä.|+Ð.

0007C06E0  ED CC EC 06 84 2B D0 01 E0 3F C4 2E 7C 2B D0 01 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00  íÌì.„+Ð.à.|+Ð. ...............

0007C0700  02 00 00 00 00 00 00 00 8E EB 21 E1 01 00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ........ŽË!á....................

 

These five bytes also changed when the permissions were changed on the drive with the .doc file. This suggests that these bytes may signify permissions in some way.

As expected, like on the original drive, the file contents is found at offset 0x07B0000.