The first two blocks of metadata on this drive are largely
the same as the drive where the file has had the content change. The first
block is identical across all the drives, but the second one only has minor
changes. The eighth byte is different from the original drive, but the same as
the modified content drive. The only differences between the modified content
drive and the one with permissions changed are the Modified, Accessed and Entry
Modified times.
Offset 0x0758000 holds the block that is identical to the
previous one on the drive with the permissions change. Unlike when the file
contents have been modified, there are no changes in file size, or previous
file size bytes in this block, as the file size hasn't changed at all. Also the
only difference between this block and the one at the same offset on the
original drive is MACE times. The next metadata block (offset 0x075C000) is
exactly the same as this one too (with the exception of the first byte).
At offset 0x07C0000 is where this drive with the permissions
change is different from all the others. All the other drives have a common
eighth byte and have different Modified, Accessed and Entry Modified times. The
five bytes below the MACE times is also different too. This five bytes is the
only difference between the previous block and this one when the permissions
have been changed. This means that when the permissions of the file have been
changed offsets 0x0754008, 0x0758008 and 0x075C008 are all the same, except for
the five bytes at the end of the block and the very first byte.
The changes are shown below. The top block is the common one
and the bottom block is the extra entry at offset 0x07C0000 on the drive with
the permissions change. The five bytes that have changed are highlighted in red
and the MACE times that have changed are in green.
Offset(h)
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17
18 19 1A 1B 1C 1D 1E 1F
00075C560 78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02
00 24 00 52 00 45 00 43 00 59 00 43 00 x.........0.H...0...$.R.E.C.Y.C.
00075C580 4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00
00 00 00 00 00 00 00 00 00 00 00 00 00 L.E...B.I.N.....................
00075C5A0 85 13 AD F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01 F4 67 AF
F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01
..ù{+Ð.
..ù{+Ð.Ôg¯ù{+Ð.
..ù{+Ð.
00075C5C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00
10 00 00 00 00 50 00 00 00 10 00 18 00 ........................P.......
00075C5E0 04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00
00 00 00 00 00 01 00 00 00 00 00 00 00 ..(.(... ......................
00075C600 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C
00 6F 00 77 00 6F 00 72 00 6C 00 64 00 ............h.e.l.l.o.w.o.r.l.d.
00075C620 2E 00 74 00 78 00 74 00 50 00 00 00 10 00 18 00 00 00 28
00 28 00 00 00 20 00 00 80 00 00 00 00 ..t.x.t.P.........(.(...
......
00075C640 00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 0C 00 1C 00 68 00 65 00 ............................h.e.
00075C660 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 74
00 78 00 74 00 40 04 00 00 10 00 20 00 l.l.o.w.o.r.l.d...t.x.t.@..... .
00075C680 08 00 30 00 10 04 00 00 30 00 01 00 68 00 65 00 6C 00 6C
00 6F 00 77 00 6F 00 72 00 6C 00 64 00 ..0.....0...h.e.l.l.o.w.o.r.l.d.
00075C6A0 2E 00 74 00 78 00 74 00 A8 00 00 00 28 00 01 00 00 00 00
00 10 01 00 00 10 01 00 00 02 00 00 00 ..t.x.t.¨...(...................
00075C6C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 3F C4
2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 ................à?ä.|+Ð.à?ä.|+Ð.
00075C6E0 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 20 00 00
00 00 00 00 00 00 06 00 00 00 00 00 00 à?ä.|+Ð.à?ä.|+Ð. ...............
00075C700 02 00 00 00 00 00 00 00 2B 4F FA FB 01
00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 ........+Oúû....................
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17
18 19 1A 1B 1C 1D 1E 1F
0007C0560 78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02
00 24 00 52 00 45 00 43 00 59 00 43 00 x.........0.H...0...$.R.E.C.Y.C.
0007C0580 4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00
00 00 00 00 00 00 00 00 00 00 00 00 00 L.E...B.I.N.....................
0007C05A0 85 13 AD F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01 35 8E B1
F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01
..ù{+Ð.5±ù{+Ð.5±ù{+Ð.5±ù{+Ð.
0007C05C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00
10 00 00 00 00 50 00 00 00 10 00 18 00 ........................P.......
0007C05E0 04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00
00 00 00 00 00 01 00 00 00 00 00 00 00 ..(.(... ......................
0007C0600 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C
00 6F 00 77 00 6F 00 72 00 6C 00 64 00 ............h.e.l.l.o.w.o.r.l.d.
0007C0620 2E 00 74 00 78 00 74 00 50 00 00 00 10 00 18 00 00 00 28
00 28 00 00 00 20 00 00 80 00 00 00 00 ..t.x.t.P.........(.(...
......
0007C0640 00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 0C 00 1C 00 68 00 65 00 ............................h.e.
0007C0660 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 74
00 78 00 74 00 40 04 00 00 10 00 20 00 l.l.o.w.o.r.l.d...t.x.t.@..... .
0007C0680 08 00 30 00 10 04 00 00 30 00 01 00 68 00 65 00 6C 00 6C
00 6F 00 77 00 6F 00 72 00 6C 00 64 00 ..0.....0...h.e.l.l.o.w.o.r.l.d.
0007C06A0 2E 00 74 00 78 00 74 00 A8 00 00 00 28 00 01 00 00 00 00
00 10 01 00 00 10 01 00 00 02 00 00 00 ..t.x.t.¨...(...................
0007C06C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 3F C4
2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 ................à?ä.|+Ð.à?ä.|+Ð.
0007C06E0 ED CC EC 06 84 2B D0 01 E0 3F C4 2E 7C 2B D0 01 20 00 00
00 00 00 00 00 00 06 00 00 00 00 00 00 íÌì.+Ð.à?ä.|+Ð.
...............
0007C0700 02 00 00 00 00 00 00 00 8E EB 21 E1 01
00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 ........Ë!á....................
These five bytes also changed when the permissions were
changed on the drive with the .doc file. This suggests that these bytes may
signify permissions in some way.
As expected, like on the original drive, the file contents is found at offset 0x07B0000.