Using a hex-editor to mount an NTFS volume, I’ve found an offset within the volume containing data I’m interested in. How can I figure out the full path/name of the file containing this volume offset?
You need to read the MFT and parse the Data attributes for each file to find the one that includes the particular offset. Note that you might need to look at every file’s stream, not only the default, so you have to parse all the Data attributes.
Unfortunately, I couldn’t find a quick link to the binary structure of the NTFS Data attribute. You’re on your own for this one.
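
The check the answer describes, as an added example that is not part of the original answer: it decodes the run list (mapping pairs) of a non-resident Data attribute and tests whether a volume byte offset falls inside one of its runs. The function names, the 4096-byte cluster size and the sample run list are assumptions made for illustration; the run-list bytes are taken as already extracted from an MFT record.

```python
# Added example: decode an NTFS data-run list (mapping pairs) and test
# whether a byte offset on the volume falls inside one of the runs.

def decode_runlist(raw):
    """Return [(start_vcn, start_lcn_or_None, length_in_clusters), ...]."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(raw) and raw[pos] != 0x00:      # 0x00 header ends the list
        len_size = raw[pos] & 0x0F                  # low nibble: bytes of length
        off_size = raw[pos] >> 4                    # high nibble: bytes of offset
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("malformed or truncated run list")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, None, length))        # sparse run: no clusters on disk
        else:
            # offset is signed and relative to the previous run's start LCN
            lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            runs.append((vcn, lcn, length))
        pos += off_size
        vcn += length
    return runs

def locate(raw, volume_offset, cluster_size=4096):
    """Return the byte offset inside the stream, or None if not covered."""
    target = volume_offset // cluster_size          # cluster holding the offset
    for vcn, lcn, length in decode_runlist(raw):
        if lcn is not None and lcn <= target < lcn + length:
            return vcn * cluster_size + (volume_offset - lcn * cluster_size)
    return None

# Constructed sample: 16 clusters at LCN 512, 8 clusters at LCN 496
# (negative delta), then a 4-cluster sparse run, then the terminator.
SAMPLE = bytes.fromhex("21100002" "1108F0" "0104" "00")

if __name__ == "__main__":
    print(decode_runlist(SAMPLE))
    print(locate(SAMPLE, 498 * 4096 + 100))
```

Running `locate` over the run list of every Data attribute in every MFT record identifies the stream that owns the offset. A resident Data attribute keeps its content inside the MFT record and has no run list, so it is matched against the record's own position instead.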