@port139 Blog

This blog mainly covers digital forensics techniques, but there is a high chance that what is written here contains errors.

$ObjId and $O

Let's check the Object ID of Penguin.jpg inside $ObjId.


$ObjId is located under the $Extend folder.


Look up MFT record number 25 inside $MFT. The 0x90 $INDEX_ROOT attribute can be seen there.


0x00006500: 90 00 00 00 A8 00 00 00 00 02 18 00 00 00 02 00 ................
0x00006510: 88 00 00 00 20 00 00 00 24 00 4F 00 00 00 00 00 .... ...$.O.....
0x00006520: 00 00 00 00 13 00 00 00 00 10 00 00 01 00 00 00 ................
0x00006530: 10 00 00 00 78 00 00 00 78 00 00 00 00 00 00 00 ....x...x.......
0x00006540: 20 00 38 00 00 00 00 00 58 00 10 00 00 00 00 00 .8.....X.......
0x00006550: E9 7C 45 5E A0 A0 E7 11 A8 24 08 00 27 36 0E 0B .|E^.....$..'6..
0x00006560: 26 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 &...............
0x00006570: 00 00 00 00 00 00 00 00 E9 7C 45 5E A0 A0 E7 11 .........|E^....
0x00006580: A8 24 08 00 27 36 0E 0B 00 00 00 00 00 00 00 00 .$..'6..........
0x00006590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000065a0: 10 00 00 00 02 00 00 00 FF FF FF FF 82 79 47 11 .............yG.

The data is parsed with reference to "14. NTFS Files: $ObjId (Any)" in the NTFS DOC.

2.2. Standard Attribute Header
2.2.2. Resident, Named

90 00 00 00 Attribute Type
A8 00 00 00 Length (including this header)
00 Non-resident flag
02 Name length
18 00 Offset to the Name
00 00 Flags
02 00 Attribute Id (a)
88 00 00 00 Length of the Attribute
20 00 Offset to the Attribute (b)
00 Indexed flag
00 Padding
24 00 4F 00 Name ⇒ $.O. (UTF-16LE "$O")

10.2.1. Index Root

00 00 00 00 Attribute Type
13 00 00 00 Collation Rule 0x13 ⇒ COLLATION_NTOFS_ULONGS
00 10 00 00 Size of Index Allocation Entry (bytes) 0x1000 ⇒ 4096
01 Clusters per Index Record
00 00 00 Padding (Align to 8 bytes)

10.2.2. Index Header

10 00 00 00 Offset to first Index Entry 0x10⇒16
78 00 00 00 Total size of the Index Entries 0x78 ⇒ 120
78 00 00 00 Allocated size of the Index Entries 0x78 ⇒ 120
00 Flags ⇒ Small Index (fits in Index Root)
00 00 00 Padding (align to 8 bytes)

14.3.1. $O Index

20 00 Offset to data 0x20 ⇒ 32 (from the start of this Index Entry)
38 00 Size of data 0x38⇒56
00 00 00 00 Padding
58 00 Size of Index Entry 0x58 ⇒ 88
10 00 Size of Index Key 0x10 ⇒ 16
00 00 Flags
00 00 Padding
E9 7C 45 5E A0 A0 E7 11 A8 24 08 00 27 36 0E 0B Key: GUID Object Id ⇒ 5E457CE9-A0A0-11E7-A824-080027360E0B
26 00 00 00 00 00 01 00 DATA: MFT Reference ⇒ record 0x26 (38), sequence number 1
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DATA: GUID Birth Volume Id
E9 7C 45 5E A0 A0 E7 11 A8 24 08 00 27 36 0E 0B DATA: GUID Birth Object Id
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 DATA: GUID Domain Id

00 00 Offset to data
00 00 Size of data
00 00 00 00 Padding
10 00 Size of Index Entry 0x10 ⇒ 16
00 00 Size of Index Key
02 00 Flags ⇒ Last Entry
00 00 Padding

FF FF FF FF $END (attribute list terminator; lies outside the 0xA8-byte attribute)
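The walkthrough above carried out in code, as an added example that is not part of the original post: it loads the dump of MFT record 25 and walks the $O index entries, decoding the GUID key and the MFT reference with the field layout from the NTFS DOC sections cited above (the function names are my own).

```python
import struct
import uuid

# Constructed from the hex dump in this post: the resident $INDEX_ROOT ($O) attribute of MFT record 25.
DUMP = """\
0x6500: 90 00 00 00 A8 00 00 00 00 02 18 00 00 00 02 00
0x6510: 88 00 00 00 20 00 00 00 24 00 4F 00 00 00 00 00
0x6520: 00 00 00 00 13 00 00 00 00 10 00 00 01 00 00 00
0x6530: 10 00 00 00 78 00 00 00 78 00 00 00 00 00 00 00
0x6540: 20 00 38 00 00 00 00 00 58 00 10 00 00 00 00 00
0x6550: E9 7C 45 5E A0 A0 E7 11 A8 24 08 00 27 36 0E 0B
0x6560: 26 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00
0x6570: 00 00 00 00 00 00 00 00 E9 7C 45 5E A0 A0 E7 11
0x6580: A8 24 08 00 27 36 0E 0B 00 00 00 00 00 00 00 00
0x6590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x65a0: 10 00 00 00 02 00 00 00"""

def load_dump(text):
    """Turn 'addr: xx xx ...' dump lines into bytes (address column dropped)."""
    toks = [t for line in text.splitlines() for t in line.split()[1:]]
    return bytes.fromhex("".join(toks))

def parse_o_index(buf):
    """Parse the $O index entries of a resident $INDEX_ROOT attribute."""
    (atype, _alen, nonres, name_len, name_off, _flags, _aid,
     _vlen, val_off, _idx, _pad) = struct.unpack_from("<IIBBHHHIHBB", buf, 0)
    name = buf[name_off:name_off + 2 * name_len].decode("utf-16-le")
    if atype != 0x90 or nonres or name != "$O":
        raise ValueError("not a resident $INDEX_ROOT attribute named $O")
    hdr = val_off + 16                      # Index Header follows the 16-byte Index Root
    first_off, total, _alloc, hflags = struct.unpack_from("<IIIB", buf, hdr)
    pos, end, entries = hdr + first_off, hdr + total, []   # offsets are relative to the Index Header
    while pos < end:
        data_off, data_len, _, entry_len, key_len, eflags = struct.unpack_from("<HHIHHH", buf, pos)
        if eflags & 0x02:                   # Last Entry: carries no key and no data
            break
        key = buf[pos + 16:pos + 16 + key_len]              # key starts right after the 16-byte entry header
        data = buf[pos + data_off:pos + data_off + data_len]
        ref = struct.unpack_from("<Q", data, 0)[0]          # 8-byte MFT reference
        entries.append({
            "object_id": str(uuid.UUID(bytes_le=key)),
            "mft_record": ref & 0xFFFFFFFFFFFF,             # low 48 bits: record number
            "mft_sequence": ref >> 48,                      # high 16 bits: sequence number
            "birth_volume_id": str(uuid.UUID(bytes_le=data[8:24])),
            "birth_object_id": str(uuid.UUID(bytes_le=data[24:40])),
            "domain_id": str(uuid.UUID(bytes_le=data[40:56])),
        })
        pos += entry_len
    return {"small_index": not (hflags & 0x01), "entries": entries}
```

For this dump the single entry maps Object ID 5e457ce9-a0a0-11e7-a824-080027360e0b to MFT record 38 (sequence 1), which is where Penguin.jpg's own record should be found.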
