@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

NTFS $ObjID and ObjectID

Note: I translated Japanese into English using Google Translate.
Thank you, Google.

Let's check NTFS $ObjID:$O and the deleted ObjectID.
There are image files on the sample E: drive, but these files do not have an ObjectID.



Browse the image file and check the ObjectID.


Confirm that an ObjectID has now been assigned to the file.


Let's look at the FILE record of $ObjID. At this point the $O index entries are held inside the $INDEX_ROOT attribute (0x90).

The separate $ObjID:$O stream does not exist yet.


Open several more files so that their ObjectIDs are added to $ObjID.


$O was created as an $INDEX_ALLOCATION attribute (0xA0). (In my test environment, $O was created with seven references, including the root.)


Let's look at the result of parsing $ObjID with the fte tool.


Delete boat.jpg, the file we referenced last.


This operation deletes the record for boat.jpg from $O.
The fte tool can still show a deleted record as long as its data remains in the index.
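As an added example (my own code, not the blog's and not the fte tool's), here is a small Python parser for the $O index entries discussed above. It walks the live entries up to the "last entry" marker and then scans the slack behind that marker for stale entries, which is where the record of a deleted file such as boat.jpg can survive. The sample node, GUIDs, MFT numbers and file names are constructed; the entry layout (16-byte header, 16-byte ObjectID key, 56-byte data holding the MFT reference, BirthVolumeId, BirthObjectId and DomainId) is assumed to be the standard NTFS one.

```python
import struct
import uuid

# $ObjID:$O index entry (little-endian, assumed standard NTFS layout): u16 data offset @0x00,
# u16 data length @0x02, u16 entry length @0x08, u16 key length @0x0A, u16 flags @0x0C (bit 1 =
# last entry); key @0x10 = ObjectID GUID; data = u64 MFT reference, BirthVolumeId, BirthObjectId, DomainId.
HDR, ENTRY_LEN, KEY_LEN, DATA_LEN, DATA_OFF = '<HHIHHHH', 0x58, 0x10, 0x38, 0x20
ROOT_OID, CAT_OID, BOAT_OID = (uuid.UUID(int=0x1000 + n) for n in range(3))  # constructed GUIDs

def build_entry(oid, mft_no, seq, birth_vol, flags=0):
    """Pack one entry (only for constructing sample input; BirthObjectId = ObjectID, DomainId = 0)."""
    hdr = struct.pack(HDR, DATA_OFF, DATA_LEN, 0, ENTRY_LEN, KEY_LEN, flags, 0)
    data = struct.pack('<Q', (seq << 48) | mft_no) + birth_vol.bytes_le + oid.bytes_le + bytes(16)
    return hdr + oid.bytes_le + data

def parse_entry(buf, off):
    """Decode the entry at buf[off:] -> (fields, entry length); fields is None for the terminator."""
    data_off, _, _, entry_len, _, flags, _ = struct.unpack_from(HDR, buf, off)
    if flags & 2: return None, entry_len  # 'last entry' marker carries no key or data
    d = off + data_off
    ref, = struct.unpack_from('<Q', buf, d)  # low 48 bits: MFT record number, high 16: sequence
    guid = lambda start: str(uuid.UUID(bytes_le=buf[start:start + 16]))
    return {'object_id': guid(off + 0x10), 'mft_record': ref & 0xFFFFFFFFFFFF, 'seq': ref >> 48,
            'birth_volume_id': guid(d + 8), 'birth_object_id': guid(d + 24), 'domain_id': guid(d + 40)}, entry_len

def parse_o_index(buf):
    """Walk live entries up to the 'last entry' marker, then carve the slack behind it."""
    live, carved, off = [], [], 0
    while off + 0x10 <= len(buf):
        entry, entry_len = parse_entry(buf, off)
        off += max(entry_len, 0x10)  # never advance by 0 on a corrupt header
        if entry is None:
            break
        live.append(entry)
    # Deleting an entry shifts later entries up and moves the terminator, but the bytes behind it
    # are not wiped, so a stale entry (the deleted one, or a copy of a shifted neighbour) may survive.
    while off + ENTRY_LEN <= len(buf):
        h = struct.unpack_from(HDR, buf, off)
        if (h[0], h[1], h[3], h[4]) == (DATA_OFF, DATA_LEN, ENTRY_LEN, KEY_LEN) and not h[5] & 2:
            carved.append(parse_entry(buf, off)[0])
            off += ENTRY_LEN
        else:
            off += 8  # index entries are 8-byte aligned
    return live, carved

def sample_o_index():
    """Constructed node: root (MFT 5) and cat.jpg live, boat.jpg deleted but still present in slack."""
    vol, terminator = uuid.UUID(int=0xABCD), struct.pack(HDR, 0, 0, 0, 0x10, 0, 2, 0)
    return (build_entry(ROOT_OID, 5, 5, vol) + build_entry(CAT_OID, 41, 1, vol)
            + terminator + bytes(24) + build_entry(BOAT_OID, 42, 1, vol) + bytes(64))
```

To run it on a real $O, feed it the entry area of $INDEX_ROOT or of an INDX record after applying the update sequence fixups; carved entries should be compared against the live ones, since a stale copy of a still-existing entry is also possible.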


Note:
When $O does not exist, the ObjectID is not displayed even if you use the fte tool.


Verification environment: Windows 10 1083

Reference URL:

http://www.kazamiya.net/en/fte

GitHub - jschicht/Indx2Csv: An advanced parser for INDX records

