Let's examine the binary structure of $I30.
In Autopsy, check the File Metadata of the Pictures folder. You can confirm that "$INDEX_ROOT (144-1) Name: $I30" exists as a resident attribute.
From The Sleuth Kit istat Tool:
MFT Entry Header Values:
Entry: 39 Sequence: 1
$LogFile Sequence Number: 1078084
Allocated Directory
Links: 1
$STANDARD_INFORMATION Attribute Values:
Flags:
Owner ID: 0
Security ID: 264 (S-1-5-21-1901480256-120802936-2790681297-1000)
Created: 2017-09-17 22:39:03.019912200 (UTC)
File Modified: 2017-09-17 22:39:39.366135400 (UTC)
MFT Modified: 2017-09-17 22:39:39.366135400 (UTC)
Accessed: 2017-09-17 22:39:39.366135400 (UTC)
$FILE_NAME Attribute Values:
Flags: Directory
Name: pictures
Parent MFT Entry: 5
Sequence: 5
Allocated Size: 0
Actual Size: 0
Created: 2017-09-17 22:39:03.019912200 (UTC)
File Modified: 2017-09-17 22:39:03.019912200 (UTC)
MFT Modified: 2017-09-17 22:39:03.019912200 (UTC)
Accessed: 2017-09-17 22:39:03.019912200 (UTC)
Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
Type: $FILE_NAME (48-2) Name: N/A Resident size: 82
Type: $INDEX_ROOT (144-1) Name: $I30 Resident size: 160
In Autopsy's Hex tab, check the contents of the $I30 data in $INDEX_ROOT.
0x00000000: 30 00 00 00 01 00 00 00 00 10 00 00 01 00 00 00 0...............
0x00000010: 10 00 00 00 90 00 00 00 90 00 00 00 00 00 00 00 ................
0x00000020: 28 00 00 00 00 00 01 00 70 00 60 00 00 00 00 00 (.......p.`.....
0x00000030: 27 00 00 00 00 00 01 00 AA 65 C5 D8 05 30 D3 01 '........e...0..
0x00000040: E1 EE 02 B9 05 30 D3 01 E1 EE 02 B9 05 30 D3 01 .....0.......0..
0x00000050: AA 65 C5 D8 05 30 D3 01 00 90 46 00 00 00 00 00 .e...0....F.....
0x00000060: 00 90 46 00 00 00 00 00 20 00 00 00 00 00 00 00 ..F..... .......
0x00000070: 0F 00 70 00 72 00 61 00 69 00 72 00 69 00 65 00 ..p.r.a.i.r.i.e.
0x00000080: 20 00 64 00 6F 00 67 00 2E 00 6A 00 70 00 67 00 .d.o.g...j.p.g.
0x00000090: 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 ................
Let's parse it with reference to page 25 of the NTFS Documentation, "10. Attribute - $INDEX_ROOT (0x90)".
10.2.1. Index Root
30 00 00 00 01 00 00 00 00 10 00 00 01 00 00 00
30 00 00 00 Attribute Type
01 00 00 00 Collation Rule ⇒ Filename
00 10 00 00 Size of Index Allocation Entry (bytes) 0x1000 ⇒4,096
01 Clusters per Index Record
00 00 00 Padding
10.2.2. Index Header
10 00 00 00 90 00 00 00 90 00 00 00 00 00 00 00
10 00 00 00 Offset to first Index Entry 0x10⇒16
90 00 00 00 Total size of the Index Entries 0x90⇒144
90 00 00 00 Allocated size of the Index Entries 0x90⇒144
00 Flags⇒Small Index (fits in Index Root)
00 00 00 Padding
11.2.1. Index Entry
28 00 00 00 00 00 01 00 70 00 60 00 00 00 00 00
28 00 00 00 00 00 01 00 File reference 0x28 ⇒ 40 Seq 1 prairie dog.jpg
70 00 L = Length of the index entry 0x70 ⇒ 112
60 00 M = Length of the stream 0x60 ⇒ 96
00 Flags
00 00 00
4. Attribute - $FILE_NAME (0x30)
27 00 00 00 00 00 01 00 AA 65 C5 D8 05 30 D3 01
E1 EE 02 B9 05 30 D3 01 E1 EE 02 B9 05 30 D3 01
AA 65 C5 D8 05 30 D3 01 00 90 46 00 00 00 00 00
00 90 46 00 00 00 00 00 20 00 00 00 00 00 00 00
0F 00 70 00 72 00 61 00 69 00 72 00 69 00 65 00
20 00 64 00 6F 00 67 00 2E 00 6A 00 70 00 67 00
27 00 00 00 00 00 01 00 File reference to the parent directory. ⇒ 39 Seq 1
AA 65 C5 D8 05 30 D3 01 C Time - File Creation
E1 EE 02 B9 05 30 D3 01 A Time - File Altered (Modification)
E1 EE 02 B9 05 30 D3 01 M Time - MFT Changed
AA 65 C5 D8 05 30 D3 01 R Time - File Read (Access)
00 90 46 00 00 00 00 00 Allocated size of the file 0x469000⇒4,624,384
00 90 46 00 00 00 00 00 Real size of the file 0x469000⇒4,624,384
20 00 00 00 Flags, e.g. Directory, compressed, hidden
00 00 00 00 Used by EAs and Reparse
0F Filename length in characters (L)
00 Filename namespace
0x42 2L File name in Unicode (not null terminated)
70 00 72 00 61 00 69 00 72 00 69 00 65 00 p.r.a.i.r.i.e.
20 00 64 00 6F 00 67 00 2E 00 6A 00 70 00 67 00 .d.o.g...j.p.g.
11.2.1. Index Entry
00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00
00 00 00 00 00 00 00 00 File reference
10 00 L = Length of the index entry 0x10 ⇒ 16
00 00 M = Length of the stream 0x00 ⇒ 00
02 Flags ⇒ Last index entry in the node
00 00 00
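
The same walk-through as an added Python example (not part of the original post): a small parser that applies the field layout above to the 160-byte $INDEX_ROOT value from the hex dump on this page. The function and key names are chosen for this example; it handles only a resident index like this one and rejects entries whose lengths point outside the attribute value.

```python
import struct
from datetime import datetime, timedelta, timezone

I30_HEX = """
30 00 00 00 01 00 00 00 00 10 00 00 01 00 00 00
10 00 00 00 90 00 00 00 90 00 00 00 00 00 00 00
28 00 00 00 00 00 01 00 70 00 60 00 00 00 00 00
27 00 00 00 00 00 01 00 AA 65 C5 D8 05 30 D3 01
E1 EE 02 B9 05 30 D3 01 E1 EE 02 B9 05 30 D3 01
AA 65 C5 D8 05 30 D3 01 00 90 46 00 00 00 00 00
00 90 46 00 00 00 00 00 20 00 00 00 00 00 00 00
0F 00 70 00 72 00 61 00 69 00 72 00 69 00 65 00
20 00 64 00 6F 00 67 00 2E 00 6A 00 70 00 67 00
00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00
"""  # resident $INDEX_ROOT value (160 bytes), copied from the hex dump on this page

def filetime(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def file_ref(raw):  # 8-byte file reference -> (MFT entry, sequence number)
    return raw & 0xFFFFFFFFFFFF, raw >> 48

def parse_index_root(buf):
    attr_type, _collation, rec_size, _clusters = struct.unpack_from("<IIIB", buf, 0)
    first, total, _allocated, flags = struct.unpack_from("<IIIB", buf, 0x10)
    pos, end, entries = 0x10 + first, 0x10 + total, []  # offsets count from the index header
    if end > len(buf):
        raise ValueError("index entries run past the attribute value")
    while pos + 16 <= end:
        ref, length, stream_len, eflags = struct.unpack_from("<QHHB", buf, pos)
        if length < 16 or pos + length > end:
            raise ValueError(f"bad index entry at offset {pos:#x}")
        if eflags & 0x02:  # last entry in the node: no $FILE_NAME stream follows
            break
        fn = pos + 16  # the stream is a copy of the file's $FILE_NAME attribute
        if not 0x42 <= stream_len <= length - 16 or 0x42 + 2 * buf[fn + 0x40] > stream_len:
            raise ValueError(f"bad $FILE_NAME stream at offset {fn:#x}")
        parent, c, a, m, r, alloc, real = struct.unpack_from("<QQQQQQQ", buf, fn)
        nlen = buf[fn + 0x40]  # file name length in UTF-16 characters
        entries.append({
            "mft": file_ref(ref), "parent": file_ref(parent),
            "name": buf[fn + 0x42:fn + 0x42 + 2 * nlen].decode("utf-16-le", "replace"),
            "created": filetime(c), "modified": filetime(a), "mft_changed": filetime(m),
            "accessed": filetime(r), "alloc_size": alloc, "real_size": real})
        pos += length
    return {"attr_type": attr_type, "record_size": rec_size,
            "large_index": bool(flags & 1), "entries": entries}

if __name__ == "__main__":
    print(parse_index_root(bytes.fromhex(I30_HEX))["entries"])
```

The decoded C time of the entry, 2017-09-17 22:39:39.3661354 UTC, equals the File Modified time that istat reports for the pictures directory itself.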