| Author |
Message |
   
beartidy
Username: acekubar
Registered: N/A
| | Posted on Friday, Mar 12, 2010 - 4:52: | |
My question is as follows. As the picture at the URL shows, we read the file XXXX.mp3 and then get the file's info from the MFT. As the MFT shows, the runlist of XXXX.mp3 is 0x42 0xF8 0x04 0x20 0x06 0xDC 0x05, so the first cluster is 0x05DC0620, but WinHex analyzes the file's first cluster as 0xDC0620. Can anyone help me solve this question? The captured picture is at the following URL: http://phorum.study-area.org/index.php/topic,60448.0.html Many thanks. |
   
beartidy
Username: acekubar
Registered: N/A
| | Posted on Friday, Mar 12, 2010 - 9:53: | |
The URL is as follows: http://lh3.ggpht.com/_KOprPzRPia0/S4t8eCRzchI/AAAAAAAABv8/HJSg_M7zDqg/s640/winhax01.jpg |
   
Alfons Kramer
Username: admin3
Registered: 4-2004
| | Posted on Monday, Mar 15, 2010 - 9:36: | |
NTFS is not as straightforward as you might think. You forgot to apply the fixup values. The last two bytes of a sector need to be replaced with values of the fixup array. After that we arrive at the numbers WinHex presents. In case you need a reference, I would like to recommend the book "File System Forensic Analysis" by Brian Carrier. |
   
beartidy
Username: acekubar
Registered: N/A
| | Posted on Tuesday, Mar 23, 2010 - 3:14: | |
Hi Alfons Kramer: thanks for your help, I have understood how it works! |