TechQA.

NTFS DataRun probably error

135 views Asked by At

I am writing a code to parse MFT of NTFS. I`m trying analyse Data Run of non residental $INDEX_ALLOCATION attrib:

11 01 2C 11 02 FE 11 00 9F 0B 21 01 DB 00 21 01 D9 00 21 01 E0 00 21 01 F6 00 21 01 10 01 00 F1

After regroup I see problem in Data Run No 3: DataRun 1: 11 01 2C DataRun 2: 11 02 FE DataRun 3: 11 00 9F <- what does mean "00" ?

I tried analyse it using Active Disk Editor 3 and this software decompose it to: DataRun 3: 11 00 9F 0B In my opinion header of DataRun 3 ("11") mean 1 length and 1 offset so there should be 2 bytes after header, but there are 3 bytes.

Any idea?

windows filesystems ntfs ntfs-mft
Original Q&A
0

There are 0 answers

Related Questions in WINDOWS

Related Questions in FILESYSTEMS

Related Questions in NTFS

Related Questions in NTFS-MFT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions