The Root Directory

The root directory lists all the metadata files in its first records and only after those the files and directories it contains. Because its representation is long, it is shown here divided into two parts.

Root Directory Descriptor

Figure 37

Descriptor of type INDEX file – To read this data we must first introduce the concept of INDEX. As it is a file too, it has a descriptor, which must be read according to the table in figure 37 and its hexadecimal editor representation in figure 36.

  • 30000h to 30003h – Signature – INDX
  • 30004h to 30005h – Offset to the update sequence – 28h, thus starting at the offset 30000h+28h=30028h
  • 30006h to 30007h – Update sequence size in words – 9 in our case – being 1 for the update number and 8 for the sequence (the index files occupy 1 cluster or a multiple of clusters)
  • 30008h to 3000Fh – $LogFile sequence number.
  • 30010h to 30017h – VCN of this buffer in this INDEX allocation – 0 in our case, as we are dealing with only 1 cluster.
  • 30018h to 3001Bh – Offset to the index entries – 28h in our case. This offset is relative to this point, thus the index entries will start at 30018h+28h=30040h.
  • 3001Ch to 3001Fh – Index entries size – 0A60h or 2,656 bytes in our case. This value is relative to 30018h too. Thus, the index entries must terminate at the offset 30018h + A60h = 30A78h, which can be verified at the end of figure 36.
  • 30020h to 30023h – Index entries allocated size – 0FE8h – this value too is relative to 30018h, the size being 18h+FE8h=1000h = 4,096 bytes (1 cluster)
  • 30024h – Designates whether this node has children – 1 if it does, which is our case.
  • 30025h to 30027h – Padding
  • 30028h and 30029h – Update sequence number – 9B 00 in our case. This is the number which shall be repeated at the end of each sector of this cluster.
  • 3002Ah to 30039h – Update sequence array – Holds the value of the last 2 bytes replaced by the update number (9B 00) in each one of the 8 sectors, namely CA 01  CA 01  00 00  CA 01  00 00  00 00  00 00  00 00

Root Directory Index Records

Figure 38

We’re now going to read the index records according to the table in figure 38, the hexadecimal editor representation in figures 36 and 40 (as it is too long it was divided into two figures) and the corresponding Windows Explorer image for the same indexation in figure 39, showing all the indexation levels from the root down to the searched file.

The 1st record indexes $AttrDef, at the offset 30040h,

  • in the MFT entry 04h (4),
  • with the size of 68h (104 bytes). Next record begins at the offset 30040h + 68h = 300A8h.
  • The name ends at the offset 52h. This offset is relative to offset 10h of the record (where the file name attribute starts, after the 8-byte aligned record header) and designates the end of the space actually used by the record; the record size is that end rounded up to the next multiple of 8 bytes.
  • The parent directory is in the MFT entry 5h, which is the root directory.
  • Next come the references to the date/time of creation, modification, MFT modification and last access.
  • The file allocated size is 1000h (4,096 bytes).
  • The file real size is 0A00h (2,560 bytes).

It matches with what we already analyzed about this file. The non-resident data is the attributes definition list.

  • The file name size is 08h (8),
  • in the namespace Win32 and DOS (03).

One observation about the references to the MFT, which are made up of 8 bytes:

  • The first 6 bytes refer to the MFT entry.
  • The last 2 bytes refer to the sequence number, which shall be equal to the one of the referenced file if the file system is consistent.
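To make the two readings above concrete (the INDX descriptor with its update sequence array, and the index records with their 8-byte MFT references, sizes and names), here is an added Python example that is not part of the original text. It constructs a 4,096-byte INDX cluster with the same header layout the page reads (update sequence at 28h, 9 words, entries starting at 40h, end marker with flag 02), applies the update sequence fixups the way a file system driver must before trusting the buffer, and then walks the records. The entries, the update sequence number 9Bh, the sequence numbers inside the MFT references and the base offset 30000h are sample values constructed from the figures on the page, not a dump of the real volume.

```python
import struct
from dataclasses import dataclass

SECTOR = 512          # stride of the update sequence: one protected word per 512-byte sector
CLUSTER = 4096        # the root directory INDX buffer on the page occupies 1 cluster
INDX_BASE = 0x30000   # absolute offset of that cluster in the page's hex dump (assumed)
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32 and DOS"}


@dataclass
class IndexEntry:
    offset: int        # absolute offset of the record
    length: int        # record size; the next record starts at offset + length
    name_end: int      # file name attribute length, relative to offset + 10h
    mft_entry: int     # low 6 bytes of the MFT reference
    sequence: int      # high 2 bytes of the MFT reference
    parent: int        # MFT entry of the parent directory
    allocated: int
    real: int
    name: str
    namespace: str
    last: bool = False


def build_entry(mft_entry, sequence, parent, allocated, real, name, namespace):
    """Constructed on-disk index record with a FILE_NAME attribute (timestamps zeroed)."""
    stream = struct.pack("<Q", parent | (5 << 48))           # parent reference, seq 5 assumed
    stream += bytes(32)                                      # creation/modification/MFT/access times
    stream += struct.pack("<QQII", allocated, real, 0, 0)    # sizes, flags, reparse tag
    stream += struct.pack("<BB", len(name), namespace) + name.encode("utf-16-le")
    length = (0x10 + len(stream) + 7) & ~7                   # round up to the 8-byte alignment
    header = struct.pack("<QHHI", mft_entry | (sequence << 48), length, len(stream), 0)
    return header + stream + bytes(length - 0x10 - len(stream))


def build_indx_cluster(entries, usn=0x9B):
    """Constructed INDX cluster: header, entries, end marker (flag 02) and fixups applied."""
    body = b"".join(entries) + struct.pack("<QHHI", 0, 0x10, 0, 0x02)
    buf = bytearray(CLUSTER)
    buf[0:0x28] = b"INDX" + struct.pack("<HHQQIIIB3x", 0x28, 1 + CLUSTER // SECTOR, 0, 0,
                                          0x28, 0x28 + len(body), CLUSTER - 0x18, 1)
    buf[0x40:0x40 + len(body)] = body
    struct.pack_into("<H", buf, 0x28, usn)
    for i in range(CLUSTER // SECTOR):    # save each sector's last word, overwrite it with the USN
        end = (i + 1) * SECTOR - 2
        buf[0x2A + 2 * i:0x2C + 2 * i] = buf[end:end + 2]
        struct.pack_into("<H", buf, end, usn)
    return bytes(buf)


def apply_fixups(raw):
    """Restore the original last word of every sector; a mismatch means a torn or corrupt write."""
    if raw[:4] != b"INDX":
        raise ValueError("not an INDX record")
    usa_offset, usa_count = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_offset:usa_offset + 2]
    fixed = bytearray(raw)
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        if raw[end:end + 2] != usn:
            raise ValueError(f"sector {i}: update sequence number mismatch, record is torn")
        slot = usa_offset + 2 + 2 * i
        fixed[end:end + 2] = raw[slot:slot + 2]
    return bytes(fixed)


def read_index_entries(raw, base=0):
    """Apply fixups, read the INDX header and walk the records up to the one flagged as last."""
    buf = apply_fixups(raw)
    _, _, _, lsn, vcn, entries_off, entries_size, alloc_size, children = struct.unpack_from("<4sHHQQIIIB", buf, 0)
    header = {"entries_start": 0x18 + entries_off, "entries_end": 0x18 + entries_size,
              "allocated_end": 0x18 + alloc_size, "has_children": bool(children), "vcn": vcn, "lsn": lsn}
    entries, off = [], header["entries_start"]
    while off < header["entries_end"]:
        ref, length, stream_len, flags = struct.unpack_from("<QHHI", buf, off)
        if flags & 0x02:                                  # last record: no MFT reference to read
            entries.append(IndexEntry(base + off, length, 0, 0, 0, 0, 0, 0, "", "", last=True))
            break
        fn = off + 0x10                                   # FILE_NAME attribute starts at 10h
        parent_ref = struct.unpack_from("<Q", buf, fn)[0]
        allocated, real = struct.unpack_from("<QQ", buf, fn + 0x28)
        name_len, ns = struct.unpack_from("<BB", buf, fn + 0x40)
        name = buf[fn + 0x42:fn + 0x42 + 2 * name_len].decode("utf-16-le")
        entries.append(IndexEntry(base + off, length, stream_len, ref & 0xFFFFFFFFFFFF, ref >> 48,
                                  parent_ref & 0xFFFFFFFFFFFF, allocated, real, name, NAMESPACES.get(ns, hex(ns))))
        off += length
    return header, entries


# Constructed sample mirroring a few of the records the page reads from the root directory.
SAMPLE_CLUSTER = build_indx_cluster([
    build_entry(4, 4, 5, 0x1000, 0xA00, "$AttrDef", 3),
    build_entry(0, 1, 5, 0x1DC0000, 0x1DC0000, "$MFT", 3),
    build_entry(0x28, 1, 5, 0, 0, "$RECYCLE.BIN", 3),
    build_entry(0x27, 1, 5, 0, 0, "As Minhas Músicas", 1),
    build_entry(0x27, 1, 5, 0, 0, "ASMINH~1", 2),
])

if __name__ == "__main__":
    hdr, records = read_index_entries(SAMPLE_CLUSTER, base=INDX_BASE)
    print(f"index entries {hdr['entries_start'] + INDX_BASE:X}h to {hdr['entries_end'] + INDX_BASE:X}h")
    for r in records:
        print(f"{r.offset:X}h size {r.length:X}h MFT {r.mft_entry} seq {r.sequence} "
              f"{r.name!r} ({r.namespace}) alloc {r.allocated:X}h real {r.real:X}h last={r.last}")
```

The walk reproduces the arithmetic of the page: $AttrDef at 30040h with size 68h, the next record at 300A8h, the 17-character name giving a 78h record, and the end marker carrying only the flag 02. The fixup step is the part a forensic reader must not skip: the last two bytes of every sector in the raw dump hold 9B 00, not data, and a sector whose final word does not match the update sequence number signals a torn write rather than a record to be trusted.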

The 2nd record indexes $BadClus, at the offset 300A8h,

  • in the MFT entry 08h (8),
  • with the size of 68h (104 bytes). Next record begins at the offset 300A8h + 68h = 30110h.
  • The allocated size and the real size are 0.
  • The file name size is 08h (8),
  • in the namespace Win32 and DOS (03).

The 3rd record indexes $BitMap, at the offset 30110h,

  • in the MFT entry 06h (6),
  • with the size of 60h (96 bytes). Next record begins at the offset 30110h + 60h = 30170h.
  • The allocated size and the real size are 0.
  • The file name size is 08h (8),
  • in the namespace Win32 and DOS (03).

The 4th record indexes the file $Boot, at the offset 30170h,

  • in the MFT entry 07h (7),
  • with the size of 60h (96 bytes). Next record begins at the offset 30170h + 60h = 301D0h.
  • The file allocated size is 2000h (8,192 bytes or 2 clusters)
  • The file real size is the same.
  • The file name size is 05h (5),
  • in the namespace Win32 and DOS (03).

Figure 36

The 5th record indexes $Extend, at the offset 301D0h,

  • in the MFT entry 0Bh (11),
  • with the size of 60h (96 bytes). Next record begins at the offset 301D0h + 60h = 30230h.
  • The allocated size and the real size are 0.
  • The file name size is 07h (7),
  • in the namespace Win32 and DOS (03).

The 6th record indexes $LogFile, at the offset 30230h,

  • in the MFT entry 02h (2),
  • with the size of 68h (104 bytes). Next record begins at the offset 30230h + 68h = 30298h.
  • The allocated size and the real size are 4000000h, or 67,108,864 bytes. This space is indexed within its MFT entry.
  • The file name size is 08h (8),
  • in the namespace Win32 and DOS (03).

The 7th record indexes the file $MFT, at the offset 30298h,

  • in the MFT entry 00h (0),
  • with the size of 60h (96 bytes). Next record begins at the offset 30298h + 60h = 302F8h.
  • The allocated size and the real size are 1DC0000h, or 31,195,136 bytes. This space is indexed within its MFT entry, in 2 data blocks with the offsets that we’ve already seen.
  • The file name size is 04h (4),
  • in the namespace Win32 and DOS (03).

The 8th record indexes $MFTMirr, at the offset 302F8h,

  • in the MFT entry 01h (1),
  • with the size of 68h (104 bytes). Next record begins at the offset 302F8h + 68h = 30360h.
  • The allocated size and the real size are 1000h, or 4,096 bytes or 1 cluster.
  • The file name size is 04h (4),
  • in the namespace Win32 and DOS (03).

The 9th record indexes $RECYCLE.BIN, at the offset 30360h,

  • in the MFT entry 28h (40),
  • with the size of 70h (112 bytes). Next record begins at the offset 30360h + 70h = 303D0h.
  • The allocated size and the real size are 0.
  • The file name size is 0Ch (12), 8+dot+extension
  • in the namespace Win32 and DOS (03).

The 10th record indexes $Secure, at the offset 303D0h,

  • in the MFT entry 09h (9),
  • with the size of 60h (96 bytes). Next record begins at the offset 303D0h + 60h = 30430h.
  • The allocated size and the real size are 0.
  • The file name size is 07h (7),
  • in the namespace Win32 and DOS (03).

The 11th record indexes $UpCase, at the offset 30430h,

  • in the MFT entry 0Ah (10),
  • with the size of 60h (96 bytes). Next record begins at the offset 30430h + 60h = 30490h.
  • The allocated size and the real size are 20000h or 131,072 bytes or 32 clusters.
  • The file name size is 07h (7),
  • in the namespace Win32 and DOS (03).

The 12th record indexes $Volume, at the offset 30490h,

  • in the MFT entry 03h (3),
  • with the size of 60h (96 bytes). Next record begins at the offset 30490h + 60h = 304F0h.
  • The allocated size and the real size are 0.
  • The file name size is 07h (7),
  • in the namespace Win32 and DOS (03).

The 13th record indexes itself, at the offset 304F0h,

  • in the MFT entry 05h (5). It is the parent directory of all these entries.
  • with the size of 58h (88 bytes). Next record begins at the offset 304F0h + 58h = 30548h.
  • The allocated size and the real size are 0.
  • The file name size is 01h (1),
  • in the namespace Win32 and DOS (03).

Figure 39

This record indexes the root directory, named . (dot), present at the MFT entry 05h, having its parent directory at the same entry 05h, thus itself.

All the records have the same fields referred for the 1st record but we only included those whose reading can add some knowledge about the indexed file.

The next records are those referring to our files and directories which are inside the root directory. To better understand the path from now on we put here together the image of the Windows Explorer containing the several indexing levels from the root directory until the searched file, as we can see in figure 39 and read in its caption.

The 14th record, As Minhas Músicas, at the offset 30548h,

  • in the MFT entry 27h (39),
  • with the size of 78h (120 bytes). Next record begins at the offset 30548h + 78h = 305C0h.
  • The name ends at the offset This offset is relative to the next alignment to 8 bytes (10h relative to the record) and designates the end of the real space used by the record.
  • The parent directory is in the MFT entry 5h, which is the root directory.
  • Next come the references to the date/time of creation, modification, MFT modification and last access.
  • The file name size is 11h (17) characters (As Minhas Músicas), in the namespace Win32 (01).
  • This means that there is another description of the same file in the namespace DOS (02), which is the next record.

The 15th record, ASMINH~1, at the offset 305C0h,

  • in the MFT entry 27h (39 – the same),
  • with the size of 68h (104 bytes). Next record begins at the offset 305C0h + 68h = 30628h,
  • The name ends at the offset 52h
  • The file name size is 8,
  • now in the namespace DOS (02),

The 16th record, Imagens P20, at the offset 30628h,

  • in the MFT entry 51BDh (20.925),
  • with the size of 68h (104 bytes). Next record begins at the offset 30628h + 68h = 30690h,
  • The name ends at the offset 58h,
  • The file name size is 0Bh (11),
  • in the namespace Win32 (01).

The 17th record, Imagens PC, at the offset 30690h,

  • in the MFT entry 51BCh (20.924),
  • with the size of 68h (104 bytes). Next record begins at the offset 30690h + 68h = 306F8h,
  • The name ends at the offset 56h,
  • The file name size is 0Ah (10),
  • in the namespace Win32 (01).

Figure 40

The 18th record, IMAGEN~1, at the offset 306F8h,

  • in the MFT entry 51BDh (20.925),
  • with the size of 68h (104 bytes). Next record begins at the offset 306F8h + 68h = 30760h,
  • The name ends at the offset 52h,
  • The file name size is 8,
  • in the namespace DOS (02).

The 19th record, IMAGEN~2, at the offset 30760h,

  • in the MFT entry 51BCh (20.924),
  • with the size of 68h (104 bytes). Next record begins at the offset 30760h + 68h = 307C8h,
  • The name ends at the offset 52h,
  • The file name size is 8,
  • in the namespace DOS (02).

The 20th record, System Volume Information, at the offset 307C8h,

  • in the MFT entry 24h (36),
  • with the size of 88h (136 bytes). Next record begins at the offset 307C8h + 88h = 30850h,
  • The name ends at the offset 74h,
  • The file name size is 19h (25),
  • in the namespace Win32 (01).

The 21st record, SYSTEM~1, at the offset 30850h,

  • in the MFT entry 24h (36),
  • with the size of 68h (104 bytes). Next record begins at the offset 30850h + 68h = 308B8h,
  • The name ends at the offset 52h,
  • The file name size is 8,
  • in the namespace DOS (02).

The 22nd record, Todas as Imagens, at the offset 308B8h,

  • in the MFT entry 51BEh (20.926),
  • with the size of 78h (120 bytes). Next record begins at the offset 308B8h + 78h = 30930h,
  • The name ends at the offset 62h,
  • The file name size is 10h (16),
  • in the namespace Win32 (01).

The 23rd record, TODASA~1, at the offset 30930h,

  • in the MFT entry 51BEh (20.926),
  • with the size of 68h (104 bytes). Next record begins at the offset 30930h + 68h = 30998h,
  • The name ends at the offset 52h,
  • The file name size is 8,
  • in the namespace DOS (02).

The 24th record, Tutoriais, at the offset 30998h,

  • in the MFT entry 0923h (2.339),
  • with the size of 68h (104 bytes). Next record begins at the offset 30998h + 68h = 30A00h,
  • The name ends at the offset 54h,
  • The file name size is 09h (9),
  • in the namespace Win32 (01).

The 25th record, TUTORI~1, at the offset 30A00h,

  • in the MFT entry 0923h (2.339),
  • with the size of 68h (104 bytes). Next record begins at the offset 30A00h + 68h = 30A68h,
  • The name ends at the offset 52h,
  • The file name size is 8,
  • in the namespace DOS (02).

The 26th record, between 30A68h and 30A77h, has no reference to an MFT entry, and its flag 02 tells us that this is the last record of this INDEX.

Reading these Index entries, the system is now informed about the files belonging to the root directory and the next nodes (directories) in the tree. Reading the following nodes it will know the files belonging to them and the following nodes in the tree. And so on, until the system knows the entire content of all the Volumes of the computer.

This is how we obtain the MFT entry where the next node in our path is referenced, which can be followed in figure 39.

It is the 22nd record in the root directory that points to the next node in the branch of the tree which leads to our file. That is why we are going to analyze that MFT entry (20,926), which defines this 22nd record, and start our journey there.