For this experiment, the file was copied, pasted and then
renamed. During the analysis, entries for "helloworld.doc",
"helloworld-Copy.doc" and "sayitagain.doc" are expected to be
found. As when the file was renamed, the file system metadata blocks on the
drive with the copied file were largely the same as on the other drives, with the
exception of the first block and the extra content at offset 0x07C0000.
The first block closely resembles the first block of the other drives. The
first instances of the file name are found at offset 0x0750600, and there are
three of them, compared with two for the original .doc file. This closely
resembles the case where the file was permanently deleted. There are some
differences, however; most notably, when the file has been copied the file size
is still present, as expected.
Further down in this first metadata block, an entry for the
copied file was found (shown below).
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000750AC0 04 00 28 00 38 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 03 00 00 00 00 00 00 00  ..(.8... ......................
000750AE0 00 00 00 00 00 00 00 00 0C 00 2A 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ..........*.h.e.l.l.o.w.o.r.l.d.
000750B00 20 00 2D 00 20 00 43 00 6F 00 70 00 79 00 2E 00 64 00 6F 00 63 00 BA 02 40 04 00 00 10 00 20 00  .-. .C.o.p.y...d.o.c.º.@..... .
000750B20 00 00 30 00 10 04 00 00 30 00 01 00 73 00 61 00 79 00 69 00 74 00 61 00 67 00 61 00 69 00 6E 00  ..0.....0...s.a.y.i.t.a.g.a.i.n.
000750B40 2E 00 64 00 6F 00 63 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00  ..d.o.c.¨...(...................
000750B60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 5A D0 56 86 2B D0 01 24 2F 27 6F 7F 2B D0 01  ................3ZÐV+Ð.$/'o.+Ð.
000750B80 75 F2 90 59 86 2B D0 01 33 5A D0 56 86 2B D0 01 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00  uò.Y+Ð.3ZÐV+Ð. ...............
000750BA0 03 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ........+Oúû....................
000750BC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................
000750BE0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 A0 01 00 00 D4 00 00 00 00 02 00 00  ................ ... ...Ô.......
000750C00 74 02 00 00 01 00 00 00 78 02 00 00 00 00 00 00 80 01 00 00 10 00 0E 00 08 00 20 00 60 01 00 00  t.......x................ .`...
000750C20 60 01 00 00 00 00 00 00 80 00 00 00 00 00 00 00 88 00 00 00 28 00 01 00 01 00 00 00 20 01 00 00  `.................(....... ...
000750C40 20 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ...............................
000750C60 00 00 00 00 00 00 01 00 00 00 00 00 0A 00 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00  ................................
000750C80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................
000750CA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 50 00 00 00  ........................ ...P...
000750CC0 84 00 00 00 00 02 00 00 D4 00 00 00 01 00 00 00 D8 00 00 00 00 00 00 00 30 00 00 00 10 00 10 00  .......Ô.......Ø.......0.......
000750CE0 00 00 10 00 20 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 01 00 00 00 00 00 00  .... ...................°.......
Highlighted in the block above are the file pointer (in orange), the file
size (in red) and the MACE times (in green); the colour highlighting is not
reproduced in this plain-text copy. The copied filename "helloworld-Copy.doc"
can be seen (in blue), followed by the renamed filename "sayitagain.doc"
(in purple).
A little further down in the metadata block the filename can
be found again (shown below).
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000750F60 00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 03 00 00 00 00 00 00 00  ..(.(... ......................
000750F80 00 00 00 00 00 00 00 00 0C 00 1C 00 73 00 61 00 79 00 69 00 74 00 61 00 67 00 61 00 69 00 6E 00  ............s.a.y.i.t.a.g.a.i.n.
000750FA0 2E 00 64 00 6F 00 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ..d.o.c.........................
The file pointer, found at offset 0x0750CF8, points to offset
0x07C0000. The original file's content is still present at offset 0x07B0000,
and the content found at 0x07C0000 is identical, reading "helloworld".