Another experiment done with the .doc contents was to zip
the folder. The experiment was performed at the same level as the copy experiment
above - it was done on the folder with a .doc file saved inside it.
|
Metadata Block Offset |
Starting Bytes |
hellofolder |
Eighth Byte |
.doc Added to Folder |
Eighth Byte |
Folder Zipped |
Eighth Byte |
Identical? |
||
|
0x0750000 |
94 01 |
|
0A |
hellofolder |
16 |
hellofolder |
1E |
|
|
|
|
0x0754000 |
95 01 |
hellofolder |
0D |
hellofolder |
0D |
hellofolder |
1C |
✔ |
✔ |
|
|
0x0758000 |
96 01 |
hellofolder |
0E |
hellofolder |
0E |
hellofolder |
1D |
✔ |
✔ |
|
|
0x075C000 |
97 01 |
New folder |
0C |
New folder |
0C |
hellofolder |
1D |
✔ |
✔ |
|
|
0x07B0000 |
AC 01 |
New folder |
0C |
hellofolder |
15 |
hellofolder |
* 00 |
|
|
|
|
0x07B4000 |
AD 01 |
hellofolder |
0D |
hellofolder |
0D |
hellofolder |
0D |
✔ |
✔ |
✔ |
|
0x07B8000 |
AE 01 |
|
|
hellofolder |
15 |
hellofolder |
15 |
|
✔ |
✔ |
|
0x07BC000 |
AF 01 |
|
|
hellofolder |
15 |
hellofolder |
15 |
|
✔ |
✔ |
|
0x07C0000 |
B0 01 |
|
|
hellofolder |
16 |
hellofolder |
16 |
|
✔ |
✔ |
The first metadata block identified in the table above is
very different when the folder has been zipped. A large part of the block remained
the same (highlighted blue below) but there were also important changes. Shown
below is an extract from the metadata block.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17
18 19 1A 1B 1C 1D 1E 1F
000750560 78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02
00 24 00 52 00 45 00 43 00 59 00 43 00 x.........0.H...0...$.R.E.C.Y.C.
000750580 4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00
00 00 00 00 00 00 00 00 00 00 00 00 00 L.E...B.I.N.....................
0007505A0 86 98 ED 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01 6D 36 F0
46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01 †˜íF}+Ð.m6ÐF}+Ð.m6ÐF}+Ð.m6ÐF}+Ð.
0007505C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00
10 00 00 00 00 78 00 00 00 10 00 1A 00 ........................x.......
0007505E0 00 00 30 00 48 00 00 00 30 00 02 00 68 00 65 00 6C 00 6C
00 6F 00 66 00 6F 00 6C 00 64 00 65 00 ..0.H...0...h.e.l.l.o.f.o.l.d.e.
000750600 72 00 00 00 00 00 00 00 03 07 00 00 00 00 00 00 00 00 00
00 00 00 00 00 10 CB 15 9F 7D 2B D0 01 r........................Ë.Ÿ}+Ð.
000750620 D3 85 5B 85 8E 2B D0 01 D3 85 5B 85 8E 2B D0 01 D3 85 5B
85 8E 2B D0 01 00 00 00 00 00 00 00 00 Ó…[…Ž+Ð.Ó…[…Ž+Ð.Ó…[…Ž+Ð.........
000750640 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 58 00 00
00 10 00 18 00 00 00 28 00 30 00 00 00................X.........(.0...
000750660 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00..€............................
000750680 0C 00 1E 00 68 00 65 00 6C 00 6C 00 6F 00 66 00 6F 00 6C
00 64 00 65 00 72 00 2E 00 7A 00 69 00....h.e.l.l.o.f.o.l.d.e.r...z.i.
0007506A0 70 00 38 00 4A 00 FF FF 48 04
00 00 10 00 22 00 08 00 38 00 10 04 00 00 30 00 01 00 68 00 65 00 p.8.J.ŸŸH....."...8.....0...h.e.
0007506C0 6C 00 6C 00 6F 00 66 00 6F 00 6C 00 64 00 65 00 72 00 2E
00 7A 00 69 00 70 00 00 00
00 00 00 00 l.l.o.f.o.l.d.e.r...z.i.p.......
0007506E0 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00
00 02 00 00 00 00 00 00 00 00 00 00 00¨...(...........................
000750700 00 00 00 00 00 00 00 00 27 61 8C 26 95 2B D0
01 2C A5 9A 26 95 2B D0 01 2C A5 9A 26 95 2B D0 01 ........'aŒ&•+Ð.,¥š&•+Ð.,¥š&•+Ð.
000750720 27 61 8C 26 95 2B D0 01 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00 00
00 00 00 00 'aŒ&•+Ð. .......................
000750740 3F 14 FA E8 01 00 00 00 AC
00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ?.úè....¬.......................
000750760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 01 00 00 00 00 00 00 00 ................................
000750780 00 00 00 00 00 00 00 00 20 00 00 00 A0 01 00 00 D4 00 00
00 00 02 00 00 74 02 00 00 01 00 00 00 ........ ... ...Ô.......t.......
0007507A0 78 02 00 00 00 00 00 00 80 01 00 00 10 00 0E 00 08 00 20
00 60 01 00 00 60 01 00 00 00 00 00 00 x.......€......... .`...`.......
0007507C0 80 00 00 00 00 00 00 00 88 00 00 00 28 00 01 00 01 00 00
00 20 01 00 00 20 01 00 00 02 00 00 00 €.......ˆ...(....... ... .......
0007507E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
00 00 00 00 00 00 00 00 00 00 00 01 00 ................................
000750800 00 00 00 00 AC
00 00 00 00 00 00 00 AC 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....¬.......¬...................
000750820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
000750840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00
00 50 00 00 00 84 00 00 00 00 02 00 00 ................ ...P...„.......
000750860 D4 00 00 00 01 00 00 00 D8 00 00 00 00 00 00 00 30 00 00
00 10 00 10 00 00 00 10 00 20 00 00 00 Ô.......Ø.......0........... ...
000750880 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 AC 01 00 00 00 00 00 00 00 00 00 08 00 00 00 00 ................¬...............
0007508A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
In the block above there is an entry for the zipped folder,
which is saved in the same manner that a normal file would be (highlighted in
red). The new MACE times are highlighted in green. The file pointer is
highlighted in orange and the file size in purple. The file size is AC, which
converts to 172 bytes, which is the same size as Windows reported for the
zipped folder.
The file pointer is AC 01. When this is calculated it
becomes offset 7B0000, the contents of which are shown below.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E
0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
0007B0000 50 4B 03 04 14 00 00 00 00 00 10 B0 28 46 72 C8 06 B4 0E 00 00 00 0E 00 00 00
1E 00 00 00 68 65 PK.........°(FrÈ.´............he
0007B0020 6C 6C 6F 66 6F 6C 64 65 72 2F 73 65 63 72 65 74 64 6F
63 75 6D 65 6E 74 2E 64 6F 63 68 69 64 65 llofolder/secretdocument.dochide
0007B0040 20 74 68 69 73 20 69 6E 66 6F 50 4B 01 02 14
00 14 00 00 00 00 00 10 B0 28 46 72 C8 06 B4 0E 00 this infoPK...........°(FrÈ.´..
0007B0060 00 00 0E 00 00 00 1E 00 00 00 00 00 00 00 01 00 20 00
00 00 00 00 00 00 68 65 6C 6C 6F 66 6F 6C ................ .......hellofol
0007B0080 64 65 72 2F 73 65 63 72 65 74 64 6F 63 75 6D 65 6E 74
2E 64 6F 63 50 4B 05 06 00 00 00 00 01 00 der/secretdocument.docPK........
0007B00A0 01 00 4C 00 00 00 4A 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..L...J.........................
The block above is the result of the zipping. It contains
the file name and path (red) and the contents (purple).
There are three instances of "PK" (orange), which combined with the two bytes that follow it make
the local file header (Buchholz, 2006). PK is likely used because the ZIP
format was created by a man called Phil Katz. The order of these file headers
is as follows: "PK34", "PK12" and "PK56", which doesn't seem to be in any order.
To compare
to the above, the same zipped file on NTFS, within an MFT entry, is shown below.
Where the content matches on each file system it is highlighted in blue. There
are only two changes within the block and these are both the byte changing
between 10 and 1A (highlighted in orange). The zipped file is also stored in
the same way on the FAT32 drive too. Again the only differences are the same
two bytes, but instead of being 10 or 1A, they are set to 15. Using the
definitions provided by Buchholz (2012), it can be seen that this changing byte
is part of the modified time. This makes sense, as each experiment was done
separate - it wasn't possible to zip them all at exactly the same time. The
times are stored in MS-DOS format (see exercise at the end of this section).
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17
18 19 1A 1B 1C 1D 1E 1F
04010A800 46 49 4C 45 30 00 03 00 25 4E 00 02 00 00 00 00 01 00 01
00 38 00 01 00 E0 01 00 00 00 04 00 00
FILE0...%N..........8...à.......
04010A820 00 00 00 00 00 00 00 00 03 00 00 00 2A 00 00 00 02 00 00
00 00 00 00 00 10 00 00 00 60 00 00 00 ............*...............`...
04010A840 00 00 00 00 00 00 00 00 48 00 00 00 18 00 00 00 EB BC 12
1D 95 2B D0 01 EB BC 12 1D 95 2B D0 01 ........H.......˼..•+Ð.˼..•+Ð.
04010A860 EB BC 12 1D 95 2B D0 01 EB BC 12 1D 95 2B D0 01 20 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 ˼..•+Ð.˼..•+Ð.
...............
04010A880 00 00 00 00 0D 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 30 00 00 00 78 00 00 00 ........................0...x...
04010A8A0 00 00 00 00 00 00 02 00 60 00 00 00 18 00 01 00 05 00 00
00 00 00 05 00 EB BC 12 1D 95 2B D0 01 ........`...............˼..•+Ð.
04010A8C0 EB BC 12 1D 95 2B D0 01 EB BC 12 1D 95 2B D0 01 EB BC 12
1D 95 2B D0 01 00 00 00 00 00 00 00 00 ˼..•+Ð.˼..•+Ð.˼..•+Ð.........
04010A8E0 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 0F 00 68
00 65 00 6C 00 6C 00 6F 00 66 00 6F 00 ........ .........h.e.l.l.o.f.o.
04010A900 6C 00 64 00 65 00 72 00 2E 00 7A 00 69 00 70 00 80 00 00
00 C8 00 00 00 00 00 18 00 00 00 01 00 l.d.e.r...z.i.p.€...è...........
04010A920 AC 00 00 00 18 00 00 00 50 4B 03 04 14 00 00
00 00 00 0A B0 28 46 72 C8 06 B4 0E 00 00 00 0E 00 ¬.......PK.........°(Frè.´......
04010A940 00 00 1E 00 00 00 68 65 6C 6C
6F 66 6F 6C 64 65 72 2F 73 65 63 72 65 74 64 6F 63 75 6D 65 6E 74 ......hellofolder/secretdocument
04010A960 2E 64 6F 63 68 69 64 65 20 74 68 69 73 20 69 6E 66 6F 50
4B 01 02 14 00 14 00 00 00 00 00 0A B0 .dochide this infoPK...........°
04010A980 28 46 72 C8 06 B4 0E 00 00 00 0E 00 00 00 1E 00 00 00 00
00 00 00 01 00 20 00 00 00 00 00 00 00 (Frè.´.................. .......
04010A9A0 68 65 6C 6C 6F 66 6F 6C 64 65
72 2F 73 65 63 72 65 74 64 6F 63 75 6D 65 6E 74 2E 64 6F 63 50 4B hellofolder/secretdocument.docPK
04010A9C0 05 06 00 00 00 00 01 00 01 00 4C 00 00 00 4A 00 00 00 00 00 00 00 00 00 FF FF FF FF
82 79 47 11 ..........L...J.........ŸŸŸŸ‚yG.
Using Buchholz's definition (2012), it can be seen that the
one byte that changes between the file systems is compression. The block below
is the zipped file broken down and described, with colours linking to the respective
row in the table.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17
18 19 1A 1B 1C 1D 1E 1F
0007B0000 50 4B 03 04 14 00 00 00 00 00 10 B0 28 46 72 C8 06 B4 0E
00 00 00 0E 00 00 00 1E 00 00 00 68 65 PK.........°(Frè.´............he
0007B0020 6C 6C 6F 66 6F 6C 64 65 72 2F
73 65 63 72 65 74 64 6F 63 75 6D 65 6E 74 2E 64 6F 63 68 69 64 65 llofolder/secretdocument.dochide
0007B0040 20 74 68 69 73 20 69 6E 66 6F 50 4B 01 02
14 00 14 00 00 00 00 00 10 B0 28 46
72 C8 06 B4 0E 00 this infoPK...........°(Frè.´..
0007B0060 00 00 0E 00 00
00 1E 00 00 00 00 00 00 00 01 00 20 00 00 00 00 00 00 00 68 65 6C 6C 6F 66 6F 6C ................ .......hellofol
0007B0080 64 65 72 2F 73 65 63 72 65 74 64 6F 63 75 6D 65 6E 74 2E
64 6F 63 50 4B 05 06 00
00 00 00 01 00 der/secretdocument.docPK........
0007B00A0 01 00 4C 00 00 00 4A 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 ..L...J.........................
|
Offset |
Length |
Value |
Purpose |
|
0x00 |
4 bytes |
50 4B 01 02 |
Signature |
|
0x04 |
2 bytes |
14 00 |
Version |
|
0x06 |
2 bytes |
14 00 |
Version needed |
|
0x08 |
2 bytes |
00 00 |
Flags |
|
0x0A |
2 bytes |
00 00 |
Compression |
|
0x0C |
2 bytes |
10 B0 |
Modified time |
|
0x0E |
2 bytes |
28 46 |
Modified date |
|
0x10 |
4 bytes |
72 C8 06 B4 |
CRC |
|
0x14 |
4 bytes |
0E 00 00 00 |
Compressed size |
|
0x18 |
4 bytes |
0E 00 00 00 |
Uncompressed size |
|
0x1C |
2 bytes |
1E 00 |
File name length |
|
0x1E |
2 bytes |
00 00 |
Extra field length |
|
0x20 |
2 bytes |
00 00 |
File comments length |
|
0x22 |
2 bytes |
00 00 |
Disk number start |
|
0x24 |
2 bytes |
01 00 |
Internal attribute |
|
0x26 |
4 bytes |
20 00 00 00 |
External attribute |
|
0x2A |
4 bytes |
00 00 00 00 |
Offset of local header |
|
0x2E |
Variable |
68 65 6C 6C 6F 66 6F 6C 64 65 72 2F 73 65 63 72 65 74 64 6F 63 75
6D 65 6E 74 2E 64 6F 63 |
File name |
The changes at metadata blocks 0x0754000 and 0x0758000 after
the folder has been zipped are only MACE times and the eighth byte of the
block, all the other bytes remain unchanged. The metadata block at 0x075C000 is
identical to the one at 0x0758000 with the exception of the first byte, which
is used for addressing the block.
The next metadata block identified in the table at the
beginning of the chapter is the one at offset 0x07B0000, which has already been
uncovered as the location of the zipped file. The rest of metadata blocks shown
in the table are all the same as before the folder was zipped.
