After renaming the file on the drive, four of the offsets identified in the
table at the start of this section hold data identical to the drive with the
original file. Two of these are the final two offsets: the one that holds the
file content and the one used for copied data or the reference to the deleted
file. The other two offsets where the data is identical are 0x0750000 (which
is the same on all drives) and 0x075C000.
After renaming the file from "helloworld.txt" to "freepizzaforall.txt",
the length of the filename (before counting the file extension) has grown from
10 to 15 (0A and 0F in hex respectively), or from 14 (0E) to 19 (13) if the
extension is included. The first difference in the metadata blocks between the
file systems with the renamed and original file is at offset 0x0754008, where
the byte is set to 18 rather than the 0E of the original file. The next changes
are at 0x075411C, where two bytes change from A0 09 to 10 0A. Shortly after
that, at offset 0x0754120, the byte has changed from 20 to 00. None of these
changes represents the size of the file or the length of the filename.
Looking further down in this metadata block, the new
filename has replaced one of the entries of "helloworld" (shown below). The
top block is the original file and the one underneath shows the new filename.
This is different behaviour from the .doc file: the .doc file never originally
had three filename entries, only two, and the new filename was then inserted
below it, whereas in the case of the .txt file an entry saying "helloworld" has
actually been overwritten (shown highlighted in green). The MACE times that
have changed have been highlighted in green and other miscellaneous changes in
orange.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000754560 78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02 00 24 00 52 00 45 00 43 00 59 00 43 00 x.........0.H...0...$.R.E.C.Y.C.
000754580 4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 L.E...B.I.N.....................
0007545A0 85 13 AD F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01 F4 67 AF F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01 ...ù{+Ð....ù{+Ð.Ôg¯ù{+Ð....ù{+Ð.
0007545C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 50 00 00 00 10 00 18 00 ........................P.......
0007545E0 04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ..(.(... .......................
000754600 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 ............h.e.l.l.o.w.o.r.l.d.
000754620 2E 00 74 00 78 00 74 00 50 00 00 00 10 00 18 00 00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 ..t.x.t.P.........(.(... .......
000754640 00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 ............................h.e.
000754660 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 74 00 78 00 74 00 40 04 00 00 10 00 20 00 l.l.o.w.o.r.l.d...t.x.t.@..... .
000754680 08 00 30 00 10 04 00 00 30 00 01 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 ..0.....0...h.e.l.l.o.w.o.r.l.d.
0007546A0 2E 00 74 00 78 00 74 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 ..t.x.t.¨...(...................
0007546C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 ................à?ä.|+Ð.à?ä.|+Ð.
0007546E0 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 à?ä.|+Ð.à?ä.|+Ð. ...............
000754700 02 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 ........+Oúû....................
Drive with new filename
000754560 78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02 00 24 00 52 00 45 00 43 00 59 00 43 00 x.........0.H...0...$.R.E.C.Y.C.
000754580 4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 L.E...B.I.N.....................
0007545A0 85 13 AD F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01 ...ù{+Ð.5.±ù{+Ð.5.±ù{+Ð.5.±ù{+Ð.
0007545C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 50 00 00 00 10 00 18 00 ........................P.......
0007545E0 04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ..(.(... .......................
000754600 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 ............h.e.l.l.o.w.o.r.l.d.
000754620 2E 00 74 00 78 00 74 00 50 00 00 00 10 00 18 00 04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 ..t.x.t.P.........(.(... .......
000754640 00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 ............................h.e.
000754660 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 74 00 78 00 74 00 50 04 00 00 10 00 2A 00 l.l.o.w.o.r.l.d...t.x.t.P.....*.
000754680 00 00 40 00 10 04 00 00 30 00 01 00 66 00 72 00 65 00 65 00 70 00 69 00 7A 00 7A 00 61 00 66 00 ..@.....0...f.r.e.e.p.i.z.z.a.f.
0007546A0 6F 00 72 00 61 00 6C 00 6C 00 2E 00 74 00 78 00 74 00 00 00 00 00 00 00 A8 00 00 00 28 00 01 00 o.r.a.l.l...t.x.t.......¨...(...
0007546C0 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
0007546E0 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 à?ä.|+Ð.à?ä.|+Ð.à?ä.|+Ð.à?ä.|+Ð.
000754700 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00  .......................+Oúû....
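The row comparison above can be scripted. This is an added example, not part of the original analysis: it compares row 0x7545A0 of the two dumps in 8-byte slots and decodes each changed slot, assuming the values are Windows FILETIME timestamps (100 ns ticks since 1601-01-01 UTC), an encoding the page does not state. All function and constant names are illustrative.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ROW_OFFSET = 0x7545A0  # row that differs between the two dumps

# Bytes of row 0x7545A0, copied from the two dumps on this page.
ORIGINAL_ROW = bytes.fromhex(
    "8513ADF97B2BD001 8513ADF97B2BD001 F467AFF97B2BD001 8513ADF97B2BD001")
RENAMED_ROW = bytes.fromhex(
    "8513ADF97B2BD001 358EB1F97B2BD001 358EB1F97B2BD001 358EB1F97B2BD001")


def filetime_to_utc(raw):
    """Decode 8 little-endian bytes as a FILETIME (assumed encoding).

    Returns None when the value is not a plausible timestamp, so ordinary
    data that happens to sit in an 8-byte slot is not reported as a time.
    """
    (ticks,) = struct.unpack("<Q", raw)
    try:
        when = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None
    return when if 1980 <= when.year <= 2100 else None


def changed_timestamps(old, new, base, width=8):
    """Compare two dumps slot by slot and list the slots whose value changed.

    Each result is (absolute offset, old time, new time); a time is None
    when the slot does not decode to a plausible FILETIME.
    """
    if len(old) != len(new):
        raise ValueError("blocks must cover the same byte range")
    changes = []
    for i in range(0, len(old) - width + 1, width):
        a, b = old[i:i + width], new[i:i + width]
        if a != b:
            changes.append((base + i, filetime_to_utc(a), filetime_to_utc(b)))
    return changes


if __name__ == "__main__":
    for offset, before, after in changed_timestamps(
            ORIGINAL_ROW, RENAMED_ROW, ROW_OFFSET):
        print(f"0x{offset:07X}  {before} -> {after}")
```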
The next offset with metadata is 0x0758000.
Everything in this metadata block is the same as in the previous one, except
for the Modified, Accessed and Entry Modified times. Above the Recycle Bin
entry, the Modified, Accessed and Entry Modified times were all different, but
further down, by the actual file entry, the only difference was the Accessed
time.