
Rename .txt File

After renaming the file on the drive, four of the offsets identified in the table at the start of this section are identical to those on the drive with the original file. Two of these are the final two offsets: the one that holds content and the one used for copied data or the reference to the deleted file. The other two offsets where the data is identical are 0x0750000 (the same on all drives) and 0x075C000.

After renaming the file from "helloworld.txt" to "freepizzaforall.txt", the length of the filename (not counting the file extension) has grown from 10 to 15 (0A and 0F in hex respectively), or from 14 (0E) to 19 (13) if the extension is included. The first difference in the metadata blocks between the file systems with the renamed and original file is at offset 0x0754008, where the byte is set to 18 rather than the 0E seen with the original file. The next changes are at 0x075411C, where two bytes change from A0 09 to 10 0A. Shortly after that, at offset 0x0754120, the byte has changed from 20 to 00. None of these changes represent the size of the file or the length of the file name.

Looking further down in this metadata block, the new filename has replaced one of the "helloworld" entries (shown below). The top block is from the drive with the original file and the one underneath shows the new filename. This is different behaviour from the .doc file, as the .doc file never originally had three filename entries; it only had two. In that case the new filename was inserted below it, whereas in the case of the .txt file an entry saying "helloworld" has actually been overwritten (shown highlighted in green). The MACE times that have changed have been highlighted in green and other miscellaneous changes in orange.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000754560  78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02 00 24 00 52 00 45 00 43 00 59 00 43 00  x.........0.H...0...$.R.E.C.Y.C.

000754580  4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00  L.E...B.I.N.....................

0007545A0  85 13 AD F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01 F4 67 AF F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01  …..ù{+Ð.…..ù{+Ð.Ôg¯ù{+Ð.…..ù{+Ð.

0007545C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 50 00 00 00 10 00 18 00  ........................P.......

0007545E0  04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ..(.(... ..€....................

000754600  00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ............h.e.l.l.o.w.o.r.l.d.

000754620  2E 00 74 00 78 00 74 00 50 00 00 00 10 00 18 00 00 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00  ..t.x.t.P.........(.(... ..€....

000754640  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00  ............................h.e.

000754660  6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 74 00 78 00 74 00 40 04 00 00 10 00 20 00  l.l.o.w.o.r.l.d...t.x.t.@..... .

000754680  08 00 30 00 10 04 00 00 30 00 01 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ..0.....0...h.e.l.l.o.w.o.r.l.d.

0007546A0  2E 00 74 00 78 00 74 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00  ..t.x.t...(...................

0007546C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01  ................à?ä.|+Ð.à?ä.|+Ð.

0007546E0  E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00  à?ä.|+Ð.à?ä.|+Ð. ...............

000754700  02 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00 0A 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ........+Oúû....................

 

Drive with new filename

000754560  78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02 00 24 00 52 00 45 00 43 00 59 00 43 00  x.........0.H...0...$.R.E.C.Y.C.

000754580  4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00  L.E...B.I.N.....................

0007545A0  85 13 AD F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01  …..ù{+Ð.5Ž±ù{+Ð.5Ž±ù{+Ð.5Ž±ù{+Ð.

0007545C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 50 00 00 00 10 00 18 00  ........................P.......

0007545E0  04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00 00 06 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ..(.(... ..€....................

000754600  00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00 6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00  ............h.e.l.l.o.w.o.r.l.d.

000754620  2E 00 74 00 78 00 74 00 50 00 00 00 10 00 18 00 04 00 28 00 28 00 00 00 20 00 00 80 00 00 00 00  ..t.x.t.P.........(.(... ..€....

000754640  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 1C 00 68 00 65 00  ............................h.e.

000754660  6C 00 6C 00 6F 00 77 00 6F 00 72 00 6C 00 64 00 2E 00 74 00 78 00 74 00 50 04 00 00 10 00 2A 00  l.l.o.w.o.r.l.d...t.x.t.P.....*.

000754680  00 00 40 00 10 04 00 00 30 00 01 00 66 00 72 00 65 00 65 00 70 00 69 00 7A 00 7A 00 61 00 66 00  ..@.....0...f.r.e.e.p.i.z.z.a.f.

0007546A0  6F 00 72 00 61 00 6C 00 6C 00 2E 00 74 00 78 00 74 00 00 00 00 00 00 00 A8 00 00 00 28 00 01 00  o.r.a.l.l...t.x.t.......¨...(...

0007546C0  00 00 00 00 10 01 00 00 10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

0007546E0  E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01 E0 3F C4 2E 7C 2B D0 01  à?ä.|+Ð.à?ä.|+Ð.à?ä.|+Ð.à?ä.|+Ð.

000754700  20 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 2B 4F FA FB 01 00 00 00   .......................+Oúû....

 

The next offset with metadata is 0x0758000. Everything in this metadata block is the same as in the previous one, except for the Modified, Accessed and Entry Modified times. Above the Recycle Bin entry, the Modified, Accessed and Entry Modified times were all different, but further down, by the actual file entry, the only difference was the Accessed time.
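The timestamp changes in row 0x7545A0 of the two dumps above can be checked by decoding the four 8-byte values and comparing them slot by slot. This is an added example, not part of the original analysis; it assumes the values are little-endian Windows FILETIMEs (100 ns ticks since 1601-01-01 UTC) and numbers the slots 0 to 3 rather than assigning them MACE names.

```python
import struct
from datetime import datetime, timedelta, timezone

# Row 0x7545A0 copied from each dump on this page (hex column only).
ORIGINAL = ("0007545A0  85 13 AD F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01 "
            "F4 67 AF F9 7B 2B D0 01 85 13 AD F9 7B 2B D0 01")
RENAMED = ("0007545A0  85 13 AD F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01 "
           "35 8E B1 F9 7B 2B D0 01 35 8E B1 F9 7B 2B D0 01")

# Assumption: the 8-byte values are Windows FILETIMEs.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_row(line):
    """Return (offset, data) for one 'offset  hh hh ...' row of 32 bytes."""
    fields = line.split()
    offset = int(fields[0], 16)
    data = bytes(int(tok, 16) for tok in fields[1:33])
    if len(data) != 32:
        raise ValueError("expected 32 bytes per dump row")
    return offset, data


def raw_slots(line):
    """Split a 32-byte row into four raw 8-byte timestamp slots."""
    _, data = parse_row(line)
    return [data[i:i + 8] for i in range(0, 32, 8)]


def filetime_to_utc(raw8):
    """Decode a little-endian FILETIME to a UTC datetime (microsecond precision)."""
    ticks = struct.unpack("<Q", raw8)[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_slots(line):
    return [filetime_to_utc(raw) for raw in raw_slots(line)]


def changed_slots(before, after):
    """Indices of slots whose raw bytes differ between the two rows."""
    pairs = zip(raw_slots(before), raw_slots(after))
    return [i for i, (a, b) in enumerate(pairs) if a != b]


if __name__ == "__main__":
    for label, row in (("original", ORIGINAL), ("renamed", RENAMED)):
        for i, ts in enumerate(decode_slots(row)):
            print(f"{label} slot {i}: {ts.isoformat()}")
    print("changed slots:", changed_slots(ORIGINAL, RENAMED))
```

Comparing the raw bytes rather than the decoded datetimes avoids hiding sub-microsecond differences lost in the conversion.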