Using a hex-editor to mount an NTFS volume, I've found an offset within the volume containing data I'm interested in. How can I figure out the full path/name of the file containing this volume offset?

A: 

You need to read the MFT and parse the Data attributes for each file to find the one that includes the particular offset.

Note that you might need to look at every file's stream, not only the default, so you have to parse all the Data attributes.

Unfortunately, I couldn't find a quick link to the binary structure of the NTFS Data attribute. You're on your own for this one.

Franci Penov
Drat. I was hoping there might be a tool rather than having to write the code myself. Oh, well.
Charles
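
The core step of the approach in the answer, as an added example that is not code from the answer or its author: decoding the runlist of a non-resident Data attribute and testing whether a volume offset falls inside one of its runs. The function names, the sample runlist and the cluster size are constructed for illustration, and the code assumes the offset is measured from the start of the NTFS volume and that the runlist begins at VCN 0.

```python
# Added example: decode an NTFS runlist and map a volume byte offset to a file offset.
# The runlist bytes and cluster size below are constructed sample values.

def decode_runlist(raw: bytes):
    """Yield (start_vcn, lcn_or_None, cluster_count) for each data run."""
    pos, vcn, lcn = 0, 0, 0
    while pos < len(raw) and raw[pos] != 0x00:      # 0x00 header ends the list
        len_size = raw[pos] & 0x0F                   # low nibble: bytes in length field
        off_size = raw[pos] >> 4                     # high nibble: bytes in offset field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("truncated or malformed runlist")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            yield vcn, None, count                   # sparse run: no clusters on disk
        else:
            # Offset is signed and relative to the previous run's starting LCN.
            lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            pos += off_size
            yield vcn, lcn, count
        vcn += count


def file_offset_for(raw_runlist: bytes, volume_offset: int, cluster_size: int):
    """Return the byte offset inside the stream that maps to volume_offset, or None."""
    target_lcn, within = divmod(volume_offset, cluster_size)
    for vcn, lcn, count in decode_runlist(raw_runlist):
        if lcn is not None and lcn <= target_lcn < lcn + count:
            return (vcn + (target_lcn - lcn)) * cluster_size + within
    return None


# Constructed runlist: 16 clusters at LCN 256, 8 sparse clusters,
# then 4 clusters at LCN 128 (delta of -128 from the previous run).
SAMPLE_RUNLIST = bytes.fromhex("21100001" "0108" "110480" "00")
CLUSTER_SIZE = 4096

if __name__ == "__main__":
    for offset in (256 * 4096, 130 * 4096 + 100, 0):
        print(offset, "->", file_offset_for(SAMPLE_RUNLIST, offset, CLUSTER_SIZE))
```

Running this check over the runlist of every Data attribute in every MFT record identifies the owning file. Resident data has no runlist because it is stored inside the MFT record itself, so an offset in such data falls within the runs of $MFT.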