《NTFS 文件系统.ppt》由会员分享,可在线阅读,更多相关《NTFS 文件系统.ppt(42页珍藏版)》请在taowenge.com淘文阁网|工程机械CAD图纸|机械工程制图|CAD装配图下载|SolidWorks_CaTia_CAD_UG_PROE_设计图分享下载上搜索。
1、Computer ForensicsNTFS File SystemMBR and GPT Disksn MBR disks for 32b 86x-compatiblesn GPT disks for 64b Itanium processorsn Start with a MBR in order to maintain compatibilityn MBR has a single partition with a partition table entry of 0 xEENTFS ArchitectureNTFS ArchitectureNTFS Boot SectorNotice
2、that the end of sector marker is 55 AA.You can look for this to find boot sectors for NTFS and DOS.NTFS Boot Sectorn 0 x00 3B Jump Instruction n 0 x03 8B OEM ID n 0 x0B 25B BPB n 0 x24 48B Extended BPB n 0 x54 426B Bootstrap Code.n 0 x1FE 2B End of Sector Marker NTSF Boot SectorNTSF Boot Sectorn Man
3、y fields are not important,but:n 0 x0B,Bytes per sector.n 0 x0D Sectors per Clustern 0 x15 Media descriptor.F8:HD;F0:HD Floppyn 0 x28 Total sectors.n 0 x30 Logical cluster number for the MFTn 0 x38 Logical cluster number copy of the MFTn 0 x40 Clusters per MFT Record.n 0 x48 V olume serialNTFS Boot Sectorn WinHex allows access to an interpreted NTFS Boot Sector.n Use the Access Tab.