by coderTrevor | July 6, 2016
This week was rewarding, because I got some things done that I've been wanting to do for a while.
I wrote some code which can assign clusters by updating the $BITMAP file. As I mentioned last week, this is half of the equation for extending the allocation size of a non-resident file. I'm still working on the other half, which involves storing the assigned clusters in data runs.
I realized that modifying the data runs would involve making the same changes I needed for resident attributes, so I focused on making these changes during the second half of the week. I was finally able to implement overwriting resident files, the feature that I've left as TODO since I started.
The most interesting bug I encountered during development involved failing to align the attribute end marker to an 8-byte boundary. When I wasn't doing this, Windows would say the file was corrupt and would refuse to read it. This problem took less than a day to find and fix. Finding it just involved visual inspection of the file record in WinHex.
When I did this, I found the kind of thing that really interests me: something undocumented! At least, I can't find any accurate explanation of this number in any of the documentation I have. After the 0xFFFFFFFF which indicates the end of the attribute list, is this 32-bit number:
Forensic Computing A Practitioner's Guide by Tony Sammes and Brian Jenkinson at least acknowledges the presence of this number, but this book has the only mention I can find. Curiously, the authors refer to it as a CRC when it obviously isn't, since it comes up unaltered in all but the system-reserved MFT entries.
Is this number important? What does it mean? Does Windows pay attention to it at all? I consider these interesting questions but for now, I'm taking a "when in Rome" approach which means putting the number there when I change the file record's size, as Windows does. In the future I may perform some more experimentation and searching into what this number does and when it isn't there, but it's almost always present at the end of a file record: