GitBook: [master] 2 pages and 9 assets modified
CPol
gitbook-bot
|
Before Width: | Height: | Size: 322 KiB After Width: | Height: | Size: 2.8 KiB |
|
Before Width: | Height: | Size: 447 KiB After Width: | Height: | Size: 322 KiB |
|
Before Width: | Height: | Size: 2.9 KiB After Width: | Height: | Size: 2.8 KiB |
|
Before Width: | Height: | Size: 24 KiB After Width: | Height: | Size: 447 KiB |
|
Before Width: | Height: | Size: 148 KiB After Width: | Height: | Size: 2.9 KiB |
|
Before Width: | Height: | Size: 58 KiB After Width: | Height: | Size: 24 KiB |
BIN
.gitbook/assets/image (513).png
Normal file
|
After Width: | Height: | Size: 148 KiB |
BIN
.gitbook/assets/image (514).png
Normal file
|
After Width: | Height: | Size: 58 KiB |
BIN
.gitbook/assets/image (515).png
Normal file
|
After Width: | Height: | Size: 1.1 KiB |
|
|
@ -631,7 +631,9 @@ Using the [**Active Disk Editor**](https://www.disk-editor.org/index.html) it's
|
|||
|
||||
|
||||
|
||||
Checking the "In use" flag it's very easy to know if a file was deleted \(a value of 0x0 means deleted\).
|
||||
Checking the **"In use**" flag it's very easy to know if a file was deleted \(a value of **0x0 means deleted**\).
|
||||
|
||||
|
||||
|
||||
It's also possible to recover deleted files using FTKImager:
|
||||
|
||||
|
|
@ -667,7 +669,7 @@ Each attribute indicates some entry information identified by the type:
|
|||
|
||||
For example the **type 48 \(0x30\)** identifies the **file name**:
|
||||
|
||||
|
||||
|
||||
|
||||
It is also useful to understand that **these attributes can be resident** \(meaning, they exist within a given MFT record\) or **nonresident** \(meaning, they exist outside a given MFT record, elsewhere on the disk, and are simply referenced within the record\). For example, if the attribute **$Data is resident**, these means that the **whole file is saved in the MFT**, if it's nonresident, then the content of the file is in other part of the file system.
|
||||
|
||||
|
|
@ -689,10 +691,12 @@ Some interesting attributes:
|
|||
* Real size
|
||||
* [File reference](https://flatcap.org/linux-ntfs/ntfs/concepts/file_reference.html) to the parent directory.
|
||||
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) \(among others\):
|
||||
* Contains the file's data or the indication of the sectors where the data resides.
|
||||
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -102,7 +102,7 @@ IP formats
|
|||
|
||||
You can also mix the different IP formats:
|
||||
|
||||
|
||||
|
||||
|
||||
You can play with the different IP formats in [https://www.silisoftware.com/tools/ipconverter.php](https://www.silisoftware.com/tools/ipconverter.php)
|
||||
|
||||
|
|
|
|||