Using a hex-editor to mount an NTFS volume, I've found an offset within the volume containing data I'm interested in. How can I figure out the full path/name of the file containing this volume offset?
Perhaps there are still some people searching for the solution. There is a tool for this problem: SleuthKit Tools.
Given a byte offset from the beginning of the partition table, you have to divide it by the block size of your NTFS partition (usually 4096).
ifind /dev/... -d block_offset => inode_number
ffind /dev/... inode_number => Location of file
You need to read the MFT and parse the Data attributes for each file to find the one that includes the particular offset.
Note that you might need to look at every file's stream, not only the default, so you have to parse all the Data attributes.
Unfortunately, I couldn't find a quick link to the binary structure of the NTFS Data attribute. You're on your own for this one.
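The core of the MFT approach above, as an added example that is not part of either answer: decoding the runlist of a non-resident Data attribute and checking whether a volume byte offset falls inside one of its runs. It assumes the runlist bytes have already been cut out of the MFT record, that the offset is counted from the start of the NTFS volume, and that clusters are 4096 bytes; the function names and the sample runlist are constructed for illustration.

```python
CLUSTER_SIZE = 4096  # assumption: the usual NTFS cluster size

def decode_runlist(raw):
    """Return [(start_lcn, length_in_clusters), ...]; start_lcn is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:   # a 0x00 header byte ends the list
        len_size = raw[pos] & 0x0F               # low nibble: size of the length field
        off_size = raw[pos] >> 4                 # high nibble: size of the offset field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("truncated or malformed runlist")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                        # sparse run: nothing allocated on disk
            runs.append((None, length))
        else:
            # The offset is signed and relative to the previous run's starting LCN.
            lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            if lcn < 0:
                raise ValueError("run points before the start of the volume")
            runs.append((lcn, length))
        pos += off_size
    return runs

def locate(raw_runlist, volume_offset, cluster_size=CLUSTER_SIZE):
    """Return the byte position inside the stream that maps to volume_offset, or None."""
    target_lcn, within = divmod(volume_offset, cluster_size)
    vcn = 0                                      # virtual cluster number within the stream
    for start, length in decode_runlist(raw_runlist):
        if start is not None and start <= target_lcn < start + length:
            return (vcn + target_lcn - start) * cluster_size + within
        vcn += length
    return None

# Constructed runlist: 0x30 clusters at LCN 0x5634, 0x10 sparse clusters,
# then 0x20 clusters at LCN 0x5634 - 0x100 (negative relative offset).
SAMPLE = bytes.fromhex("21303456 0110 212000FF 00")

if __name__ == "__main__":
    print(decode_runlist(SAMPLE))
    print(locate(SAMPLE, 0x5540 * CLUSTER_SIZE + 123))
```

Running `locate` over the runlist of every Data attribute in every MFT record, named streams included, identifies the stream that owns the offset; resident attributes have no runlist because their content lives inside the MFT record itself.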