Re: Attirbute List contains Zero

Hi,

Apologies for late reply but we have been moving house so I have been
mostly offline the last two weeks...

On Tue, 2006-06-27 at 18:56 +0900, prakash viswalingam wrote:
> Hi ..
>             I did try to read all Attributes, but i am not able to
> interpret the DATA_ATTRIBUTE from that record.
>           so I here by attached the the file  record ,can anybody
> interpret and tell me  how to interpret that particular record to read
> the data and where i am making mistake . 

Very simple, from your mft record, the second attribute is the attribute
list attribute which lists all the attributes belonging to the inode,
this contains (skipping the standard information and filename
attributes) the following records describind the data attribute:

000000F0   80 00 00 00  20 00 00 1A  00 00 00 00  00 00 00 00
00000100   4D 08 00 00  00 00 0B 00  00 00 9B E2  00 00 00 00

The above says, following the ATTR_LIST_ENTRY in the file
ntfsprogs/include/ntfs/layout.h:

typedef struct {
/*Ofs*/
/*  0*/ ATTR_TYPES type;        /* Type of referenced attribute. */

0x80, i.e. $DATA

/*  4*/ u16 length;             /* Byte size of this entry. */

0x20 bytes

/*  6*/ u8 name_length;         /* Size in Unicode chars of the name of the
                                   attribute or 0 if unnamed. */

0, i.e. no name.

/*  7*/ u8 name_offset;         /* Byte offset to beginning of attribute name
                                   (always set this to where the name would
                                   start even if unnamed). */

0x1a, irrelevant as unnamed.

/*  8*/ VCN lowest_vcn;         /* Lowest virtual cluster number of this 
portion                                   of the attribute value. This is 
usually 0. It                                   is non-zero for the case where 
one attribute
                                   does not fit into one mft record and thus
                                   several mft records are allocated to hold
                                   this attribute. In the latter case, each mft
                                   record holds one extent of the attribute and
                                   there is one attribute list entry for each
                                   extent. NOTE: This is DEFINITELY a signed
                                   value! The windows driver uses cmp, followed
                                   by jg when comparing this, thus it treats it
                                   as signed. */

0x0, i.e. this is the first $DATA fragment

/* 16*/ MFT_REF mft_reference;  /* The reference of the mft record holding
                                   the ATTR_RECORD for this portion of the
                                   attribute value. */

mft no = 0x84d
seq no = 0xb

Thus you need to load mft record 0x84d and find the $DATA attribute with
lowest vcn 0 in it and that will give you the runlist mapping data for
that fragment.

/* 24*/ u16 instance;           /* If lowest_vcn = 0, the instance of the
                                   attribute being referenced; otherwise 0. */

0

/* 26*/ ntfschar name[0];       /* Use when creating only. When reading use
                                   name_offset to determine the location of the
                                   name. */

not present as unnamed.

/* sizeof() = 26 + (attribute_name_length * 2) bytes */
} __attribute__((__packed__)) ATTR_LIST_ENTRY;


00000110   80 00 00 00  20 00 00 1A  40 05 00 00  00 00 00 00
00000120   52 08 00 00  00 00 0A 00  00 00 00 00  00 00 00 00

As above this is $DATA, lowest vcn now is 0x540 and it is in mft record
0x852 with sequence number 0xa.

00000130   80 00 00 00  20 00 00 1A  80 09 00 00  00 00 00 00
00000140   57 08 00 00  00 00 09 00  00 00 00 00  00 00 00 00

00000150   80 00 00 00  20 00 00 1A  30 10 00 00  00 00 00 00
00000160   51 08 00 00  00 00 0A 00  00 00 00 00  00 00 00 00

You should now be able to do the above two...

Best regards,

        Anton


> 
> 
> sectorpercluster =1;
> 
> 
> 
> thanks in advance 
> prakashv
> 
> 
> 
> 
> 
> 
> 
> On 6/23/06, Anton Altaparmakov <aia21@xxxxxxxxx> wrote:
> > Hi,
> > 
> > On Fri, 2006-06-23 at 13:58 +0900, prakash viswalingam wrote:
> > > Hi All,
> > >          This is my first post to this community, hoping to get a
> good solution.
> > >
> > > I am trying to read the ntfs files from DOS , I am reading the
> files 
> > > which has data attribute but some file doesn't have data attribute
> > > ,instead it has Attribute List Attribute .In my case  I am trying
> to
> > > decode the List Attribute ,here it  is a resident attribute and i
> am 
> > > getting the type of reference attribute is 0x10 (ie., Standard
> > > attribute )
> > > and size is 32 bytes ,
> > > but my LCN  and  attribute ID (instance ) is also zero .
> > >
> > > so somebody pls suggest me how to read the data attribute of this
> > > particular file ?or
> > >  How to decode  this Attribute List to get the Data Attribute or
> Data
> > > information .
> > >
> > > I also given the information of Attribute List which has generated
> > > from my system.
> > >
> > > Type=0x10
> > > Size =32
> > > Name Lenght=0x00
> > > OffsetName =0x1A; 
> > > starting VCN =0x00;
> > > Base File Reference =0x000600000000030C
> > > Attribute ID              =0x00
> > 
> > This is only the first attribute list attribute record.  Keep
> reading
> > records until you find the one for the data attribute...  See
> > ntfsprogs/include/ntfs/layout.h (search for ATTR_LIST_ENTRY) for
> > details...
> > 
> > Best regards,
> > 
> >         Anton
> > --
> > Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
> > Unix Support, Computing Service, University of Cambridge, CB2 3QH,
> UK
> > Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
> > WWW: http://linux-ntfs.sf.net/ & http://www-stu.christs.cam.ac.uk/~aia21/
> > 
> > 
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Linux-NTFS-Dev mailing list
> Linux-NTFS-Dev@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/linux-ntfs-dev
Best regards,

        Anton
-- 
Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
WWW: http://linux-ntfs.sf.net/ & http://www-stu.christs.cam.ac.uk/~aia21/



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642