I need to get file size by reading MFT record of that particular file. Please tell me the offset where i can find the file size and file's location on disc.
Asked
Active
Viewed 1,205 times
2 Answers
1
There is no fixed offset and a file in the MFT can have multiple data streams (1 unnamed and multiple named). You need to parse the attributes after the file record header until you read a DATA attribute (attribute type 0x80).
The default data stream of the file, meaning the contents you see when you open the file come from the unnamed data stream. Other applications might use the named data streams contained in a file.
The size of the data attribute contents is the actual size of the file. Keep in mind that the data attribute can be resident or non-resident. Meaning that if the contents of the file is only a few bytes and it fits in the file record, it will be resident and the contents will be right after the attribute header. Otherwise, if the contents don't fit in the file record, an appropriate number of clusters that can contain the file, the data attrbiute will become non-resident and a set of data run entries will describe where on the disk the content of the file is.
Sebastian-Laurenţiu Plesciuc
- 2,413
- 1
- 24
- 41
0
The allocated size of the file (All of the clusters needed to hold the entire file) can be found at 0x offset x28 for a length of 8 bytes from the beginning of the data attribute (x80 x00 x00 x00) in the $MFT record for the file. The actual size of the file is located at 0x offset x30 for a length of 8 bytes from the beginning of the data attribute in the $MFT record for the file.
Sean4597
- 1
-
Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Feb 07 '23 at 15:20