
I'm writing a parser for the NTFS file system. I have a question regarding the INDX record. I have gone through the Stack Overflow question "Invalid INDX entries for $I30 on NTFS harddisk" and also the links provided in it. Please refer to the image below.

(image: INDXRecord)

While parsing the INDX record, when we encounter the byte sequence 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00, the document indicates that it should be treated as the last entry of the index entry list. However, as you can see, there are more entries after this, and Windows Explorer displays all the entries. I'm unable to continue parsing after the last entry, as the structure of the subsequent entry does not match the prescribed structure of the INDX entry record, as shown below. Kindly suggest whether I am missing anything here and how to resolve this.

(image: IndexEntry structure)

Asked by balajir712, edited by NirIzr

1 Answer


None of the bytes from offset 0x960 are relevant; they are leftover from a previous state of the B-tree and NTFS doesn't waste time zeroing it. The fact that all the files still show up in a directory listing simply means they reside in different index blocks, not this one.

Clearly the bytes starting at offset 0x960 can't be an index entry. 0x01d3f97e8238ad31 is not a valid file reference; the file name isn't at offset 0x52 in the entry; etc.

You're seeing fragments of entries that used to be there.

Answered by Craig Barkhouse, edited by Trevor Reid