I need to get file size by reading MFT record of that particular file. Please tell me the offset where i can find the file size and file's location on disc.
我需要通过读取该特定文件的MFT记录来获取文件大小。请告诉我我可以在光盘上找到文件大小和文件位置的偏移量。
1 个解决方案
#1
There is no fixed offset and a file in the MFT can have multiple data streams (1 unnamed and multiple named). You need to parse the attributes after the file record header until you read a DATA attribute (attribute type 0x80).
没有固定的偏移量,MFT中的文件可以有多个数据流(1个未命名,多个命名)。您需要在文件记录标头之后解析属性,直到您读取DATA属性(属性类型0x80)。
The default data stream of the file, meaning the contents you see when you open the file come from the unnamed data stream. Other applications might use the named data streams contained in a file.
文件的默认数据流,表示打开文件时看到的内容来自未命名的数据流。其他应用程序可能使用文件中包含的命名数据流。
The size of the data attribute contents is the actual size of the file. Keep in mind that the data attribute can be resident or non-resident. Meaning that if the contents of the file is only a few bytes and it fits in the file record, it will be resident and the contents will be right after the attribute header. Otherwise, if the contents don't fit in the file record, an appropriate number of clusters that can contain the file, the data attrbiute will become non-resident and a set of data run entries will describe where on the disk the content of the file is.
数据属性内容的大小是文件的实际大小。请记住,data属性可以是常驻或非驻留。这意味着如果文件的内容只有几个字节并且它适合文件记录,那么它将是驻留的,内容将在属性头之后。否则,如果内容不适合文件记录,可以包含该文件的适当数量的集群,数据attrbiute将变为非驻留,并且一组数据运行条目将描述磁盘上的内容文件是。
#1
There is no fixed offset and a file in the MFT can have multiple data streams (1 unnamed and multiple named). You need to parse the attributes after the file record header until you read a DATA attribute (attribute type 0x80).
没有固定的偏移量,MFT中的文件可以有多个数据流(1个未命名,多个命名)。您需要在文件记录标头之后解析属性,直到您读取DATA属性(属性类型0x80)。
The default data stream of the file, meaning the contents you see when you open the file come from the unnamed data stream. Other applications might use the named data streams contained in a file.
文件的默认数据流,表示打开文件时看到的内容来自未命名的数据流。其他应用程序可能使用文件中包含的命名数据流。
The size of the data attribute contents is the actual size of the file. Keep in mind that the data attribute can be resident or non-resident. Meaning that if the contents of the file is only a few bytes and it fits in the file record, it will be resident and the contents will be right after the attribute header. Otherwise, if the contents don't fit in the file record, an appropriate number of clusters that can contain the file, the data attrbiute will become non-resident and a set of data run entries will describe where on the disk the content of the file is.
数据属性内容的大小是文件的实际大小。请记住,data属性可以是常驻或非驻留。这意味着如果文件的内容只有几个字节并且它适合文件记录,那么它将是驻留的,内容将在属性头之后。否则,如果内容不适合文件记录,可以包含该文件的适当数量的集群,数据attrbiute将变为非驻留,并且一组数据运行条目将描述磁盘上的内容文件是。