I am trying to parse a Data Run in an MFT Record and I'm comparing my results to Active Disk Editor. The data run is as follows:
.... 42 0F 01 FD 83 90 D9 0C (second attribute starts here)
If I understand correctly: this is how it should be parsed:
- number of bytes to parse the cluster count: 2
- number of bytes to parse cluster location: 4
- Parse cluster count: 0F 01 (in little endian) => 271
- Parse first cluster location: 0xD99083FD => 3,650,126,845
- Expecting a 00 instead of 0C to mark the end of the cluster
However, in active disk editor:
- the cluster location is: 9,470,973 which is 0x9083FD (the D9 is ignored). It turns out that this location is the correct one.
If I try to change the number of bytes representing the cluster location (the 4 in 42), here is what happens:
- If I change it to 4 or 5, the cluster location remains the same (9470973)
- If I change it to 3, the cluster location becomes negative
- No value change on D9 0C seems to affect the outcome
Can anyone let me know what I'm doing wrong?