5

I'm using a hex editor (wxHexEditor) to explore the contents of a hard drive. I'm looking for where the label of a partition is stored.

The drive I'm exploring is a GPT drive formatted in NTFS. With GParted I changed the name and the label of the partition. The name is easy to find: it's specific to GPT and is stored in the partition table. However, I can't find where the label is stored.

My NTFS boot sector is at sector 2048. I'm looking at the Wikipedia page on NTFS, which says:

In NTFS, all file, directory and metafile data — file name, creation date, access permissions (by the use of access control lists), and size — are stored as metadata in the Master File Table (MFT).

And the Metafiles paragraph contains a list of metafiles:

$Volume : Contains information about the volume, namely the volume object identifier, volume label […]

So logically the label of the partition is stored in this Master File Table.
Right above, in the Partition Boot Sector paragraph, it is indicated that at byte offset 0x30, 8 bytes indicate the cluster that contains the Master File Table. For me it's 0x0000000000000004. However, at cluster 4 I have nothing; the block is completely empty.

Where does the NTFS filesystem store the label of a partition, then?

Nicryc
  • 765

1 Answer

6

The information is correct.

After formatting, on an NTFS larger than a few GB, you'll usually find the MFT at cluster 0xC0000. With the normal cluster size of 8 sectors, this amounts to 0xC0000 × 8 = 0x600000 = Sector 6291456. The value 0x0000...004, given in Wikipedia as "typical", is not common at all.

You can post a dump of the partition boot sector, so we can check it.

Also, in the hex editor, simply search for the string "FILE0"; this string is found in every MFT entry. Usually, you will find the mirror copy of the first 24 MFT entries near the beginning, and then you simply have to find the MFT entry that somewhere has the name $Volume (written in UCS2, that means "$.V.o.l.u.m.e." in the hex view). There you should be able to find the partition label.

Ro-ee
  • 2,250
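
Added example (not code from the question or the answer): the lookup this thread describes, done in Python. It follows the 8-byte MFT cluster field at boot-sector offset 0x30 to MFT record 3 ($Volume) and reads the $VOLUME_NAME attribute (type 0x60) as UTF-16LE. The names `ntfs_label` and `make_sample` and the sample image are constructed for illustration; the field offsets and the 512-byte fixup stride are standard NTFS layout assumed here, not values taken from the page.

```python
import struct

def ntfs_label(img, part_off=0):
    """Label of the NTFS volume at byte part_off of img (cluster numbers are volume-relative)."""
    bs = img[part_off:part_off + 512]
    if bs[3:11] != b"NTFS    ":
        raise ValueError("no NTFS boot sector at part_off")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)   # bytes/sector, sectors/cluster
    mft_lcn, = struct.unpack_from("<Q", bs, 0x30)    # the 8 bytes at offset 0x30
    cpr, = struct.unpack_from("<b", bs, 0x40)        # negative n: record = 2**-n bytes
    rec_size = 1 << -cpr if cpr < 0 else cpr * spc * bps
    off = part_off + mft_lcn * spc * bps + 3 * rec_size   # MFT record 3 is $Volume
    rec = bytearray(img[off:off + rec_size])
    if rec[:4] != b"FILE":
        raise ValueError("no FILE record where $Volume should be")
    # Fixups: the last 2 bytes of each 512-byte block were swapped for a sequence number.
    usa, count = struct.unpack_from("<HH", rec, 4)
    for i in range(1, count):
        if rec[512 * i - 2:512 * i] != rec[usa:usa + 2]:
            raise ValueError("fixup mismatch, record torn or corrupt")
        rec[512 * i - 2:512 * i] = rec[usa + 2 * i:usa + 2 * i + 2]
    pos, = struct.unpack_from("<H", rec, 0x14)       # offset of first attribute
    while pos + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:         # end marker or malformed
            break
        if atype == 0x60:                            # $VOLUME_NAME, resident
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            return bytes(rec[pos + coff:pos + coff + clen]).decode("utf-16-le")
        pos += alen
    return None

def make_sample(label, part_off):
    """Constructed image, not a real volume: 512-byte clusters, MFT at cluster 4."""
    img = bytearray(part_off + 8192)
    img[part_off + 3:part_off + 11] = b"NTFS    "
    struct.pack_into("<HB", img, part_off + 0x0B, 512, 1)
    struct.pack_into("<Q8xb", img, part_off + 0x30, 4, -10)  # MFT LCN 4, 1024-byte records
    name, rec = label.encode("utf-16-le"), bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)            # update sequence array
    struct.pack_into("<H", rec, 0x14, 0x1E0)            # so the label straddles byte 510
    struct.pack_into("<II8xIH", rec, 0x1E0, 0x60, 0x40, len(name), 0x18)
    rec[0x1F8:0x1F8 + len(name)] = name
    struct.pack_into("<I", rec, 0x220, 0xFFFFFFFF)
    rec[0x32:0x34], rec[510:512] = rec[510:512], b"\x01\x00"
    rec[0x30:0x32] = rec[1022:1024] = b"\x01\x00"
    img[part_off + 5120:part_off + 6144] = rec          # cluster 4 + 3 records of 1024 bytes
    return bytes(img)
```

On a whole-disk image, `part_off` is the partition's first sector times the sector size (2048 × 512 for the drive in the question); the sample places the label across a block boundary so that reading it raw, without undoing the fixup, gives a corrupted last character.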