https://www.voidtools.com/support/everything/db/

DB
This is very basic description and is likely to change...

Since the database is just a cache of the NTFS mft with some volume information, it can be re-built from scratch easily.

BZIP compression can be applied.

I usually see a total 11:1 compression ratio.

After BZIP decompression it should look something like:

Offset Size Description
0x00000000 DWORD 0x42445A45 or EZDB or (0x455A4442 or BDZE for byte swapped)
0x00000004 DWORD 0x01060006 or version 0xXXYYZZZZ x.y.z (major.minor.revision)
0x00000008 DWORD flags: 0x00000002 exclude hidden files and folders. 0x00000004 exclude system files and folders.
0x0000000C DWORD folder count
0x00000010 DWORD file count
0x00000014 DWORD folder decode size
0x00000018 DWORD file decode size

Followed immediately by the monitoring status for each volume.

There are 26 of the following structures, one for each drive:

Offset Size Description
0x00000000 BYTE included: 0x00 there is no data for this volume so start reading the next volume. 0x01 continue reading the information for this volume.
0x00000001 DWORD serial number
0x00000005 QWORD USN Journal ID
0x0000000D QWORD Next USN

Followed immediately by the exclude list count:

0x00000000 DWORD number of exclude items.

Followed immediately by the exclude list:

Use the exclude list count from above to determine how many exclude items there are..

Offset Size Description
0x00000000 BYTE exclude type
0x00000001 DWORD length of the exclude string
0x00000005 length of the exclude string exclude string

Followed immediately by the sorted folders:

We know the number of folders from above.

Offset Size Description
0x00000000 BYTE drive this folder belongs too.
0x00000001 QWORD FRN
0x00000005 DWORD Parent folder offset, or 0xFFFFFFFF if root.
0x00000009 DWORD FRN offset
0x0000000D BYTE code length, if 0 it is the same name, skip to the next folder after adding the same name.
0x0000000E BYTE code offset
0x0000000F code length code

Followed immediately by the sorted files:

We know the number of files from above.

Offset Size Description
0x00000000 DWORD Parent folder offset
0x00000004 BYTE code length, if 0 it is the same name, skip to the next file after adding the same name.
0x00000005 BYTE code offset
0x00000006 code length code

点赞(0) 打赏

评论列表 共有 0 条评论

暂无评论

微信小程序

微信扫一扫体验

立即
投稿

微信公众账号

微信扫一扫加关注

发表
评论
返回
顶部