NTFS — New Technology File System
designed for Windows 8, 7, Vista, XP, 2008, 2003, 2000, NT
NTFS is a high-performance and self-healing file system proprietary to Windows XP Vista 2008 2003 2000 NT & Windows 7,Windows 8, which supports file-level security, compression and auditing. It also supports large volumes and powerful storage solution such as RAID. The most important features of NTFS are data integrity (transaction journal) and the ability to encrypt files and folders to protect your sensitive data.
NTFS File System |
Hardware and Disk Organization |
|
Other File Systems 
|
Recovery on Damaged File Systems |
|
Recovery on Damaged File Systems
BMP Signature Format: Documentation & Recovery Example
BMP (bitmap image) files start with a signature BM and the next 4 bytes contain file's length.
Let's examine this particular BMP image
When inspecting example.bmp file's binary data using any Hex Viewer, like Active@ Disk Editor
we can see that it starts with a signature BM and next 4 bytes (hex: F6 04 00 00).
Hexadecimal to decimal conversion
When we convert F6 04 00 00 to decimal format using little endian format (lowest significant byte first) we get:
00 00 04 F6→ 4F6
In hexadecimal system F has value of 15
| Hexadecimal | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
| Decimal | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
When calculating hexadecimal values the position of numbers is also very important.
The first number in our case is 4 therefore its position caries the value of 2, F has the value of 1 and 6 the value of 0 (zero).
Numbers will be multiplied with 16 power of the position's value. Meaning:
4F6 = 4 x 162 + 15 x 161 + 6 x 160 4F6 = 4 x 256 + 15 x 16 + 6 x 1 4F6 = 1024 + 240 + 6 4F6 = 1270
Therefore reading all of 1,270 consecutive bytes starting from the position of the detected BM header will provide us with all BMP file data.
For more about Little and Big Endian formats read here
