This is very basic description and is likely to change...
Since the database is just a cache of the NTFS mft with some volume information, it can be re-built from scratch easily.
BZIP compression can be applied.
I usually see a total 11:1 compression ratio.
After BZIP decompression it should look something like:
| Offset | Size | Description |
|---|---|---|
| 0x00000000 | DWORD | 0x42445A45 or EZDB or (0x455A4442 or BDZE for byte swapped) |
| 0x00000004 | DWORD | 0x01060006 or version 0xXXYYZZZZ x.y.z (major.minor.revision) |
| 0x00000008 | DWORD | flags: 0x00000002 exclude hidden files and folders. 0x00000004 exclude system files and folders. |
| 0x0000000C | DWORD | folder count |
| 0x00000010 | DWORD | file count |
| 0x00000014 | DWORD | folder decode size |
| 0x00000018 | DWORD | file decode size |
Followed immediately by the monitoring status for each volume.
There are 26 of the following structures, one for each drive:
| Offset | Size | Description |
|---|---|---|
| 0x00000000 | BYTE | included: 0x00 there is no data for this volume so start reading the next volume. 0x01 continue reading the information for this volume. |
| 0x00000001 | DWORD | serial number |
| 0x00000005 | QWORD | USN Journal ID |
| 0x0000000D | QWORD | Next USN |
Followed immediately by the exclude list count:
| 0x00000000 | DWORD | number of exclude items. |
Followed immediately by the exclude list:
Use the exclude list count from above to determine how many exclude items there are..
| Offset | Size | Description |
|---|---|---|
| 0x00000000 | BYTE | exclude type |
| 0x00000001 | DWORD | length of the exclude string |
| 0x00000005 | length of the exclude string | exclude string |
Followed immediately by the sorted folders:
We know the number of folders from above.
| Offset | Size | Description |
|---|---|---|
| 0x00000000 | BYTE | drive this folder belongs too. |
| 0x00000001 | QWORD | FRN |
| 0x00000005 | DWORD | Parent folder offset, or 0xFFFFFFFF if root. |
| 0x00000009 | DWORD | FRN offset |
| 0x0000000D | BYTE | code length, if 0 it is the same name, skip to the next folder after adding the same name. |
| 0x0000000E | BYTE | code offset |
| 0x0000000F | code length | code |
Followed immediately by the sorted files:
We know the number of files from above.
| Offset | Size | Description |
|---|---|---|
| 0x00000000 | DWORD | Parent folder offset |
| 0x00000004 | BYTE | code length, if 0 it is the same name, skip to the next file after adding the same name. |
| 0x00000005 | BYTE | code offset |
| 0x00000006 | code length | code |