I am trying to icat the non-resident index for the IndexAllocation attribute (0xA0 00 00 00) of the $ObjId:$O of an NTFS file system. This seems to not work at all in Sleuthkit v4.3.0.
fls -o 1026048 win10-1234567.raw 11
d/d 24-144-2: $Deleted
r/r 26-144-5: $ObjId:$O
r/r 25-144-3: $Quota:$O
r/r 25-144-2: $Quota:$Q
r/r 27-144-5: $Reparse:$R
d/d 28-144-2: $RmMetadata
r/r 85924-128-3: $UsnJrnl:$J
r/r 85924-128-11: $UsnJrnl:$Max
icat -o 1026048 win10-1234567.raw 26-144-5 | xxd
0000000: 0000 0000 1300 0000 0010 0000 0100 0000  ................
0000010: 1000 0000 e800 0000 e800 0000 0100 0000  ................
0000020: 2000 3800 0000 0000 6000 1000 0100 0000   .8.....`.......
0000030: c1dd 053a d873 e611 b18e 78ac c041 8cde  ...:.s....x..A..
0000040: be6e 0100 0000 0a00 4677 15a1 4727 d142  .n......Fw..G'.B
0000050: 8769 d8ee f6d3 fde4 c1dd 053a d873 e611  .i.........:.s..
0000060: b18e 78ac c041 8cde 0000 0000 0000 0000  ..x..A..........
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 2000 3800 0000 0000 6000 1000 0100 0000   .8.....`.......
0000090: 754c 4de8 b773 e611 b18d 78ac c041 8cde  uLM..s....x..A..
00000a0: d16f 0000 0000 0100 4677 15a1 4727 d142  .o......Fw..G'.B
00000b0: 8769 d8ee f6d3 fde4 754c 4de8 b773 e611  .i......uLM..s..
00000c0: b18d 78ac c041 8cde 0000 0000 0000 0000  ..x..A..........
00000d0: 0000 0000 0000 0000 0200 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 1800 0000 0300 0000  ................
00000f0: 0100 0000 0000 0000                      ........
However, this is just the resident content of the 0x90 00 00 00 attribute. How can I get the non-resident content of the 0xA0 00 00 00 (Index_Allocation attribute)?
In the attached screenshot, the last part with the blue background is the cluster runs for the Index_Allocation attribute.
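As an added example (not code from the post or from Sleuthkit), here is a parser for the resident $INDEX_ROOT bytes shown in the xxd output above: it decodes the $O entries and the sub-node VCNs that point into the non-resident $INDEX_ALLOCATION records the question is after. The only input it needs is the hex dump from the post; the structure layouts are the standard NTFS index-root, index-node and $O entry formats.

```python
import struct
import uuid

# Resident $INDEX_ROOT (type 0x90) of $ObjId:$O: the 0xF8 bytes of xxd output in the post above.
INDEX_ROOT_HEX = (
    "00000000130000000010000001000000" "10000000e8000000e800000001000000"
    "20003800000000006000100001000000" "c1dd053ad873e611b18e78acc0418cde"
    "be6e010000000a00467715a14727d142" "8769d8eef6d3fde4c1dd053ad873e611"
    "b18e78acc0418cde0000000000000000" "00000000000000000000000000000000"
    "20003800000000006000100001000000" "754c4de8b773e611b18d78acc0418cde"
    "d16f000000000100467715a14727d142" "8769d8eef6d3fde4754c4de8b773e611"
    "b18d78acc0418cde0000000000000000" "00000000000000000200000000000000"
    "00000000000000001800000003000000" "0100000000000000"
)

ENTRY_NODE = 0x01         # entry points to a sub-node; its VCN sits in the entry's last 8 bytes
ENTRY_LAST = 0x02         # terminating entry of a node: carries no key and no data
NODE_HAS_CHILDREN = 0x01  # node-header flag: sub-nodes live in $INDEX_ALLOCATION (type 0xA0)

def parse_index_root(data):
    """Parse the $INDEX_ROOT of $ObjId:$O: attribute header, node header and $O entries."""
    _attr_type, collation, rec_size, clus_per_rec = struct.unpack_from("<IIIB", data, 0)
    ent_off, total, _alloc, node_flags = struct.unpack_from("<IIIB", data, 0x10)
    entries, pos, end = [], 0x10 + ent_off, 0x10 + total
    while pos < end:
        # $O entry header: data offset, data length, reserved, entry length, key length, flags
        d_off, d_len, _, e_len, k_len, flags = struct.unpack_from("<HHIHHH", data, pos)
        if e_len < 0x10: raise ValueError("corrupt entry length at offset %#x" % pos)
        e = {"flags": flags, "object_id": None, "mft_entry": None, "mft_seq": None,
             "birth_object_id": None, "sub_node_vcn": None}
        if not flags & ENTRY_LAST:
            # key = ObjectId GUID; data = MFT reference, BirthVolumeId, BirthObjectId, BirthDomainId
            e["object_id"] = str(uuid.UUID(bytes_le=data[pos + 0x10:pos + 0x10 + k_len]))
            ref, = struct.unpack_from("<Q", data, pos + d_off)
            e["mft_entry"], e["mft_seq"] = ref & 0xFFFFFFFFFFFF, ref >> 48
            e["birth_object_id"] = str(uuid.UUID(bytes_le=data[pos + d_off + 0x18:pos + d_off + 0x28]))
        if flags & ENTRY_NODE:
            e["sub_node_vcn"], = struct.unpack_from("<Q", data, pos + e_len - 8)
        entries.append(e)
        pos += e_len
    return {"collation_rule": collation, "index_record_size": rec_size,
            "clusters_per_record": clus_per_rec, "node_flags": node_flags, "entries": entries}

def sub_node_offsets(root):
    """Byte offsets of the child index records inside the $INDEX_ALLOCATION data stream."""
    if not root["node_flags"] & NODE_HAS_CHILDREN:
        return []
    # Assumes an index record covers whole clusters (true here: 1 cluster of 0x1000 bytes).
    cluster = root["index_record_size"] // root["clusters_per_record"]
    return [e["sub_node_vcn"] * cluster for e in root["entries"] if e["sub_node_vcn"] is not None]
```

The node flag and the three sub-node VCNs (0, 2, 1) show that this $O index continues in three 0x1000-byte index records inside $INDEX_ALLOCATION, which is the stream the question wants. Since TSK addresses attributes as inode-type-id and 0xA0 is 160, that stream is 26-160-<id>, with the id listed by istat -o 1026048 win10-1234567.raw 26.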