NTFS MFT datarun

I am trying to parse a Data Run in an MFT Record and I'm comparing my results to Active Disk Editor. The data run is as follows:

.... 42 0F 01 FD 83 90 D9 0C (second attribute starts here)

If I understand correctly: this is how it should be parsed:

• number of bytes to parse the cluster count: 2

• number of bytes to parse cluster location: 4

• Parse cluster count: 0F 01 (in little endian) => 271

• Parse first cluster location: 0xD99083FD => 3,650,126,845
• Expecting a 00 instead of 0C to mark the end of the cluster

However, in active disk editor:

• the cluster location is: 9,470,973 which is 0x 9083FD. ( the D9 is ignored). It turns out that this location is the correct one.

• If I try to change the number of bytes representing the cluster location (the 4 in 42), here is what happens:

  • If I change it to 4 or 5, the cluster location remains the same (9470973)
  • If I change it to 3, the cluster location becomes negative
  • No value change on D9 0C seems to affect the outcome

Can anyone let me know what I'm doing wrong?

After some additional research, I accidentally read about NTFS fixups. For those that might encounter the same issue in the future, the idea is as follows:

• Update Sequence Number (USN) is a 2-byte entity that overwrites the last two bytes in each used sector. It is done for verification purposes.

• Update Sequence Array (USA) contains the array of overwritten 2-bytes at the end of each sector.

Reading the structure without accounting for USN and USA is problematic. It can mess up file names, data runs, etc. I encountered this info on: https://www.taksati.org/ntfs-fix-ups/

Long story short, when I accounted for this difference, the first cluster location became:

0x009083FD

Since the data run list info became: 42 0F 01 FD 83 90 00 00.