DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

Potential bug in NTFSInfo #31

Closed lprat closed 2 years ago

lprat commented 3 years ago

Hi,

When I launch NTFSInfo with this config (below) and compare with the sigcheck result (command "sigcheck -h -e -a -c c:\windows\system32"), the "OriginalFileName" doesn't display in the ORC NTFSInfo result.

<?xml version="1.0"?>
<ntfsinfo walker="MFT" resurrect="yes">
    <location>*</location>
    <columns>
        <default>ComputerName,VolumeID,Default,ExtendedAttribute,RecordInUse,SecDescrID,ADS,FirstBytes,OriginalFileName,ProductName,FullName,File,FileNameCreationDate,FileNameLastAccessDate,FileNameLastAttrModificationDate,FileNameLastModificationDate,LastAccessDate,LastAttrChangeDate,LastModificationDate,Owner,OwnerId,OwnerSid,SizeInBytes</default>
        <add SizeLT="10M" Ext=".docx,.zip,.7z,.ace,.cmd,.bat,.ps1,.chm,.application,.appref-ms,.pdf,.jar,.js,.jse,.rtf,.doc,.xls,.xslx,.ini,.inf,.hta,.hlp,.reg,.tmp,.lnk,.scf,.sdb,.url,vba,.vbs,.vbe,.jnlp,.ppt,.pptx,.swf">MD5,SHA1,SHA256</add>
        <omit SizeGT="10M">MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Authenticode,TimeStamp,AuthenticodeStatus,AuthenticodeCA</omit>
        <add HasPE="">AuthenticodeCA,AuthenticodeStatus,MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Authenticode,TimeStamp</add>
   </columns>
</ntfsinfo>

NTFSINFO log:

NTFSInfo v10.0.16
NTFS File system enumeration
ERROR (Paramètre incorrec, hr=0x80070057): Ignored criteria SizeLT, critera already defined

Start time            : 12/01/2020 19:15:46.384 (UTC)

Computer              : MSEDGEWIN10
Operating System      : Microsoft Windows 10  (build 17763), 64-bit

Walker used           : MFT
FileInfo archive      : C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo.7z (encoding=UTF8)
AttrInfo              : Empty
I30Info  archive      : C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_i30Info.7z (encoding=UTF8)
Timeline              : Empty
SecDescr archive      : C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_SecDesc.7z (encoding=UTF8)

CSV Columns           :

    ComputerName VolumeID File 
    ParentName FullName Extension 
    SizeInBytes Attributes CreationDate 
    LastModificationDate LastAccessDate LastAttrChangeDate 
    FileNameCreationDate FileNameLastModificationDate FileNameLastAccessDate 
    FileNameLastAttrModificationDate USN FRN 
    ParentFRN ExtendedAttribute ADS 
    FilenameID DataID RecordInUse 
    MD5 SHA1 FirstBytes 
    OwnerId ProductName OriginalFileName 
    TimeStamp FilenameFlags SHA256 
    PeSHA1 PeSHA256 SecDescrID 
    AuthenticodeStatus AuthenticodeSigner AuthenticodeSignerThumbprint 
    AuthenticodeCA AuthenticodeCAThumbprint PeMD5 
    FilenameIndex DataIndex SnapshotID 
    SignedHash 

Default columns       :

    ComputerName VolumeID File 
    ParentName FullName Extension 
    SizeInBytes Attributes CreationDate 
    LastModificationDate LastAccessDate LastAttrChangeDate 
    FileNameCreationDate FileNameLastModificationDate FileNameLastAccessDate 
    FileNameLastAttrModificationDate USN FRN 
    ParentFRN ExtendedAttribute ADS 
    FilenameID DataID RecordInUse 
    FirstBytes OwnerId ProductName 
    OriginalFileName FilenameFlags SecDescrID 
    FilenameIndex DataIndex SnapshotID 

Filters:

    if file is smaller than 10485760 bytes include columns: 

        MD5 SHA1 SHA256 

    if file has valid PE header include columns: 

        MD5 SHA1 TimeStamp 
        SHA256 PeSHA1 PeSHA256 
        AuthenticodeStatus AuthenticodeSigner AuthenticodeSignerThumbprint 
        AuthenticodeCA AuthenticodeCAThumbprint PeMD5 
        SignedHash 

    if file is bigger than 10485760 bytes  exclude columns: 

        MD5 SHA1 TimeStamp 
        SHA256 PeSHA1 PeSHA256 
        AuthenticodeStatus AuthenticodeSigner AuthenticodeSignerThumbprint 
        AuthenticodeCA AuthenticodeCAThumbprint PeMD5 
        SignedHash 

Volumes, Folders to parse:
    DiskInterfaceVolume   : \\.\SCSI#Disk&Ven_QEMU&Prod_HARDDISK#4&2749002f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},offset=1048576,size=42947575808,sector=512 - NTFS - Valid (serial : 0xa8b4a72fb4a6fec6) *
 "C:\" 
    "\windows\system32" 

Parsing \\.\SCSI#Disk&Ven_QEMU&Prod_HARDDISK#4&2749002f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},offset=1048576,size=42947575808,sector=512: "C:\" 
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_i30Info.7z started
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_SecDesc.7z started
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo.7z started
ERROR (hr=0x90090006): Failed to fixup $INDEX_ALLOCATION header
ERROR (hr=0x90090006): Failed to read from $INDEX_ALLOCATION
.................................................
.............................................. Done!

WARNING: Heap still maintains 78 entries
Archive: File NTFSInfo_00000000_DiskInterface_0xa8b4a72fb4a6fec6_.csv added
Archive: File I30Info_00000000_DiskInterface_0xa8b4a72fb4a6fec6_.csv added
Archive: File SecDescr_00000000_DiskInterface_0xa8b4a72fb4a6fec6_.csv added
Archive: File volstats.csv added
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo.7z is complete
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_i30Info.7z is complete
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_SecDesc.7z is complete

Lines processed       : 26341
Finish time           : 12/01/2020 19:21:47.767 (UTC)
Elapsed time          : 6 min(s), 1 sec(s), 391 msecs

Information           : 3 errors occurred during program execution

I copied the result for the sethc.exe file (below).

"c:\windows\system32\sethc.exe","Signed","23:22 14/09/2018","Microsoft Windows","Microsoft Corporation","Accessibility shortcut keys","Microsoft® Windows® Operating System","10.0.17763.1","10.0.17763.1 (WinBuild.160101.0800)","64-bit","10.0.17763.1","sethc.exe","sethc.exe","© Microsoft Corporation. All rights reserved.","n/a","6.858","F00FAB17E7FE21D930AA4A6CABD2381F","F8DF7CD7482FCF621924C97BBB44DF380CC612BB","1B79622D2009F259A2197E4B66DDF43121F8DB3F","A9BBDBB6038AB7CDB3E52BE9477526818AA9E2183C22C8CB2201548717E222F1","746D48A2FC0198E20C6ABCB301ED5C0FFEBDE33D0C0C890044EC98C9EE5E21EC","3C1A53A9971C1924A1A24E822BFFC8E3"
"MSEDGEWIN10",0xA8B4A72FB4A6FEC6,"sethc.exe","\Windows\System32\","\Windows\System32\sethc.exe",".exe",299520,"A....N.......",2018-09-15 07:28:43.201,2018-09-15 07:28:43.201,2020-12-01 17:17:01.549,2019-03-19 19:41:55.255,2019-03-19 19:41:55.238,2019-03-19 19:41:55.255,2019-03-19 19:41:55.238,2019-03-19 19:41:55.255,0x0000000000000000,0x0001000000009DDA,0x0001000000000DC3,"$CI.CATALOGHINT;",,5,4,Y,,F00FAB17E7FE21D930AA4A6CABD2381F,F8DF7CD7482FCF621924C97BBB44DF380CC612BB,4D5A90000300000004000000FFFF0000,0,,,,,,,,2100-06-05 01:47:25.000,,,,0,746D48A2FC0198E20C6ABCB301ED5C0FFEBDE33D0C0C890044EC98C9EE5E21EC,1B79622D2009F259A2197E4B66DDF43121F8DB3F,A9BBDBB6038AB7CDB3E52BE9477526818AA9E2183C22C8CB2201548717E222F1,456,,,CatalogSignedVerified,"Microsoft Windows","ae9c1ae54763822eec42474983d8b635116c8452","Microsoft Root Certificate Authority 2010","3b1efd3a66ea28b16697394703a72ca340a05bd5",89ADFB6E88C52B80F42DB3780ADAF259,1,0,{00000000-0000-0000-0000-000000000000},,,,,

Please, can you fix this problem?

Thanks.
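
The comparison described in this report, as an added example that is not part of the original post and is not DFIR ORC code: it joins a sigcheck CSV with an NTFSInfo CSV on the volume-relative path and lists files for which sigcheck reports an original name while the NTFSInfo `OriginalFileName` column is empty. The sample rows are constructed and abbreviated, the sigcheck header names `Path` and `Original Name` are assumptions, and dropping the drive letter assumes a single volume is being compared.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed, abbreviated sample data (not real tool output).
# Assumed sigcheck headers: "Path", "Original Name".
SIGCHECK_CSV = r'''Path,Verified,Original Name
"c:\windows\system32\sethc.exe","Signed","sethc.exe"
"c:\windows\system32\notepad.exe","Signed","NOTEPAD.EXE"
"c:\windows\system32\drivers\etc\hosts","Unsigned","n/a"
'''

# NTFSInfo column names taken from the "CSV Columns" list in the log.
NTFSINFO_CSV = r'''ComputerName,FullName,SizeInBytes,OriginalFileName
"MSEDGEWIN10","\Windows\System32\sethc.exe",299520,
"MSEDGEWIN10","\Windows\System32\notepad.exe",181248,"NOTEPAD.EXE"
"MSEDGEWIN10","\Windows\System32\drivers\etc\hosts",824,
'''


def volume_relative(path):
    """Drop the drive letter and lowercase, so both tools' paths compare equal."""
    p = PureWindowsPath(path)
    return str(p)[len(p.drive):].lower()


def missing_original_filename(sigcheck_csv, ntfsinfo_csv):
    """Return (FullName, name reported by sigcheck) for rows NTFSInfo left empty."""
    expected = {}
    for row in csv.DictReader(io.StringIO(sigcheck_csv)):
        name = (row["Original Name"] or "").strip()
        # sigcheck prints "n/a" when a version resource field is absent
        if name and name.lower() != "n/a":
            expected[volume_relative(row["Path"])] = name

    findings = []
    for row in csv.DictReader(io.StringIO(ntfsinfo_csv)):
        key = volume_relative(row["FullName"])
        if key in expected and not (row.get("OriginalFileName") or "").strip():
            findings.append((row["FullName"], expected[key]))
    return findings


if __name__ == "__main__":
    for full_name, name in missing_original_filename(SIGCHECK_CSV, NTFSINFO_CSV):
        print(f"{full_name}: sigcheck reports {name!r}, NTFSInfo column is empty")
```
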

fabienfl-orc commented 2 years ago

Hello, are you still able to reproduce this with a recent version? Thank you

lprat commented 2 years ago

Sorry for this! It works well since the new version! I'm closing it.