libyal / libewf

Libewf is a library to access the Expert Witness Compression Format (EWF)
GNU Lesser General Public License v3.0

Question on association of "perm" items with "entry" when reading L01 #129

Closed mikebbt closed 5 years ago

mikebbt commented 5 years ago

My understanding of what is contained in the "perm" section of the ltree is that it's a list of all the unique NTFS Access Control Entries that are associated with the files contained in the L01. So, for instance, if an L01 contained 10 jpg files from an NTFS partition and, say, 6 of them each had 4 unique NTFS ACE items associated before export and the last 4 files each had 1 unique NTFS ACE item associated, the resultant L01 under the "perm" section would list a total of 5 unique NTFS ACE items. If that assumption is true, my question is: when reading the "entry" section of the L01, how do we know which of the "perm" items belong to which file(s) in the "entry" section?

joachimmetz commented 5 years ago

@mikebbt do you have an example?

mikebbt commented 5 years ago

Sample below with three image files (IMG_0003.jpg, IMG_0004.jpg & AlbumArtSmall.jpg) in it. Viewing those files in a forensic software package (no worries, it's only sample data) shows me that IMG_0003.jpg & IMG_0004.jpg each have 5 NTFS Access Control Entries associated with them, while AlbumArtSmall.jpg has 7. If I view the L01 in a hex editor and find the "perm" section, I count a total of 12 NTFS ACE entries, which I think makes sense, but maybe not?

If parsing the "entry" section of the L01 how does one associate the data in "perm" with these individual files, in other words how do I know IMG_0003 & 0004 each have 5 permissions and AlbumArtSmall.jpg has all 7? Can this association not be made or is there something I've missed?

mikebbt commented 5 years ago

SampleFiles3.L01.zip

mikebbt commented 5 years ago

Wondering if you have had a chance to look at the sample?

joachimmetz commented 5 years ago

Unfortunately not, other things have priority at the moment.

mikebbt commented 5 years ago

No worries, approaching from another angle and revisiting, thanks.

mikebbt commented 5 years ago

So I've verified through another source that the "pm" item in "entry" does indeed give the ID of the permission set that entry is associated with in "perm". In addition, the permission ID is implied, so the first permission set in "perm" is ID 0, the next is 1, etc. While I have not yet tried it, I believe using the perm calls in libewf will allow me to get at each permission set and its subsets to then populate these items when I read an E0x/L0x file. Closing this thread.