mft parser: use orphaned $FILE_NAME attributes of attribute list MFT entries for path reconstruction

[harelsegev]

Description of problem: Consider this scenario that I created on a test image:

1. \Folder1 is created (file reference: 38-1)
2. \Folder1\File1.txt is created (file reference: 42-1)
3. The $FILE_NAME attribute of \Folder1 is moved to an extension record (extension record reference: 43-1)
4. \Folder1 is deleted
5. \File2.txt is created (file reference: 38-2)

File1.txt is now orphan, because the record of Folder1 was reused (path hint: $Orphan\File1.txt)

Observations:

• The record at index 42 still describes File1.txt

  • The parent file reference in the $FILE_NAME attribute is 38-1
  • This reference is invalid

• There's an extension record at MFT index 43

  • Its base record reference is also 38-1!
  • It has a $FILE_NAME attribute inside it

Because these 2 references match, This extension record belonged to the parent of File1.txt Therefore, the $FILE_NAME attribute inside it can be used to reconstruct the full path of File1.txt - \Folder1\File1.txt

I haven't seen any MFT parser that is able to reconstruct the path this way. Is there a reason not to do this?

Command line and arguments:

log2timeline.py --parsers mft --storage-file storage.plaso ./Evidence psort.py -o dynamic -w timeline.csv storage.plaso

Source data:

I used plaso against this MFT file: $MFT.zip

Here is the full disk image: image.zip

Plaso version:

20210606

Operating system Plaso is running on:

Ubuntu 20.04.3

Installation method:

• installed from [GiFT PPA][https://launchpad.net/~gift] stable track

[joachimmetz]

I haven't seen any MFT parser that is able to reconstruct the path this way. Is there a reason not to do this?

Interesting observations and edge case.

As I indicated in https://osdfir.blogspot.com/2020/04/parsing-mft-ntfs-metadata-file.html "Full path reconstruction is an approximation". My guess why most parsers don't this is because it might not be a common or previously observed scenario (not sure). If you have means to reproduce the scenario pro-grammatically I recommend to add it to https://github.com/dfirlabs/ntfs-specimens.

But at first glance, I see no obvious reason why the MFT entry: 43 could not be used in the determination of the path hints.

MFT entry: 38 information:
        Is allocated                    : true
        File reference                  : 38-2
        Base record file reference      : Not set (0)
        Journal sequence number         : 1094537
        Number of attributes            : 4

Attribute: 1
        Type                            : $STANDARD_INFORMATION (0x00000010)
        Creation time                   : Sep 24, 2021 14:37:31.760882100 UTC
        Modification time               : Sep 24, 2021 14:37:40.868469900 UTC
        Access time                     : Sep 24, 2021 14:37:40.872403200 UTC
        Entry modification time         : Sep 24, 2021 14:37:40.868469900 UTC
        Owner identifier                : 0
        Security descriptor identifier  : 268
        Update sequence number          : 0
        File attribute flags            : 0x00000020
                Should be archived (FILE_ATTRIBUTE_ARCHIVE)

Attribute: 2
        Type                            : $FILE_NAME (0x00000030)
        Parent file reference           : 5-5
        Creation time                   : Sep 24, 2021 14:37:31.760882100 UTC
        Modification time               : Sep 24, 2021 14:37:31.760882100 UTC
        Access time                     : Sep 24, 2021 14:37:31.760882100 UTC
        Entry modification time         : Sep 24, 2021 14:37:31.760882100 UTC
        File attribute flags            : 0x00000020
                Should be archived (FILE_ATTRIBUTE_ARCHIVE)
        Name space                      : POSIX (0)
        Name                            : File2.txt
        Path hint                       : \File2.txt

Attribute: 3
        Type                            : $OBJECT_ID (0x00000040)
        Droid file identifier           : 36ac4732-1d20-11ec-9c3c-d017c29aac48

Attribute: 4
        Type                            : $DATA (0x00000080)
        Data size                       : 8 bytes
        Data flags                      : 0x0000

MFT entry: 42 information:
        Is allocated                    : false
        File reference                  : 42-2
        Base record file reference      : Not set (0)
        Journal sequence number         : 1092454
        Number of attributes            : 4

Attribute: 1
        Type                            : $STANDARD_INFORMATION (0x00000010)
        Creation time                   : Sep 24, 2021 14:05:20.789515000 UTC
        Modification time               : Sep 24, 2021 14:08:14.879550100 UTC
        Access time                     : Sep 24, 2021 14:08:18.538968300 UTC
        Entry modification time         : Sep 24, 2021 14:08:14.879550100 UTC
        Owner identifier                : 0
        Security descriptor identifier  : 268
        Update sequence number          : 0
        File attribute flags            : 0x00000020
                Should be archived (FILE_ATTRIBUTE_ARCHIVE)

Attribute: 2
        Type                            : $FILE_NAME (0x00000030)
        Parent file reference           : 38-1
        Creation time                   : Sep 24, 2021 14:05:20.789515000 UTC
        Modification time               : Sep 24, 2021 14:05:20.789515000 UTC
        Access time                     : Sep 24, 2021 14:05:20.789515000 UTC
        Entry modification time         : Sep 24, 2021 14:05:20.789515000 UTC
        File attribute flags            : 0x00000020
                Should be archived (FILE_ATTRIBUTE_ARCHIVE)
        Name space                      : POSIX (0)
        Name                            : File1.txt
        Path hint                       : $Orphan\File1.txt

Attribute: 3
        Type                            : $OBJECT_ID (0x00000040)
        Droid file identifier           : 36ac455b-1d20-11ec-9c3c-d017c29aac48

Attribute: 4
        Type                            : $DATA (0x00000080)
        Data size                       : 8 bytes
        Data flags                      : 0x0000

MFT entry: 43 information:
        Is allocated                    : false
        File reference                  : 43-2
        Base record file reference      : 38-1
        Journal sequence number         : 1092562
        Number of attributes            : 14

Attribute: 1
        Type                            : $FILE_NAME (0x00000030)
        Parent file reference           : 5-5
        Creation time                   : Sep 24, 2021 14:03:43.755965400 UTC
        Modification time               : Sep 24, 2021 14:03:43.755965400 UTC
        Access time                     : Sep 24, 2021 14:03:43.755965400 UTC
        Entry modification time         : Sep 24, 2021 14:03:43.755965400 UTC
        File attribute flags            : 0x10000000
                Unknown (0x10000000)
        Name space                      : POSIX (0)
        Name                            : Folder1
        Path hint                       : \Folder1

Attribute: 2
        Type                            : $OBJECT_ID (0x00000040)
        Droid file identifier           : 36ac454e-1d20-11ec-9c3c-d017c29aac48

[joachimmetz]

Blocked on work on https://github.com/libyal/libfsntfs/issues/29

[harelsegev]

your post (https://osdfir.blogspot.com/2020/04/parsing-mft-ntfs-metadata-file.html) is what inspired me to look for edge cases in the first place! I'm glad I can help, even just a little bit.

[joachimmetz]

good to hear, thx for looking for additional ones and sharing