NTFS File System Parsing

[pjrinaldi]

Implement manual NTFS file system parsing

[pjrinaldi]

ntfs parsing is working... implemented a paradigm where all teh attributes are children of the parent file. it's nifty, but i currently have the main file be the MFT record, which isn't useful per se to doing forensics. So i need to make the actual file the file contents and then include the MFT record as an attribute during the attribute loop...

this way i get the content of the data/index30 for the file as well as the correct category/signature but the more detailed extra features to a file are included as well...

The other option is to throw these extra attributes into the file's properties, but I like the extra attributes...

The other issue with the extra attributes is there is no way to determine if there are ads or children in the directory without checking every directory....

a cool idea, but will probably scrap for a more traditional approach...

then i need to implement oprhan's and ntfs is done.

[pjrinaldi]

fixed NTFS and put it back to a more normal approach and similar to what i had last time with using the tsk.

handle reparse points and find the security info for a file so i can add it to the properties.

Then i need to figure out orphans.

[pjrinaldi]

Just about got all the alternate streams working for ntfs and added correctly. still need to implement deleted recovered, orphans, and additional properties/attributes.

[pjrinaldi]

ads working, orphan and deleted recovered from mft working...

issues with index allocation parsing for deleted/orphan entries. it doesn't process index alloc properly if i don't qdebug curpos.

[pjrinaldi]

Fixed index allocation parsing. it works correctly now.

For deleted files found in the index allocation, I get duplicates that still exist or duplicate deletes...

will need to work on:

1. some check for this to reduce my numbers. but it works for now.
2. ntfs file properties

[pjrinaldi]

added ntfs file properties. need to implement:

add other attributes to the ParseMFT() function for other attributes or alternate streams also need to look and see if i want to reduce the duplicates that still exist (see what the sleuthkit does and decide from there)

[pjrinaldi]

simple ntfs parsing is currently working

[pjrinaldi]

parsing the ntfs volume properties is working. starting to implement parsing the ntfs directories/files next.

[pjrinaldi]

making progress on parsing the current directory...

[pjrinaldi]

got children listed, need to get the propreties/file item values for each child file to populate the tree and write to the files.

[pjrinaldi]

working on getting properties for child files/directories. making progress. need to compare what i am collecting with the property template so it get's stored in the right order.

[pjrinaldi]

1. need to capture $INDEX_ROOT 0x90 ads's for files.
2. need to record the child FileItem and its properties in order and then also record the ads file and how to write it to a file so it is displayed in the table properly.

[pjrinaldi]

working on implementing all ntfs mft entry attribute types, then i will work on the best way to collect all the values from the attributes and populate the file items in the tree, ads items, and properties. Might just want to put the ads items into properties file or put them into the tree after the fileitem they belong to referenced as filename:adsname, but i will need to figure out to store them in the file system. if i do properties which might make more sense, i will need to figure out how to store them in the properties since they would be an unknown count. Maybe as Alternate Data Streams, underline it and then put them all below and block them off with a blank space between them and always put the ADS last since the properties window is a textview and not a table view.

maybe make it a different function which appends the ads values to the properties view or something similar or just add them to the properties string.

[pjrinaldi]

working on more ntfs attributes, cleaned up objectid attribute. need to work on security descriptor with the secure file, and then take all that data and put into the fileitem and properties and populate the file system.

[pjrinaldi]

started populating data for file items and populating the file system.

Current issues:

• changed time sometimes populates and sometimes doesn't.
• logicalsize/physicalsize/layout/cat/sig/size/layout loop for the main file and the ads property. need to move it into the file only property so it skips the ads properties. then i need to figure out how to handle ads.
• still need to do security descriptor
• objectid and security id aren't showing up as properties, need to fix that. I might not be calling the objectid function in both indexroot and indexalloc place.
• need to populate pure directory information when there is no data attribute.