rowingdude / analyzeMFT

MIT License

MFT entry: fix up values make incorrect assumption #31

Closed joachimmetz closed 9 years ago

joachimmetz commented 9 years ago

https://github.com/dkovar/analyzeMFT/blob/master/analyzemft/mft.py#L474

    record['seq_attr1'] = raw_record[50:52]  # Sequence attribute for sector 1
    record['seq_attr2'] = raw_record[52:54]  # Sequence attribuet for sector 2

For MFT entries where the fixup value offset is 42 (for now seen in NTFS versions before 3.0) this should be:

    record['seq_attr1'] = raw_record[44:46]  # Sequence attribute for sector 1
    record['seq_attr2'] = raw_record[46:48]  # Sequence attribuet for sector 2

Also you likely want to fix the typo in attribuet

Also see: https://github.com/libyal/libfsntfs/blob/master/documentation/New%20Technologies%20File%20System%20(NTFS).asciidoc#mft-entry-header

dkovar commented 9 years ago

Good morning,

Thank you for catching this, and for providing a fix AND documentation. Much appreciated.

-David

joachimmetz commented 9 years ago

No prob, however you closed the issue but did not fix the issue reported. To be verbose, this wasn't a pull request (or change list), just an issue (bug report).

dkovar commented 9 years ago

Greetings,

I changed the lines to:

    record['seq_attr1'] = raw_record[44:46]  # Sequence attribute for sector 1
    record['seq_attr2'] = raw_record[46:48]  # Sequence attribute for sector 2

And spelled "attribute" correctly.

Was there a different change that should have been made?

-David

joachimmetz commented 9 years ago

Was there a different change that should have been made?

The commit history does not reflect your changes so I was wondering about them. Did you push the changes upstream?

dkovar commented 9 years ago

Greetings,

Wow, I've not touched git in a while. I failed to do the commit correctly. Fixed now. Thanks!

-David

joachimmetz commented 9 years ago

Thanks, I see them now. Maybe I was not verbose enough, but the code should be:

    if record['upd_off'] == 42:
        record['seq_number'] = raw_record[42:44]  # Sequence number
        record['seq_attr1'] = raw_record[44:46]  # Sequence attribute for sector 1
        record['seq_attr2'] = raw_record[46:48]  # Sequence attribute for sector 2
    else:
        record['f1'] = raw_record[42:44]                                  # Padding
        record['recordnum'] = struct.unpack("<I", raw_record[44:48])[0]  # Number of this MFT Record
        record['seq_number'] = raw_record[48:50]  # Sequence number
        record['seq_attr1'] = raw_record[50:52]  # Sequence attribute for sector 1
        record['seq_attr2'] = raw_record[52:54]  # Sequence attribute for sector 2

Also note that recordnum only appears to exist in version 3.1 and not in 3.0
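
As an added example (not part of this thread or of analyzeMFT's own code), the following parser reads the fixup array relative to the update sequence offset at bytes 4-6 instead of hard-coding offsets 50/52, so it handles both the 42 (pre-3.1, no record number) and 48 (3.1) layouts, and it verifies and undoes the fixups against constructed sample entries. Names beyond those used in the thread (`upd_cnt`, `seq_attrs`, `apply_fixups`, `make_entry`) and the 1024-byte / 512-byte-sector geometry are assumptions.

```python
import struct

SECTOR_SIZE = 512  # assumption: 1024-byte entries made of two 512-byte sectors


def parse_mft_entry_header(raw_record):
    """Parse the fixed MFT entry header fields and locate the fixup array."""
    record = {'magic': raw_record[0:4]}
    record['upd_off'], record['upd_cnt'] = struct.unpack('<HH', raw_record[4:8])
    record['lsn'] = struct.unpack('<Q', raw_record[8:16])[0]
    (record['seq'], record['link'], record['attr_off'], record['flags'],
     record['size'], record['alloc_sizef']) = struct.unpack('<HHHHII', raw_record[16:32])
    record['base_ref'] = struct.unpack('<Q', raw_record[32:40])[0]
    record['next_attrid'] = struct.unpack('<H', raw_record[40:42])[0]
    if record['upd_off'] == 42:
        record['recordnum'] = None  # field is absent before NTFS 3.1
    else:
        record['f1'] = raw_record[42:44]  # padding
        record['recordnum'] = struct.unpack('<I', raw_record[44:48])[0]
    # Fixup array: update sequence number (USN) followed by upd_cnt-1 saved
    # values, one per sector. Read relative to upd_off, never a fixed offset.
    off = record['upd_off']
    record['seq_number'] = raw_record[off:off + 2]
    record['seq_attrs'] = [raw_record[off + 2 + 2 * i:off + 4 + 2 * i]
                           for i in range(record['upd_cnt'] - 1)]
    return record


def apply_fixups(raw_record, record):
    """Check that each sector ends with the USN, then restore the saved bytes."""
    buf = bytearray(raw_record)
    for i, saved in enumerate(record['seq_attrs']):
        end = (i + 1) * SECTOR_SIZE
        if bytes(buf[end - 2:end]) != record['seq_number']:
            raise ValueError('fixup mismatch in sector %d (torn write?)' % i)
        buf[end - 2:end] = saved
    return bytes(buf)


def make_entry(upd_off, recordnum=7):
    """Constructed sample entry (not real disk data) for upd_off 42 or 48."""
    hdr = b'FILE' + struct.pack('<HHQHHHHIIQH', upd_off, 3, 0, 1, 1,
                                upd_off + 8, 1, 0x100, 1024, 0, 4)
    if upd_off == 48:
        hdr += b'\x00\x00' + struct.pack('<I', recordnum)
    usn = b'\x01\x00'
    body = bytearray((hdr + usn + b'\xaa\xbb' + b'\xcc\xdd').ljust(1024, b'\x00'))
    body[510:512] = usn  # on disk, sector ends carry the USN, not the saved data
    body[1022:1024] = usn
    return bytes(body)
```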

dkovar commented 9 years ago

I was having a very distracted weekend .....

joachimmetz commented 9 years ago

No worries, just making sure this gets correctly fixed (as far as possible from the disk format POV).