rowingdude / analyzeMFT

MIT License

Unable to handle $FILE_NAME attributes stored in $ATTRIBUTE_LIST #56

Open joachimmetz opened 4 years ago

joachimmetz commented 4 years ago

https://github.com/dfirlabs/ntfs-specimens/blob/master/generate-specimens-behavior.bat#L282

The ntfs_file_name_list.vhd image contains an MFT entry with $FILE_NAME attributes stored in an $ATTRIBUTE_LIST. A rough outline of the file system hierarchy:

testdir1
testdir1\testfile1
testdir10
testdir10\hardlink9
testdir11
testdir11\hardlink10
testdir12
testdir12\hardlink11
testdir13
testdir13\hardlink12
testdir14
testdir14\hardlink13
testdir15
testdir15\hardlink14
testdir16
testdir16\hardlink15
testdir2
testdir2\hardlink1
testdir3
testdir3\hardlink2
testdir4
testdir4\hardlink3
testdir5
testdir5\hardlink4
testdir6
testdir6\hardlink5
testdir7
testdir7\hardlink6
testdir8
testdir8\hardlink7
testdir9
testdir9\hardlink8

The MFT entry, based on the full file system:

istat -o 128 ntfs_file_name_list.vhd 38

MFT Entry Header Values:
Entry: 38        Sequence: 1
$LogFile Sequence Number: 1081061
Allocated File
Links: 16

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 264  ()
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.276667100 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: testfile1
Parent MFT Entry: 37    Sequence: 1
Allocated Size: 0       Actual Size: 0
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.138610600 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink1
Parent MFT Entry: 39    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.145124900 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink15
Parent MFT Entry: 55    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.276667100 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink2
Parent MFT Entry: 40    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.145124900 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink3
Parent MFT Entry: 41    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.160776400 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink4
Parent MFT Entry: 42    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.176391600 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink5
Parent MFT Entry: 43    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.176391600 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink6
Parent MFT Entry: 44    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.192022000 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink7
Parent MFT Entry: 45    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.207641500 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink8
Parent MFT Entry: 47    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.207641500 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink9
Parent MFT Entry: 48    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.223263600 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink10
Parent MFT Entry: 49    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.223263600 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink11
Parent MFT Entry: 50    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.238888400 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink12
Parent MFT Entry: 52    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.245402800 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink13
Parent MFT Entry: 53    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.245402800 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$FILE_NAME Attribute Values:
Flags: Archive
Name: hardlink14
Parent MFT Entry: 54    Sequence: 1
Allocated Size: 16      Actual Size: 14
Created:    2020-02-01 10:48:46.138610600 (CET)
File Modified:  2020-02-01 10:48:46.138610600 (CET)
MFT Modified:   2020-02-01 10:48:46.261038600 (CET)
Accessed:   2020-02-01 10:48:46.138610600 (CET)

$ATTRIBUTE_LIST Attribute Values:
Type: 16-0  MFT Entry: 38   VCN: 0
Type: 48-2  MFT Entry: 38   VCN: 0
Type: 48-3  MFT Entry: 38   VCN: 0
Type: 48-0  MFT Entry: 46   VCN: 0
Type: 48-1  MFT Entry: 46   VCN: 0
Type: 48-2  MFT Entry: 46   VCN: 0
Type: 48-3  MFT Entry: 46   VCN: 0
Type: 48-4  MFT Entry: 46   VCN: 0
Type: 48-0  MFT Entry: 51   VCN: 0
Type: 48-1  MFT Entry: 51   VCN: 0
Type: 48-2  MFT Entry: 51   VCN: 0
Type: 48-3  MFT Entry: 51   VCN: 0
Type: 48-0  MFT Entry: 56   VCN: 0
Type: 48-1  MFT Entry: 56   VCN: 0
Type: 48-2  MFT Entry: 56   VCN: 0
Type: 48-3  MFT Entry: 56   VCN: 0
Type: 48-19     MFT Entry: 38   VCN: 0
Type: 128-5     MFT Entry: 46   VCN: 0

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $ATTRIBUTE_LIST (32-12)   Name: N/A   Non-Resident   size: 576  init_size: 576
55 
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 84
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 84
Type: $FILE_NAME (48-19)   Name: N/A   Resident   size: 86
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 84
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 84
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 84
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 84
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 84
Type: $DATA (128-20)   Name: N/A   Resident   size: 14
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 84
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 84
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 84
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 86
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 86
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 86
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 86
Type: $FILE_NAME (48-0)   Name: N/A   Resident   size: 8

analyzeMFT.py is unable to reconstruct the $ATTRIBUTE_LIST, which should be possible based on the base record file reference.

analyzeMFT.py -f MFT.bin -b bodyfile --bodyfull

grep hardlink bodyfile
0|/testdir1/hardlink15|0|0|0|0|0|1580550526|1580550526|1580550526|1580550526
0|/testdir3/hardlink6|0|0|0|0|14|1580550526|1580550526|1580550526|1580550526
0|/testdir8/hardlink10|0|0|0|0|14|1580550526|1580550526|1580550526|1580550526
0|/testdir12/hardlink14|0|0|0|0|14|1580550526|1580550526|1580550526|1580550526
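The reconstruction the report asks for rests on one header field: every extension record of a split MFT entry carries, at offset 0x20, a file reference to its base record (entry number in the low 48 bits, sequence number in the high 16), so a parser can attach the $FILE_NAME attributes in entries 46, 51 and 56 back to entry 38 without walking the $ATTRIBUTE_LIST runs at all. The example below is added here and is neither analyzeMFT's code nor joachimmetz's; it builds a few MFT records in memory (constructed samples modelled on the istat output above, not the specimen image), applies and undoes the update sequence fixups, walks the resident attributes, and merges names by base reference. The entry numbers, parent references and name "stale" are constructed; the on-disk layouts follow the documented NTFS MFT record, attribute header and $FILE_NAME formats.

```python
"""Added example: merge $FILE_NAME attributes across an MFT base record and its
extension records using the base record reference. All records are constructed."""
import struct

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF


def file_ref(entry, sequence):
    """Pack an NTFS file reference: entry number in bits 0-47, sequence in bits 48-63."""
    return (sequence << 48) | entry


def build_file_name_attr(parent_ref, name, attr_id):
    """Build a resident $FILE_NAME attribute (24-byte header + content). Constructed data."""
    utf16 = name.encode("utf-16-le")
    content = struct.pack("<Q", parent_ref) + bytes(32)      # parent ref, four zeroed timestamps
    content += struct.pack("<QQII", 0, 0, 0x20, 0)           # alloc size, real size, flags, reparse
    content += struct.pack("<BB", len(name), 3) + utf16      # name length, namespace, UTF-16LE name
    content += bytes(-len(content) % 8)                      # attribute length is 8-byte aligned
    header = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 24 + len(content),
                         0, 0, 24, 0, attr_id, len(content), 24, 0, 0)
    return header + content


def build_record(entry, sequence, base_ref, attrs, usn=0x0001):
    """Assemble a 1024-byte MFT record and apply update sequence fixups the way NTFS does."""
    body = b"".join(attrs) + struct.pack("<I", ATTR_END) + bytes(4)
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", usa_off, usa_count, 0, sequence,
                                   len(attrs), first_attr, 1, first_attr + len(body),
                                   RECORD_SIZE, base_ref, len(attrs), 0, entry)
    rec = bytearray(header + bytes(first_attr - len(header)) + body)
    rec += bytes(RECORD_SIZE - len(rec))
    usa = struct.pack("<H", usn)
    for i in range(usa_count - 1):                           # one fixup entry per 512-byte sector
        pos = (i + 1) * SECTOR_SIZE - 2
        usa += bytes(rec[pos:pos + 2])                       # keep the original last two bytes
        rec[pos:pos + 2] = usa[:2]                           # and stamp the USN in their place
    rec[usa_off:usa_off + len(usa)] = usa
    return bytes(rec)


def apply_fixups(record):
    """Undo the update sequence array; a mismatch means a torn or tampered record."""
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        pos = (i + 1) * SECTOR_SIZE - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        rec[pos:pos + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(rec)


def parse_record(record):
    """Return entry number, sequence, base record reference and every resident $FILE_NAME."""
    rec = apply_fixups(record)
    sequence, _links, first_attr = struct.unpack_from("<HHH", rec, 16)
    base_ref = struct.unpack_from("<Q", rec, 32)[0]          # 0 for a base record
    entry = struct.unpack_from("<I", rec, 44)[0]
    names, off = [], first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 24 or off + alen > len(rec):
            break                                            # end marker or out-of-bounds length
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident $FILE_NAME only
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + clen]
            nlen = content[0x40] if len(content) > 0x42 else 0
            parent = struct.unpack_from("<Q", content, 0)[0] & 0xFFFFFFFFFFFF
            names.append((parent, content[0x42:0x42 + 2 * nlen].decode("utf-16-le")))
        off += alen
    return {"entry": entry, "sequence": sequence, "names": names,
            "base_entry": base_ref & 0xFFFFFFFFFFFF, "base_sequence": base_ref >> 48}


def collect_file_names(records):
    """Map each base entry to the $FILE_NAME attributes of itself and its extension records.

    An extension record is attached only when its base reference carries the base
    record's current sequence number; otherwise it belongs to an earlier life of
    that MFT entry and its names must not be mixed in."""
    parsed = [parse_record(r) for r in records]
    by_entry = {p["entry"]: p for p in parsed}
    merged = {p["entry"]: list(p["names"]) for p in parsed if p["base_entry"] == 0}
    for p in parsed:
        base = by_entry.get(p["base_entry"])
        if (p["base_entry"] != 0 and base is not None and base["base_entry"] == 0
                and base["sequence"] == p["base_sequence"]):
            merged[base["entry"]].extend(p["names"])
    return merged


def sample_records():
    """Constructed records: base entry 38, two live extension records, one stale one."""
    return [
        build_record(38, 1, 0, [build_file_name_attr(file_ref(37, 1), "testfile1", 2),
                                build_file_name_attr(file_ref(39, 1), "hardlink1", 3)]),
        build_record(46, 1, file_ref(38, 1), [build_file_name_attr(file_ref(40, 1), "hardlink2", 0),
                                              build_file_name_attr(file_ref(41, 1), "hardlink3", 1)]),
        build_record(51, 1, file_ref(38, 1), [build_file_name_attr(file_ref(42, 1), "hardlink4", 0)]),
        # stale extension: references entry 38 with sequence 0, a previous incarnation
        build_record(60, 1, file_ref(38, 0), [build_file_name_attr(file_ref(43, 1), "stale", 0)]),
    ]


if __name__ == "__main__":
    for entry, names in collect_file_names(sample_records()).items():
        print(entry, names)
```

Two checks matter for forensic use of this grouping: the sequence number in the base reference must equal the base record's own sequence number (a reused entry otherwise inherits names from a deleted file), and the fixup array must verify before any offset in the record is trusted, since a torn or edited record can place attribute lengths that walk the parser off the end of the entry.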