thewhiteninja / ntfstool

Forensics tool for NTFS (parser, mft, bitlocker, deleted files)
MIT License

Cannot dump $LogFile #23

Open mirh opened 1 year ago

mirh commented 1 year ago

shell disk=1 volume=3 disk1:volume3:> ls

Inode | Type | Name                      |         Size | Creation Date       | Attributes
---------------------------------------------------------------------------------------------
4 |      | $AttrDef                  |         2560 | 2021-02-18 05:45:18 | Hi Sy
8 |      | $BadClus                  |            0 | 2021-02-18 05:45:18 | Hi Sy
| ADS  |   $Bad                    | 510905020416 |                     |
6 |      | $Bitmap                   |     15591584 | 2021-02-18 05:45:18 | Hi Sy
| ADS  |   $SRAT                   |           68 |                     |
7 |      | $Boot                     |         8192 | 2021-02-18 05:45:18 | Hi Sy
11 | DIR  | $Extend                   |              | 2021-02-18 05:45:18 | Hi Sy
2 |      | $LogFile                  |     67108864 | 2021-02-18 05:45:18 | Hi Sy
0 |      | $MFT                      |   2073034752 | 2021-02-18 05:45:18 | Hi Sy
1 |      | $MFTMirr                  |         4096 | 2021-02-18 05:45:18 | Hi Sy
4502 | DIR  | $Recycle.Bin              |              | 2019-12-07 10:14:52 | Hi Sy
9 |      | $Secure                   |            0 | 2021-02-18 05:45:18 | Hi Sy
10 |      | $UpCase                   |       131072 | 2021-02-18 05:45:18 | Hi Sy
| ADS  |   $Info                   |           32 |                     |
3 |      | $Volume                   |            0 | 2021-02-18 05:45:18 | Hi Sy
154204 | DIR  | $WINDOWS.~BT              |              | 2021-11-02 22:52:59 |
50617 | DIR  | $Windows.~WS              |              | 2022-02-06 19:18:00 | Hi Ni
156 | DIR  | $WinREAgent               |              | 2023-01-10 22:38:03 | Hi

mft.record disk=1 volume=3


MFT (inode:0) for \\.\PhysicalDrive1 > Volume:3
-----------------------------------------------

Signature          : FILE
Update Offset      : 48
Update Number      : 3
$LogFile LSN       : 305819962804
Sequence Number    : 1
Hardlink Count     : 1
Attribute Offset   : 56
Flags              : In use
Real Size          : 888
Allocated Size     : 1024
Base File Record   : 0000000000000000h
Next Attribute ID  : 13
MFT Record Index   : 0
Update Seq Number  : 1714
Update Seq Array   : 01150000

Attributes:

+--------------------------------------------------------------------------------------------------------------+
| Id | Type                  | Non-resident | Length     | Overview                                            |
+--------------------------------------------------------------------------------------------------------------+
| 1  | $STANDARD_INFORMATION | False        | 72         | File Created Time       : 2021-02-18 05:45:18       |
|    | Raw address:          |              |            | Last File Write Time    : 2021-02-18 05:45:18       |
|    | 0000c0000050h         |              |            | FileRecord Changed Time : 2021-02-18 05:45:18       |
|    |                       |              |            | Last Access Time        : 2021-02-18 05:45:18       |
|    |                       |              |            | Permissions             :                           |
|    |                       |              |            |   read_only : 0  hidden : 1  system : 1  device : 0 |
|    |                       |              |            |   normal : 0  temporary : 0  sparse : 0             |
|    |                       |              |            |   reparse_point : 0  compressed : 0  offline : 0    |
|    |                       |              |            |   not_indexed : 0  encrypted : 0                    |
|    |                       |              |            | Max Number of Versions  : 0                         |
|    |                       |              |            | Version Number          : 0                         |
+--------------------------------------------------------------------------------------------------------------+
| 2  | $FILE_NAME            | False        | 74         | Parent Dir Record Index : 5                         |
|    | Raw address:          |              |            | Parent Dir Sequence Num : 5                         |
|    | 0000c00000b0h         |              |            | File Created Time       : 2021-02-18 05:45:18       |
|    |                       |              |            | Last File Write Time    : 2021-02-18 05:45:18       |
|    |                       |              |            | FileRecord Changed Time : 2021-02-18 05:45:18       |
|    |                       |              |            | Last Access Time        : 2021-02-18 05:45:18       |
|    |                       |              |            | Allocated Size          : 1417412608                |
|    |                       |              |            | Real Size               : 1417412608                |
|    |                       |              |            | NameType                : DOS & WIN32               |
|    |                       |              |            | Name                    : $MFT                      |
+--------------------------------------------------------------------------------------------------------------+
| 3  | $DATA                 | True         | 2073034752 | Size: 2073034752 (1.93 GiB)                         |
|    | Raw address:          |              |            | Dataruns:                                           |
|    | 0000c0000140h         |              |            |   Length: 0000c820  Offset: 000c0000                |
|    |                       |              |            |   Length: 000053a3  Offset: 00adb375                |
|    |                       |              |            |   Length: 000035fe  Offset: 0055d48a                |
|    |                       |              |            |   Length: 0000323f  Offset: 0103745c                |
|    |                       |              |            |   Length: 0000c819  Offset: 01e90c48                |
|    |                       |              |            |   Length: 0000c819  Offset: 06379147                |
|    |                       |              |            |   Length: 000027ce  Offset: 05391ba4                |
|    |                       |              |            |   Length: 0000a4d4  Offset: 07122acc                |
|    |                       |              |            |   Length: 000063f4  Offset: 04255ee4                |
|    |                       |              |            |   Length: 00000a8e  Offset: 06c65c0c                |
|    |                       |              |            |   Length: 000001ad  Offset: 051b2127                |
|    |                       |              |            |   Length: 0000cbf2  Offset: 07166c3c                |
|    |                       |              |            |   Length: 00002d83  Offset: 05db27f9                |
|    |                       |              |            |   Length: 0000406d  Offset: 073cd633                |
|    |                       |              |            |   Length: 00000e97  Offset: 041df470                |
|    |                       |              |            |   Length: 00000e89  Offset: 06f2dbb7                |
|    |                       |              |            |   Length: 00000de1  Offset: 03cc3927                |
|    |                       |              |            |   Length: 00000db5  Offset: 00466aaf                |
|    |                       |              |            |   Length: 00000dab  Offset: 041a0cd9                |
|    |                       |              |            |   Length: 00000f95  Offset: 07315b99                |
|    |                       |              |            |   Length: 00004aa8  Offset: 01250b40                |
|    |                       |              |            |   Length: 00000ab8  Offset: 0550d6b6                |
|    |                       |              |            |   Length: 00000595  Offset: 012cc194                |
|    |                       |              |            |   Length: 000004b4  Offset: 07209d68                |
|    |                       |              |            |   Length: 000004ad  Offset: 02fa5c78                |
|    |                       |              |            |   Length: 00000490  Offset: 01c4dde0                |
|    |                       |              |            |   Length: 00001c84  Offset: 02dac5a1                |
|    |                       |              |            |   Length: 00001d1a  Offset: 04d84ea5                |
|    |                       |              |            |   Length: 00001264  Offset: 051c21b8                |
|    |                       |              |            |   Length: 0000003d  Offset: 016a5e21                |
|    |                       |              |            |   Length: 0000079c  Offset: 016a2164                |
|    |                       |              |            |   Length: 00002468  Offset: 0561ec80                |
|    |                       |              |            |   Length: 0000376a  Offset: 04e83dd8                |
|    |                       |              |            |   Length: 00002b63  Offset: 05f1e700                |
|    |                       |              |            |   Length: 0000279c  Offset: 019bcf80                |
|    |                       |              |            |   Length: 0000279f  Offset: 0477d34c                |
|    |                       |              |            |   Length: 00002fa3  Offset: 0707668c                |
|    |                       |              |            |   Length: 00001551  Offset: 00dcbde8                |
|    |                       |              |            | Virtual size: 0 (0.00 byte)                         |
|    |                       |              |            | Real size : 2073034752 (1.93 GiB)                   |
+--------------------------------------------------------------------------------------------------------------+
| 4  | $BITMAP               | True         | 254944     | Index Node Used         : 1752184                   |
|    | Raw address:          |              |            |                                                     |
|    | 0000c0000290h         |              |            |                                                     |
+--------------------------------------------------------------------------------------------------------------+

But last but not least
>  logfile.dump disk=1 volume=3 output=log.log format=raw

LogFile from \\.\PhysicalDrive1 > Volume:3

[+] Opening \\?\Volume{3de295f9-1d5e-4f1d-bbce-fb5e97329559}\
[+] Reading $LogFile record
[+] $LogFile size : 64.00 MiBs
[+] Creating log.log
[!] Unable to find corresponding $DATA attribute
[+] Processing data: 0.00 byte

[+] Closing volume
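The record layout printed by mft.record above (update sequence array, attribute headers, dataruns) and the $DATA lookup that logfile.dump reports as failing, as an added Python example. This is not ntfstool's code and is not part of the original issue: it applies the fixups, walks the attributes of one FILE record, decodes non-resident dataruns and looks up the unnamed $DATA stream, refusing torn records and reporting (instead of silently missing) the case where the attribute may sit in an extension record referenced by $ATTRIBUTE_LIST. The record it parses is constructed in memory, a synthetic inode 2 with a 64 MiB default stream and a hypothetical ADS named $Example; nothing is read from a real volume, and the field offsets follow the standard NTFS on-disk layout.

```python
import struct
SECTOR, RECORD_SIZE = 512, 1024
ATTR_STANDARD_INFORMATION, ATTR_ATTRIBUTE_LIST, ATTR_DATA, ATTR_END = 0x10, 0x20, 0x80, 0xFFFFFFFF

def apply_fixups(record):
    # Every sector ends with the update sequence number; the array after the USN keeps the real words.
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:  # torn write or corruption: do not trust this record
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[end:end + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def decode_runs(data, off):
    # Header byte: low nibble = length byte count, high nibble = signed LCN-delta byte count (0 = sparse).
    runs, lcn = [], 0
    while data[off] != 0:
        lb, ob = data[off] & 0xF, data[off] >> 4
        length = int.from_bytes(data[off + 1:off + 1 + lb], "little")
        if ob:  # delta is relative to the previous run's LCN
            lcn += int.from_bytes(data[off + 1 + lb:off + 1 + lb + ob], "little", signed=True)
        runs.append((length, lcn if ob else None))
        off += 1 + lb + ob
    return runs

def parse_record(raw):
    # FILE record header: the same fields mft.record prints, at their on-disk offsets.
    if raw[:4] != b"FILE": raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    seq, _links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    record_no, attrs, off = struct.unpack_from("<I", rec, 0x2C)[0], [], attr_off
    while off + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if length < 0x18 or off + length > len(rec):
            raise ValueError(f"corrupt attribute length at 0x{off:x}")
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        attr = {"type": atype, "name": name, "nonresident": bool(nonres)}
        if nonres:
            run_off, _cu, _pad, _alloc, real = struct.unpack_from("<HHIQQ", rec, off + 0x20)
            attr.update(real_size=real, runs=decode_runs(rec, off + run_off))
        else:
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            attr["value"] = rec[off + voff:off + voff + vlen]
        attrs.append(attr)
        off += length
    return {"record_no": record_no, "sequence": seq, "in_use": bool(flags & 1), "attrs": attrs}

def find_data_stream(record, name=""):
    # "" is the unnamed default stream; an ADS like $Bad or $Info carries a name and must not match.
    # Caveat: attributes can live in extension records listed in $ATTRIBUTE_LIST; report, don't miss, that case.
    for a in record["attrs"]:
        if a["type"] == ATTR_DATA and a["name"] == name:
            return a
    if any(a["type"] == ATTR_ATTRIBUTE_LIST for a in record["attrs"]):
        raise LookupError("no matching $DATA in base record: follow $ATTRIBUTE_LIST")
    return None

def encode_runs(runs):  # sample builder for constructed data; fixed 4-byte fields, real runlists use the minimum width
    out, prev = bytearray(), 0
    for length, lcn in runs:
        out += b"\x44" + length.to_bytes(4, "little") + (lcn - prev).to_bytes(4, "little", signed=True)
        prev = lcn
    return bytes(out + b"\0")

def resident_attr(atype, value, attr_id, name=""):
    name_u = name.encode("utf-16-le")
    value_off = (0x18 + len(name_u) + 7) & ~7
    length = (value_off + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, len(name), 0x18, 0, attr_id, len(value), value_off, 0, 0)
    return (hdr + name_u).ljust(value_off, b"\0") + value.ljust(length - value_off, b"\0")

def nonresident_attr(atype, real_size, runs, attr_id, cluster=4096):
    runlist, clusters = encode_runs(runs), sum(n for n, _ in runs)
    length = (0x40 + len(runlist) + 7) & ~7
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", atype, length, 1, 0, 0x40, 0, attr_id,
                      0, clusters - 1, 0x40, 0, 0, clusters * cluster, real_size, real_size)
    return hdr + runlist.ljust(length - 0x40, b"\0")

def build_record(record_no, seq, attrs, usn=0x06B2):
    usa_off, usa_count, attr_off = 0x30, 3, 0x38  # "Update Offset : 48", "Update Number : 3"
    body = b"".join(attrs) + struct.pack("<I", ATTR_END) + b"\0" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, seq, 1, attr_off, 1,
                      attr_off + len(body), RECORD_SIZE, 0, len(attrs) + 1, 0, record_no)
    rec = bytearray(((hdr + struct.pack("<H", usn)).ljust(attr_off, b"\0") + body).ljust(RECORD_SIZE, b"\0"))
    for i in range(1, usa_count):  # save each sector's trailing word, then stamp the USN over it
        end = i * SECTOR - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = struct.pack("<H", usn)
    return bytes(rec)

LOGFILE_RECORD = build_record(2, 1, [  # constructed: synthetic inode 2, 64 MiB default stream, hypothetical ADS
    resident_attr(ATTR_STANDARD_INFORMATION, b"\0" * 72, 1),
    nonresident_attr(ATTR_DATA, 64 * 1024 * 1024, [(0x2000, 0x3000), (0x2000, 0x1000)], 2),
    resident_attr(ATTR_DATA, b"constructed", 3, name="$Example"),
])
```

To try it on real data, pass parse_record() the bytes of one FILE record (record index times the record size, 1024 here, into the $MFT data) and call find_data_stream() with no name. A None result with no $ATTRIBUTE_LIST present means the base record genuinely has no unnamed $DATA; a LookupError means the search has to continue in the extension records, which this example deliberately does not do.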