
mft parser: use orphaned $FILE_NAME attributes of attribute list MFT entries for path reconstruction #3840

Open
harelsegev opened this issue Sep 24, 2021 · 4 comments
Labels: blocked (Work cannot progress until another issue is resolved), dependency (Issues related to, or caused by a dependency), enhancement (New or improved functionality), parsers (Issues related to parsers and parser plug-ins)

Comments

@harelsegev

Description of problem:
Consider this scenario that I created on a test image:

  1. \Folder1 is created (file reference: 38-1)
  2. \Folder1\File1.txt is created (file reference: 42-1)
  3. The $FILE_NAME attribute of \Folder1 is moved to an extension record (extension record reference: 43-1)
  4. \Folder1 is deleted
  5. \File2.txt is created (file reference: 38-2)

File1.txt is now orphan, because the record of Folder1 was reused (path hint: $Orphan\File1.txt)

Observations:

  • The record at index 42 still describes File1.txt

    • The parent file reference in the $FILE_NAME attribute is 38-1
    • This reference is invalid
  • There's an extension record at MFT index 43

    • Its base record reference is also 38-1!
    • It has a $FILE_NAME attribute inside it

Because these two references match, this extension record belonged to the parent of File1.txt.
Therefore, the $FILE_NAME attribute inside it can be used to reconstruct the full path of File1.txt -
\Folder1\File1.txt

I haven't seen any MFT parser that is able to reconstruct the path this way. Is there a reason not to do this?

Command line and arguments:

log2timeline.py --parsers mft --storage-file storage.plaso ./Evidence
psort.py -o dynamic -w timeline.csv storage.plaso

Source data:

I used plaso against this MFT file:
$MFT.zip

Here is the full disk image:
image.zip

Plaso version:

20210606

Operating system Plaso is running on:

Ubuntu 20.04.3

Installation method:

  • installed from the GIFT PPA (https://launchpad.net/~gift), stable track
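The reconstruction described in this issue, written out as an added example (not plaso or libfsntfs code): the MFT entries are small Python objects reconstructed from the attribute dump in this thread (entry 38 reused as \File2.txt with sequence 2, entry 42 as File1.txt with the stale parent reference 38-1, extension entry 43 with base record reference 38-1 holding Folder1's $FILE_NAME). Class, function and parameter names are this example's own. The resolver first tries the base record at the parent's index; when the sequence number no longer matches, it falls back to a $FILE_NAME taken from an extension record whose full base record reference (index and sequence) equals the stale parent reference.

```python
"""Path-hint reconstruction with a fallback to orphaned $FILE_NAME attributes
stored in extension (attribute list) MFT records.

Added example, not plaso or libfsntfs code.  The records are reconstructed
from the attribute dump in this issue: entry 38 (reused, now File2.txt with
sequence 2), entry 42 (File1.txt whose parent reference 38-1 is stale) and
extension entry 43 (base record reference 38-1, carrying Folder1's
$FILE_NAME).  Class and function names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FileRef = Tuple[int, int]  # (MFT entry index, sequence number), e.g. 38-1
ROOT_INDEX = 5             # MFT entry of the root directory


@dataclass
class FileName:
    """The parts of a $FILE_NAME attribute needed for path reconstruction."""
    name: str
    parent_ref: FileRef


@dataclass
class MftEntry:
    index: int
    sequence: int
    allocated: bool
    base_ref: Optional[FileRef] = None   # set only on extension records
    file_names: List[FileName] = field(default_factory=list)


class PathResolver:
    def __init__(self, entries: List[MftEntry]) -> None:
        self.by_index: Dict[int, MftEntry] = {e.index: e for e in entries}
        # $FILE_NAME attributes that live in extension records, keyed by the
        # full base record reference (index and sequence) they belong to.
        self.orphaned: Dict[FileRef, List[FileName]] = {}
        for e in entries:
            if e.base_ref is not None and e.file_names:
                self.orphaned.setdefault(e.base_ref, []).extend(e.file_names)

    def _lookup(self, ref: FileRef, use_extension_records: bool) -> Optional[FileName]:
        """Return a $FILE_NAME describing `ref`, or None if nothing is known."""
        index, sequence = ref
        entry = self.by_index.get(index)
        if (entry is not None and entry.sequence == sequence
                and entry.base_ref is None and entry.file_names):
            return entry.file_names[0]
        # The base record is gone or was reused (sequence mismatch).  An
        # extension record whose base reference equals `ref` exactly, sequence
        # included, still holds the old $FILE_NAME of that entry.
        if use_extension_records:
            names = self.orphaned.get(ref)
            if names:
                return names[0]
        return None

    def path_hint(self, ref: FileRef, use_extension_records: bool = True,
                  max_depth: int = 64) -> Optional[str]:
        """Walk parent references from `ref` toward the root.

        Returns a full path when the root is reached, a $Orphan-prefixed
        hint when a parent cannot be resolved, and None when nothing is known
        about `ref` itself.
        """
        components: List[str] = []
        current = ref
        for _ in range(max_depth):
            if current[0] == ROOT_INDEX:
                return "\\" + "\\".join(reversed(components))
            file_name = self._lookup(current, use_extension_records)
            if file_name is None:
                if not components:
                    return None
                return "$Orphan\\" + "\\".join(reversed(components))
            components.append(file_name.name)
            current = file_name.parent_ref
        # Reference cycle or absurd depth (corrupt or adversarial MFT).
        return "$Orphan\\" + "\\".join(reversed(components))


def build_sample_resolver() -> PathResolver:
    """Constructed sample mirroring the dump in this issue."""
    entries = [
        MftEntry(ROOT_INDEX, 5, True, file_names=[FileName(".", (5, 5))]),
        MftEntry(38, 2, True, file_names=[FileName("File2.txt", (5, 5))]),
        MftEntry(42, 2, False, file_names=[FileName("File1.txt", (38, 1))]),
        MftEntry(43, 2, False, base_ref=(38, 1),
                 file_names=[FileName("Folder1", (5, 5))]),
    ]
    return PathResolver(entries)


if __name__ == "__main__":
    resolver = build_sample_resolver()
    print(resolver.path_hint((42, 2), use_extension_records=False))  # $Orphan\File1.txt
    print(resolver.path_hint((42, 2)))                               # \Folder1\File1.txt
```

Two caveats for anyone turning this into a real parser. The match is on the full file reference, but the sequence number is a 16-bit counter and wraps after enough reuses of the same entry, so a matching extension record is strong evidence, not proof, and a timeline should mark such paths as reconstructed from an orphaned $FILE_NAME. Entries with several $FILE_NAME attributes (DOS plus Win32 names) should prefer the Win32 or POSIX name; this example simply takes the first.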
@joachimmetz
Member

joachimmetz commented Sep 24, 2021

I haven't seen any MFT parser that is able to reconstruct the path this way. Is there a reason not to do this?

Interesting observations and edge case.

As I indicated in https://osdfir.blogspot.com/2020/04/parsing-mft-ntfs-metadata-file.html, "Full path reconstruction is an approximation". My guess why most parsers don't do this is because it might not be a common or previously observed scenario (not sure). If you have means to reproduce the scenario programmatically I recommend adding it to https://github.com/dfirlabs/ntfs-specimens.

But at first glance, I see no obvious reason why the MFT entry: 43 could not be used in the determination of the path hints.

MFT entry: 38 information:
        Is allocated                    : true
        File reference                  : 38-2
        Base record file reference      : Not set (0)
        Journal sequence number         : 1094537
        Number of attributes            : 4

Attribute: 1
        Type                            : $STANDARD_INFORMATION (0x00000010)
        Creation time                   : Sep 24, 2021 14:37:31.760882100 UTC
        Modification time               : Sep 24, 2021 14:37:40.868469900 UTC
        Access time                     : Sep 24, 2021 14:37:40.872403200 UTC
        Entry modification time         : Sep 24, 2021 14:37:40.868469900 UTC
        Owner identifier                : 0
        Security descriptor identifier  : 268
        Update sequence number          : 0
        File attribute flags            : 0x00000020
                Should be archived (FILE_ATTRIBUTE_ARCHIVE)

Attribute: 2
        Type                            : $FILE_NAME (0x00000030)
        Parent file reference           : 5-5
        Creation time                   : Sep 24, 2021 14:37:31.760882100 UTC
        Modification time               : Sep 24, 2021 14:37:31.760882100 UTC
        Access time                     : Sep 24, 2021 14:37:31.760882100 UTC
        Entry modification time         : Sep 24, 2021 14:37:31.760882100 UTC
        File attribute flags            : 0x00000020
                Should be archived (FILE_ATTRIBUTE_ARCHIVE)
        Name space                      : POSIX (0)
        Name                            : File2.txt
        Path hint                       : \File2.txt

Attribute: 3
        Type                            : $OBJECT_ID (0x00000040)
        Droid file identifier           : 36ac4732-1d20-11ec-9c3c-d017c29aac48

Attribute: 4
        Type                            : $DATA (0x00000080)
        Data size                       : 8 bytes
        Data flags                      : 0x0000

MFT entry: 42 information:
        Is allocated                    : false
        File reference                  : 42-2
        Base record file reference      : Not set (0)
        Journal sequence number         : 1092454
        Number of attributes            : 4

Attribute: 1
        Type                            : $STANDARD_INFORMATION (0x00000010)
        Creation time                   : Sep 24, 2021 14:05:20.789515000 UTC
        Modification time               : Sep 24, 2021 14:08:14.879550100 UTC
        Access time                     : Sep 24, 2021 14:08:18.538968300 UTC
        Entry modification time         : Sep 24, 2021 14:08:14.879550100 UTC
        Owner identifier                : 0
        Security descriptor identifier  : 268
        Update sequence number          : 0
        File attribute flags            : 0x00000020
                Should be archived (FILE_ATTRIBUTE_ARCHIVE)

Attribute: 2
        Type                            : $FILE_NAME (0x00000030)
        Parent file reference           : 38-1
        Creation time                   : Sep 24, 2021 14:05:20.789515000 UTC
        Modification time               : Sep 24, 2021 14:05:20.789515000 UTC
        Access time                     : Sep 24, 2021 14:05:20.789515000 UTC
        Entry modification time         : Sep 24, 2021 14:05:20.789515000 UTC
        File attribute flags            : 0x00000020
                Should be archived (FILE_ATTRIBUTE_ARCHIVE)
        Name space                      : POSIX (0)
        Name                            : File1.txt
        Path hint                       : $Orphan\File1.txt

Attribute: 3
        Type                            : $OBJECT_ID (0x00000040)
        Droid file identifier           : 36ac455b-1d20-11ec-9c3c-d017c29aac48

Attribute: 4
        Type                            : $DATA (0x00000080)
        Data size                       : 8 bytes
        Data flags                      : 0x0000

MFT entry: 43 information:
        Is allocated                    : false
        File reference                  : 43-2
        Base record file reference      : 38-1
        Journal sequence number         : 1092562
        Number of attributes            : 14

Attribute: 1
        Type                            : $FILE_NAME (0x00000030)
        Parent file reference           : 5-5
        Creation time                   : Sep 24, 2021 14:03:43.755965400 UTC
        Modification time               : Sep 24, 2021 14:03:43.755965400 UTC
        Access time                     : Sep 24, 2021 14:03:43.755965400 UTC
        Entry modification time         : Sep 24, 2021 14:03:43.755965400 UTC
        File attribute flags            : 0x10000000
                Unknown (0x10000000)
        Name space                      : POSIX (0)
        Name                            : Folder1
        Path hint                       : \Folder1

Attribute: 2
        Type                            : $OBJECT_ID (0x00000040)
        Droid file identifier           : 36ac454e-1d20-11ec-9c3c-d017c29aac48

@joachimmetz joachimmetz self-assigned this Sep 24, 2021
@joachimmetz joachimmetz added dependency Issues related to, or caused by a dependency enhancement New or improved functionality parsers Issues related to parsers and parser plug-ins labels Sep 24, 2021
@joachimmetz joachimmetz added the blocked Work cannot progress until another issue is resolved label Sep 24, 2021
@joachimmetz
Member

Blocked on work on libyal/libfsntfs#29

@joachimmetz joachimmetz changed the title mft parser: $FILE_NAME attributes in $ATTRIBUTE_LIST are not used to reconstruct paths if the base record is reused mft parser: use orphaned $FILE_NAME attributes of attribute list MFT entries for path reconstruction Sep 24, 2021
@harelsegev
Author

Your post (https://osdfir.blogspot.com/2020/04/parsing-mft-ntfs-metadata-file.html) is what inspired me to look for edge cases in the first place! I'm glad I can help, even just a little bit.

@joachimmetz
Member

good to hear, thx for looking for additional ones and sharing
