mft parser: use orphaned $FILE_NAME attributes of attribute list MFT entries for path reconstruction
Description of problem: Consider this scenario that I created on a test image:
- \Folder1 is created (file reference: 38-1)
- \Folder1\File1.txt is created (file reference: 42-1)
- The $FILE_NAME attribute of \Folder1 is moved to an extension record (extension record reference: 43-1)
- \Folder1 is deleted
- \File2.txt is created (file reference: 38-2)
File1.txt is now orphan, because the record of Folder1 was reused (path hint: $Orphan\File1.txt)
Observations:
- The record at index 42 still describes File1.txt
  - The parent file reference in the $FILE_NAME attribute is 38-1
  - This reference is invalid
- There's an extension record at MFT index 43
  - Its base record reference is also 38-1!
  - It has a $FILE_NAME attribute inside it
Because these 2 references match, this extension record belonged to the parent of File1.txt. Therefore, the $FILE_NAME attribute inside it can be used to reconstruct the full path of File1.txt: \Folder1\File1.txt
I haven't seen any MFT parser that is able to reconstruct the path this way. Is there a reason not to do this?
Command line and arguments:
log2timeline.py --parsers mft --storage-file storage.plaso ./Evidence
psort.py -o dynamic -w timeline.csv storage.plaso
Source data:
I used plaso against this MFT file: $MFT.zip
Here is the full disk image: image.zip
Plaso version:
20210606
Operating system Plaso is running on:
Ubuntu 20.04.3
Installation method:
- installed from [GiFT PPA](https://launchpad.net/~gift) stable track
Interesting observations and edge case.
As I indicated in https://osdfir.blogspot.com/2020/04/parsing-mft-ntfs-metadata-file.html "Full path reconstruction is an approximation". My guess why most parsers don't do this is because it might not be a common or previously observed scenario (not sure). If you have means to reproduce the scenario programmatically I recommend adding it to https://github.com/dfirlabs/ntfs-specimens.
But at first glance, I see no obvious reason why the MFT entry: 43 could not be used in the determination of the path hints.
MFT entry: 38 information:
Is allocated : true
File reference : 38-2
Base record file reference : Not set (0)
Journal sequence number : 1094537
Number of attributes : 4
Attribute: 1
Type : $STANDARD_INFORMATION (0x00000010)
Creation time : Sep 24, 2021 14:37:31.760882100 UTC
Modification time : Sep 24, 2021 14:37:40.868469900 UTC
Access time : Sep 24, 2021 14:37:40.872403200 UTC
Entry modification time : Sep 24, 2021 14:37:40.868469900 UTC
Owner identifier : 0
Security descriptor identifier : 268
Update sequence number : 0
File attribute flags : 0x00000020
Should be archived (FILE_ATTRIBUTE_ARCHIVE)
Attribute: 2
Type : $FILE_NAME (0x00000030)
Parent file reference : 5-5
Creation time : Sep 24, 2021 14:37:31.760882100 UTC
Modification time : Sep 24, 2021 14:37:31.760882100 UTC
Access time : Sep 24, 2021 14:37:31.760882100 UTC
Entry modification time : Sep 24, 2021 14:37:31.760882100 UTC
File attribute flags : 0x00000020
Should be archived (FILE_ATTRIBUTE_ARCHIVE)
Name space : POSIX (0)
Name : File2.txt
Path hint : \File2.txt
Attribute: 3
Type : $OBJECT_ID (0x00000040)
Droid file identifier : 36ac4732-1d20-11ec-9c3c-d017c29aac48
Attribute: 4
Type : $DATA (0x00000080)
Data size : 8 bytes
Data flags : 0x0000
MFT entry: 42 information:
Is allocated : false
File reference : 42-2
Base record file reference : Not set (0)
Journal sequence number : 1092454
Number of attributes : 4
Attribute: 1
Type : $STANDARD_INFORMATION (0x00000010)
Creation time : Sep 24, 2021 14:05:20.789515000 UTC
Modification time : Sep 24, 2021 14:08:14.879550100 UTC
Access time : Sep 24, 2021 14:08:18.538968300 UTC
Entry modification time : Sep 24, 2021 14:08:14.879550100 UTC
Owner identifier : 0
Security descriptor identifier : 268
Update sequence number : 0
File attribute flags : 0x00000020
Should be archived (FILE_ATTRIBUTE_ARCHIVE)
Attribute: 2
Type : $FILE_NAME (0x00000030)
Parent file reference : 38-1
Creation time : Sep 24, 2021 14:05:20.789515000 UTC
Modification time : Sep 24, 2021 14:05:20.789515000 UTC
Access time : Sep 24, 2021 14:05:20.789515000 UTC
Entry modification time : Sep 24, 2021 14:05:20.789515000 UTC
File attribute flags : 0x00000020
Should be archived (FILE_ATTRIBUTE_ARCHIVE)
Name space : POSIX (0)
Name : File1.txt
Path hint : $Orphan\File1.txt
Attribute: 3
Type : $OBJECT_ID (0x00000040)
Droid file identifier : 36ac455b-1d20-11ec-9c3c-d017c29aac48
Attribute: 4
Type : $DATA (0x00000080)
Data size : 8 bytes
Data flags : 0x0000
MFT entry: 43 information:
Is allocated : false
File reference : 43-2
Base record file reference : 38-1
Journal sequence number : 1092562
Number of attributes : 14
Attribute: 1
Type : $FILE_NAME (0x00000030)
Parent file reference : 5-5
Creation time : Sep 24, 2021 14:03:43.755965400 UTC
Modification time : Sep 24, 2021 14:03:43.755965400 UTC
Access time : Sep 24, 2021 14:03:43.755965400 UTC
Entry modification time : Sep 24, 2021 14:03:43.755965400 UTC
File attribute flags : 0x10000000
Unknown (0x10000000)
Name space : POSIX (0)
Name : Folder1
Path hint : \Folder1
Attribute: 2
Type : $OBJECT_ID (0x00000040)
Droid file identifier : 36ac454e-1d20-11ec-9c3c-d017c29aac48
Blocked on work on https://github.com/libyal/libfsntfs/issues/29
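The fallback proposed in the issue, written out as an added example (not plaso or libfsntfs code): a reduced MFT model in which `Ref`, `FileName` and `MftEntry` are assumed simplifications of a parser's types, populated with constructed entries that mirror the fsntfsinfo output above (38-2 File2.txt, 42-2 File1.txt pointing at 38-1, extension record 43-2 of 38-1 holding Folder1). It also covers the case where the folder is still allocated but its $FILE_NAME lives only in the extension record.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

Ref = Tuple[int, int]   # (MFT entry index, sequence number)
ROOT_REF: Ref = (5, 5)  # NTFS root directory

class FileName(NamedTuple):  # one $FILE_NAME attribute: name plus parent reference
    name: str
    parent_ref: Ref

class MftEntry(NamedTuple):  # assumed simplification of a parser's MFT entry
    ref: Ref
    file_names: List[FileName]
    base_ref: Optional[Ref] = None  # set only on extension records

def path_hint(entry: MftEntry, entries: List[MftEntry]) -> str:
    # Base records keyed by (index, sequence): stale 38-1 never matches reused 38-2.
    base = {e.ref: e for e in entries if e.base_ref is None}
    # Extension records grouped by the base record reference they still carry.
    ext: Dict[Ref, List[MftEntry]] = {}
    for e in entries:
        if e.base_ref is not None:
            ext.setdefault(e.base_ref, []).append(e)

    def parent_name(ref: Ref) -> Optional[FileName]:
        # Try the base record first, then extension records carrying its reference;
        # for the stale 38-1 only extension record 43 is left, which is the proposal.
        for cand in ([base[ref]] if ref in base else []) + ext.get(ref, []):
            if cand.file_names:
                return cand.file_names[0]
        return None

    fn = entry.file_names[0]
    parts, ref = [fn.name], fn.parent_ref
    for _ in range(64):  # depth guard against corrupt or cyclic references
        if ref == ROOT_REF:
            return "\\" + "\\".join(reversed(parts))
        parent = parent_name(ref)
        if parent is None:
            break
        parts.append(parent.name)
        ref = parent.parent_ref
    return "$Orphan\\" + "\\".join(reversed(parts))

# Constructed entries mirroring the issue: File2.txt reuses record 38 as 38-2,
# File1.txt still points at 38-1, extension record 43-2 of 38-1 holds Folder1.
ENTRIES = [
    MftEntry((38, 2), [FileName("File2.txt", ROOT_REF)]),
    MftEntry((42, 2), [FileName("File1.txt", (38, 1))]),
    MftEntry((43, 2), [FileName("Folder1", ROOT_REF)], base_ref=(38, 1)),
]
```

Without the extension record (pass only the first two entries) the same file resolves to `$Orphan\File1.txt`, which is the current behaviour described in the report.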
Your post (https://osdfir.blogspot.com/2020/04/parsing-mft-ntfs-metadata-file.html) is what inspired me to look for edge cases in the first place! I'm glad I can help, even just a little bit.
Good to hear, thx for looking for additional ones and sharing.