velociraptor icon indicating copy to clipboard operation
velociraptor copied to clipboard

Published 20 hours ago verified publisher icon Velocidex

Permission attributes in MFT record

Open gdms04 opened this issue 2 years ago • 3 comments

From the artifact [Windows.NTFS.MFT], we observed that the columns are set. I would like to include permission attributes of a MFT entry as well (You may refer to below screenshot for reference). May I ask for the column name(s) for this attribute? and where can I find the relevant documentation for my reference? Thanks!

image

gdms04 avatar Apr 01 '22 12:04 gdms04

In NTFS parsing permissions involves parsing the $Secure MFT entry. This is not yet implemented but an example of such a thing is here https://github.com/jschicht/Secure2Csv/blob/master/Secure2Csv.au3

It is probably a good idea to implement this.

scudette avatar Apr 04 '22 05:04 scudette

i see, thx!

gdms04 avatar Apr 04 '22 06:04 gdms04

FYI you can use Windows.Triage.SDS to collect this stream.

scudette avatar Apr 04 '22 08:04 scudette