unable to parse the buffer entry name
Hello! I've experienced some issues while trying to read the $FILE_NAME attribute: it just doesn't send me any character and remains with 0 data in the whole $MFT.
C:\Users\Lucas\Documents\Golang\mfttest>main.exe C:\Users\Lucas\Downloads\MFTECmd\xd.jaja
0
0
0
0
0
0
0
0
0
0
0
0
0
0
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"os"

	"github.com/t9t/gomft/mft"
)

func main() {
	f, err := os.Open(os.Args[1])
	if err != nil {
		log.Fatalln("Unable to open file", err)
	}
	defer f.Close()

	recordSize := 1024
	for {
		// Read the dump one raw 1024-byte MFT record at a time.
		buf := make([]byte, recordSize)
		_, err := io.ReadFull(f, buf)
		if err != nil {
			if errors.Is(err, io.EOF) {
				break
			}
			log.Fatalln("Unable to read record data", err)
		}
		// Passes the entire record buffer to ParseFileName, which expects
		// only the body of a $FILE_NAME attribute.
		jaja, err := mft.ParseFileName(buf)
		if err != nil {
			continue
		}
		fmt.Println(jaja.Name, len(jaja.Name))
	}
}
Thank you for opening an issue. It's been a while since I worked on this project or studied NTFS and the MFT, but I will do my best to help you out.
Can you specify what xd.jaja is exactly? Is it a dump of the MFT of an actual NTFS partition? Or has some processing been performed on it already?
Unfortunately, the MFT file structure is a bit more complicated than that. The documentation of the ParseFileName function says the following:
ParseFileName parses the data of a $FILE_NAME attribute's data (type AttributeTypeFileName) into FileName. Note that no additional correctness checks are done, so it's up to the caller to ensure the passed data actually represents a $FILE_NAME attribute's data.
However, the MFT does not consist of just $FILE_NAME attributes. Assuming that xd.jaja is a dump of the MFT of an NTFS partition, it starts with "records" which each contain some metadata about special files (such as the MFT itself). They can then be used to parse the rest of MFT.
To get to the actual file, you would first have to read a record using ParseRecord, then access its Attributes finding the one with the Type of AttributeTypeFileName. That attribute's Data is the binary data called $FILE_NAME, which can be parsed using ParseFileName.
So in the loop, you would do something along the lines of this:
	record, err := mft.ParseRecord(buf)
	if err != nil {
		continue
	}
	// Look through the record's attributes for the $FILE_NAME one.
	for _, attr := range record.Attributes {
		if attr.Type == mft.AttributeTypeFileName {
			// attr.Data is the raw $FILE_NAME body that ParseFileName expects.
			filename, err := mft.ParseFileName(attr.Data)
			if err != nil {
				panic(err)
			}
			fmt.Println(filename.Name)
			break
		}
	}
If you run this on the MFT of an NTFS partition, you will see that the first few records have file name attributes like $MFT, $MFTMirr, $LogFile, etc.: the special files I mentioned earlier.
Note that even then it's not that simple. When I tried to make an app to index files on an NTFS volume quickly to search through them (like the WizTree app), I found that there were many entries in the MFT that were either somehow duplicated, or entries for deleted files, or entries that just didn't make sense to me. There's a lot to NTFS and MFT that is not trivial, and you need a lot of knowledge to interpret the data.
There are some starting documents in the README: https://github.com/t9t/gomft#references
IT WORKED! Sorry about the xd.jaja; it was the MFT file actually, but I forgot to rename it.
Also, another question: does this save the file path and the Zone.Identifier Alternate Data Stream? I'm not able to find it in the code.
Thank you anyway!
I recall learning about alternate data streams, but I couldn't quite remember how they're stored. So I asked ChatGPT: https://chatgpt.com/share/2c19c6b1-b002-4259-9804-34cc718f7759
In short, the file should have multiple attributes of the type $DATA (0x80), and the Name of the Attribute should reflect what type of stream it is. If it doesn't have a name, it should be the file's contents. If it does have a name, it should be the name of the Alternate Data Stream. So in this case, you would be looking for an attribute with a Type of AttributeTypeData and a Name of Zone.Identifier.
The best way to validate this is if you have a filesystem with a file with the properties you are looking for, and finding that file and its alternate data streams in the MFT dump of that filesystem.
Unfortunately this is as far as my knowledge extends, I hope it's enough to help you along!
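An added example, not code from this thread or from gomft, that does what the reply above describes: walk a record's attributes and pick out the $DATA (0x80) entries by name, the unnamed one being the file's own content and one with a Name of Zone.Identifier being the alternate data stream that records where a download came from (the "mark of the web", which is why forensic tooling looks for it). It uses only the Go standard library so it runs without the gomft module, and therefore re-implements the attribute-header walk that gomft's ParseRecord performs for you; with gomft the equivalent test on each attribute is `attr.Type == mft.AttributeTypeData && attr.Name == "Zone.Identifier"`. The header offsets follow the NTFS on-disk attribute layout; ParseAttributes, DataStreams, buildResident and SampleAttributeArea are names chosen for this example, not gomft APIs; and the attribute bytes are constructed in the code rather than taken from a real volume.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

const attrTypeData, attrTypeEnd = 0x80, 0xFFFFFFFF // $DATA (gomft's AttributeTypeData) and the attribute list terminator

// Attribute is the subset of an MFT attribute header this example needs.
type Attribute struct {
	Type uint32
	Name string // "" for the unnamed main stream, otherwise the alternate data stream name
	Data []byte // nil when non-resident: the data then lives in clusters, not in the record
}

func decodeUTF16LE(b []byte) string {
	units := make([]uint16, len(b)/2)
	for i := range units {
		units[i] = binary.LittleEndian.Uint16(b[2*i:])
	}
	return string(utf16.Decode(units))
}

// ParseAttributes walks a record's attribute area (the bytes after the fixed record header) up to
// the terminator, bounds-checking every offset so a corrupt record cannot cause an out-of-range read.
func ParseAttributes(area []byte) ([]Attribute, error) {
	var attrs []Attribute
	for off := 0; ; {
		if off+4 > len(area) {
			return nil, fmt.Errorf("attribute area ends without terminator")
		}
		typ := binary.LittleEndian.Uint32(area[off:])
		if typ == attrTypeEnd {
			return attrs, nil
		}
		if off+0x18 > len(area) {
			return nil, fmt.Errorf("truncated attribute header at %d", off)
		}
		length := int(binary.LittleEndian.Uint32(area[off+4:]))
		if length < 0x18 || off+length > len(area) {
			return nil, fmt.Errorf("attribute at %d: bad length %d", off, length)
		}
		hdr := area[off : off+length]
		nameLen, nameOff := int(hdr[9]), int(binary.LittleEndian.Uint16(hdr[10:])) // nameLen counts UTF-16 units
		if nameOff+2*nameLen > length {
			return nil, fmt.Errorf("attribute at %d: name overruns header", off)
		}
		a := Attribute{Type: typ, Name: decodeUTF16LE(hdr[nameOff : nameOff+2*nameLen])}
		if hdr[8] == 0 { // resident: the value is stored inline in the record
			valLen, valOff := int(binary.LittleEndian.Uint32(hdr[0x10:])), int(binary.LittleEndian.Uint16(hdr[0x14:]))
			if valOff+valLen > length {
				return nil, fmt.Errorf("attribute at %d: value overruns header", off)
			}
			a.Data = hdr[valOff : valOff+valLen]
		}
		attrs = append(attrs, a)
		off += length
	}
}

// DataStreams keys every $DATA attribute by stream name: "" is the file's own content, anything
// else is an alternate data stream such as Zone.Identifier, the "mark of the web" on downloads.
func DataStreams(attrs []Attribute) map[string][]byte {
	streams := map[string][]byte{}
	for _, a := range attrs {
		if a.Type == attrTypeData {
			streams[a.Name] = a.Data
		}
	}
	return streams
}

// buildResident lays out a resident attribute with the on-disk header fields (constructed fixture).
func buildResident(typ uint32, name string, value []byte) []byte {
	units := utf16.Encode([]rune(name))
	nameOff, valOff := 0x18, (0x18+2*len(units)+7)&^7 // name follows the header; value is 8-byte aligned
	b := make([]byte, (valOff+len(value)+7)&^7)      // the whole attribute is 8-byte aligned too
	binary.LittleEndian.PutUint32(b[0:], typ)
	binary.LittleEndian.PutUint32(b[4:], uint32(len(b)))
	b[9] = byte(len(units))
	binary.LittleEndian.PutUint16(b[10:], uint16(nameOff))
	binary.LittleEndian.PutUint32(b[0x10:], uint32(len(value)))
	binary.LittleEndian.PutUint16(b[0x14:], uint16(valOff))
	for i, u := range units {
		binary.LittleEndian.PutUint16(b[nameOff+2*i:], u)
	}
	copy(b[valOff:], value)
	return b
}

// SampleAttributeArea is a constructed attribute area for one downloaded file: its unnamed $DATA
// stream, a Zone.Identifier ADS, then the terminator.
func SampleAttributeArea() []byte {
	area := buildResident(attrTypeData, "", []byte("hello"))
	area = append(area, buildResident(attrTypeData, "Zone.Identifier", []byte("[ZoneTransfer]\r\nZoneId=3\r\n"))...)
	return append(area, 0xFF, 0xFF, 0xFF, 0xFF)
}
```

The file is `package main` without a `main` function, so exercise it with `go test` (or add a `main` that prints `DataStreams(attrs)`). One caveat the reply's rule of thumb does not cover: when an attribute is non-resident (byte 8 of the header non-zero) the record holds only cluster run information, not the bytes, so `Data` is nil and the stream content has to be fetched from the volume; Zone.Identifier is small and normally resident, but the main stream of any file of real size is not.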
And about the file path? Is it possible to discover it by using the library?
HELLO?
Hello. I created this project in my free time as a hobby project several years ago. It is provided free of charge for everyone to do with as they please. I have other things to do in my life than to provide support to this free project.
The library provides low-level means to work with the MFT, but it doesn't provide higher level concepts to deal with the file system level directly. It's up to the user to learn about the structure of the MFT to be able to use the library effectively.
When I created this library over 4 years ago, I spent weeks researching the topic, reading articles and papers, and spent a lot of time searching the internet. Resources were sparse and not always very clear. Back then ChatGPT and similar tools were not available yet.
Since creating the project I haven't done much with NTFS or MFT myself, so a lot of the knowledge isn't top of mind. Any question you ask I have to look up too. If you need a quick answer, I would kindly ask you to search the web yourself, or use AI tools such as ChatGPT, Bing, Gemini, etc., to be able to quickly get the help you need without having to spend a lot of time reading all the resources yourself.
As for the filepath, do you mean the full path of the file, like C:\Windows\System32\rundll32.exe? That is not available when you have a single record. The MFT, like most filesystems, is structured like a tree. So from the root you would be able to find Windows and in its entries you would find System32 and subsequently in its entries you would find the node rundll32.exe. That node is a leaf at the bottom of the tree, and as far as I know you cannot navigate to its parent node when all you have is the leaf node. So when you're traversing the tree, you have to hold on to the visited nodes to reconstruct the full path when you get to the desired leaf node.
If this is not the information you were looking for, I would encourage you to learn more about the MFT by doing a web search or using AI tools to find your answers, before asking more questions here. As I mentioned, I also don't have all the answers and likely I would have to look things up for you anyway. Please be considerate of my time.
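An added example, not part of this thread or of gomft, for the two remaining questions: what a $FILE_NAME body contains and how a full path is recovered. It decodes a $FILE_NAME body with the standard library and rebuilds the path by following the parent-directory reference that every $FILE_NAME stores in its first 8 bytes, which is a different route to the same result as the top-down traversal the reply describes: either way the whole MFT has to be indexed first, because one record only tells you its parent's record number, never the parent's name. The field offsets, the 48-bit record number / 16-bit sequence number split, and root record 5 are the NTFS on-disk format; ParseFileName, FullPath, buildFileName and SampleIndex are names chosen for this example (gomft's own ParseFileName returns its own struct); the records are constructed, including an orphan whose parent record is missing, the situation a deleted directory leaves behind in a real dump.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

const RootRecord = 5 // MFT record number of the volume root directory (its parent reference points at itself)

// FileName holds the $FILE_NAME fields used here. The 8-byte parent reference packs a
// 48-bit record number with a 16-bit sequence number, which changes when a record is reused.
type FileName struct {
	ParentRecord uint64
	ParentSeq    uint16
	Namespace    byte // 0 POSIX, 1 Win32, 2 DOS 8.3 short name, 3 both
	Name         string
}

func decodeUTF16LE(b []byte) string {
	units := make([]uint16, len(b)/2)
	for i := range units {
		units[i] = binary.LittleEndian.Uint16(b[2*i:])
	}
	return string(utf16.Decode(units))
}

// ParseFileName decodes a $FILE_NAME body (what gomft's ParseFileName receives as attr.Data):
// parent reference (8), four timestamps (32), allocated and real size (16), flags (4),
// reparse tag (4), name length in UTF-16 units (1), namespace (1), then the name at 0x42.
func ParseFileName(b []byte) (FileName, error) {
	if len(b) < 0x42 {
		return FileName{}, fmt.Errorf("$FILE_NAME body shorter than its fixed header")
	}
	ref := binary.LittleEndian.Uint64(b[0:8])
	n := int(b[0x40])
	if len(b) < 0x42+2*n {
		return FileName{}, fmt.Errorf("name length %d overruns %d-byte body", n, len(b))
	}
	return FileName{
		ParentRecord: ref & 0x0000FFFFFFFFFFFF, ParentSeq: uint16(ref >> 48),
		Namespace: b[0x41], Name: decodeUTF16LE(b[0x42 : 0x42+2*n]),
	}, nil
}

// FullPath climbs parent references from rec to the root. index must already hold every
// record's $FILE_NAME; orphans and cycles both occur in real dumps, so both are rejected.
func FullPath(index map[uint64]FileName, rec uint64) (string, error) {
	path := ""
	for hops := 0; rec != RootRecord; hops++ {
		if hops > 1024 { // a parent chain this long is a cycle in corrupt or stale records
			return "", fmt.Errorf("parent chain from record %d does not reach the root", rec)
		}
		fn, ok := index[rec]
		if !ok {
			return "", fmt.Errorf("record %d not in index (orphaned path)", rec)
		}
		path = `\` + fn.Name + path
		rec = fn.ParentRecord
	}
	return path, nil
}

// buildFileName lays out a $FILE_NAME body on-disk style (constructed fixture, not real data).
func buildFileName(parent uint64, parentSeq uint16, namespace byte, name string) []byte {
	units := utf16.Encode([]rune(name))
	b := make([]byte, 0x42+2*len(units)) // timestamps, sizes and flags stay zero
	binary.LittleEndian.PutUint64(b[0:], parent|uint64(parentSeq)<<48)
	b[0x40], b[0x41] = byte(len(units)), namespace
	for i, u := range units {
		binary.LittleEndian.PutUint16(b[0x42+2*i:], u)
	}
	return b
}

// SampleIndex is a constructed index: directories down to rundll32.exe plus an orphan.
func SampleIndex() map[uint64]FileName {
	index := map[uint64]FileName{}
	for rec, body := range map[uint64][]byte{
		100: buildFileName(RootRecord, 5, 3, "Windows"),
		200: buildFileName(100, 1, 3, "System32"),
		300: buildFileName(200, 1, 1, "rundll32.exe"),
		400: buildFileName(999, 1, 1, "orphan.tmp"), // parent 999 is absent from the index
	} {
		fn, err := ParseFileName(body)
		if err != nil {
			panic(err)
		}
		index[rec] = fn
	}
	return index
}

func main() {
	for _, rec := range []uint64{300, 400} {
		path, err := FullPath(SampleIndex(), rec)
		fmt.Printf("record %d: %q (err: %v)\n", rec, path, err)
	}
}
```

The Namespace field matters for the loop in the earlier reply that breaks at the first $FILE_NAME it meets: a file with a long name usually carries two $FILE_NAME attributes, a DOS 8.3 one (namespace 2) and a Win32 one (namespace 1), so an index should prefer the non-DOS name or the reconstructed paths come out as PROGRA~1-style short names. The sequence number is what lets you notice that a parent record number was deleted and reused since the name was written, a common source of confusing entries in a real dump.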
Thank you for the answer. I understand it, and sorry if I was kind of annoying; I'll try to research by myself and look for a solution.
Also, could you give me some contact, like an email or something?
Thank you.