@port139 Blog

This blog mainly covers digital forensics techniques, but there is a high probability that the content contains errors.

$MFT and $ATTRIBUTE_LIST

Note:
For experimental purposes, I use Google Translate to convert this blog to English. Unfortunately, I do not know whether it was translated into appropriate English expressions.

Please let me know if there is a more appropriate expression.

There are many tools that parse $MFT, but how $ATTRIBUTE_LIST is handled varies from tool to tool.
I would like to confirm the behaviour around $ATTRIBUTE_LIST.

Create a test file in the sample VHD disk.


Use the fsutil command to create several hard links. Once enough hard links have been created with this command, the attributes no longer all fit in a single FILE record.


In the $MFT file, look at the FILE record for the file name 00000001.txt.
You can see that the FILE record contains a $ATTRIBUTE_LIST (0x20) attribute.
In this example the attribute is resident.


Viewing the same file in Autopsy gives the following.
The MFT record number of the file name 00000001.txt is 39. In addition, you can see that this file also uses record number 40.
(Type 48 (0x30) is the $FILE_NAME attribute.)


Now look at record number 40 in the $MFT file.
Its "File reference to the base FILE record" field points to 39 (0x27).


Parsing this $MFT file with the fte tool gives the following result.
The $FILE_NAME attribute stored in record number 40 is displayed as well.


The result of parsing the same $MFT file with MFTECmd is as follows.


Both tools display all seven sample files.

However, depending on the tool, not all file names are displayed when parsing the $MFT file, because the names referenced through $ATTRIBUTE_LIST are stored in other FILE records.
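As an added example (not the post's own code, and not from any of the tools mentioned), the following Python walks the entries of a resident $ATTRIBUTE_LIST value using the entry layout documented at flatcap.org and reports which MFT record holds each attribute. The sample bytes are constructed to mirror the post (base record 39, hard-link names spilled into record 40); they are not taken from the VHD.

```python
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
# Entry header: type, entry length, name length, name offset, start VCN, file reference, attribute id
ENTRY_HDR = "<IHBBQQH"
HDR_LEN = struct.calcsize(ENTRY_HDR)  # 0x1A

def build_entry(attr_type, mft_record, seq, attr_id, name=""):
    """Build one $ATTRIBUTE_LIST entry (constructed test data). The file reference packs the
    MFT record number in the low 48 bits and the sequence number in the high 16 bits."""
    name_bytes = name.encode("utf-16-le")
    length = HDR_LEN + len(name_bytes)
    length += (-length) % 8  # entries are 8-byte aligned
    ref = (seq << 48) | mft_record
    hdr = struct.pack(ENTRY_HDR, attr_type, length, len(name), HDR_LEN, 0, ref, attr_id)
    return (hdr + name_bytes).ljust(length, b"\x00")

def parse_attribute_list(data):
    """Walk the entries of a resident $ATTRIBUTE_LIST value; one dict per entry."""
    entries, off = [], 0
    while off + HDR_LEN <= len(data):
        attr_type, length, name_len, name_off, vcn, ref, attr_id = struct.unpack_from(ENTRY_HDR, data, off)
        if length < HDR_LEN or off + length > len(data):
            raise ValueError(f"corrupt entry length {length} at offset {off}")
        name = data[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")
        entries.append({"type": attr_type, "record": ref & 0xFFFFFFFFFFFF, "seq": ref >> 48,
                        "id": attr_id, "vcn": vcn, "name": name})
        off += length
    return entries

def filename_records(entries, base_record):
    """Extension records (other than the base) that hold a $FILE_NAME attribute.
    A parser that reads only the base FILE record never sees the names stored there."""
    return sorted({e["record"] for e in entries if e["type"] == 0x30 and e["record"] != base_record})

# Constructed sample mirroring the post: record 39 keeps $STANDARD_INFORMATION, one $FILE_NAME
# and $DATA; two further hard-link $FILE_NAME attributes live in extension record 40.
BASE = 39
SAMPLE = b"".join([
    build_entry(0x10, BASE, 1, 0),
    build_entry(0x30, BASE, 1, 2),
    build_entry(0x30, 40, 1, 0),
    build_entry(0x30, 40, 1, 1),
    build_entry(0x80, BASE, 1, 3),
])

if __name__ == "__main__":
    for e in parse_attribute_list(SAMPLE):
        print(f"{ATTR_NAMES.get(e['type'], hex(e['type']))} id {e['id']} -> MFT record {e['record']} (seq {e['seq']})")
    print("extension records holding $FILE_NAME:", filename_records(parse_attribute_list(SAMPLE), BASE))
```

To check a real volume, feed the resident $ATTRIBUTE_LIST value of the base record to parse_attribute_list and confirm that every record returned by filename_records is also read by the tool under test.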

 

<Added 2018/7/3>

There are several tools affected by $ATTRIBUTE_LIST. One example is Plaso MFT parser.

I will try parsing $MFT using the MFT parser of plaso-20180630.

An artifacts filter is available in plaso-20180630. I'm not familiar with it yet, but it's a very interesting feature.

c:\case\plaso-20180630-amd64>log2timeline.exe --parsers mft --artifact_filters NTFSMFTFiles c:\case\mft.plaso c:\case\Atrribute1.vhd


Use the psort command to output the timeline in l2tcsv format.


File names 2 and 7 appear in the output, but file names 1, 3, 4, 5, and 6 do not.


</Added>

 

Sample VHD file.

 

By the way, I did not know that the fsutil command has a layout option.

The layout option appears to be available from Windows 10 version 1803.


Reference URLs:

flatcap.org

github.com

binaryforay.blogspot.com
