@port139 Blog

This blog mainly covers digital forensics techniques, but the content is highly likely to contain errors.

$ATTRIBUTE_LIST and deleted record

Note: I translated the Japanese into English using Google Translate.

Thank you, Google.

I will use the sample VHD Disk created last week.

The $ATTRIBUTE_LIST of FILE record 39 is as follows. Several $FILE_NAME attributes are saved in FILE record number 40.


filename00000001.txt is saved in FILE record number 40. The $DATA attribute is stored at the end of this FILE record.


Delete filename00000001.txt and check FILE record 40.


The string filename00000001.txt can still be found in the slack of FILE record number 40.
However, since only a single $FILE_NAME attribute was removed from that record, filename00000001.txt cannot be found as a deleted file.


Is it possible to delete two FILE records referenced by $ATTRIBUTE_LIST at the same time? I would like to verify whether an inconsistency arises when a FILE record referenced by $ATTRIBUTE_LIST is deleted and overwritten.

To test another scenario, I return the VHD disk to its original state and delete all files.


Let's check the state after deletion... Unfortunately, it was different from what I expected.


Is this the result of the Del command deleting the files one after another? Only the file filename00000007.txt is displayed.

I will try another method.


Check the state of $ATTRIBUTE_LIST.
FILE records 40 and 41 are in use.


Delete folder1.


The following figure shows the result I was expecting..... Aaaa, I misunderstood the result.


The above figure contained the $I30 parsing result. When checked with other tools, only filename00000007.txt is displayed as a deleted file.


I have created another VHD disk.
The $SIA of filename00000006.txt is stored in FILE record 39, and its $FILE_NAME is stored in FILE record 40.


Create a new file so that FILE record 39 is overwritten.


FILE record 40 remains, but Autopsy cannot refer to filename00000006.txt.


Export $MFT and parse it with the fte tool. filename00000006.txt can be found. Thank you, fte; I wanted to confirm this result.
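To show why the orphaned record is easy to miss, here is an added Python example (not code from the post, nor from fte or Autopsy) that builds two constructed FILE records in the layout of this disk, $SIA in record 39 and $FILE_NAME in extension record 40, and then flags $FILE_NAME attributes whose base record has been reused under a new sequence number. The 1024-byte record size, the parent reference and the sequence numbers are assumptions.

```python
import struct
REC = 1024                                                  # FILE record size (assumed)
def ref(recno, seq): return recno | (seq << 48)             # NTFS file reference: 48-bit number + 16-bit sequence

def attr(atype, body, aid):                                 # resident attribute, 8-byte aligned
    total = (0x18 + len(body) + 7) & ~7
    return struct.pack('<IIBBHHHIHBB', atype, total, 0, 0, 0x18, 0, aid,
                       len(body), 0x18, 0, 0) + body.ljust(total - 0x18, b'\0')

def file_record(recno, seq, attrs, base_ref=0):
    """Constructed in-use FILE record (base_ref != 0 marks an extension); USA count 1, no fixups."""
    body = b''.join(attrs) + b'\xff\xff\xff\xff\0\0\0\0'    # attributes then end marker
    hdr = struct.pack('<4sHHQHHHHIIQHHI', b'FILE', 0x30, 1, 0, seq, 1, 0x38, 1,
                      0x38 + len(body), REC, base_ref, 9, 0, recno)
    return (hdr.ljust(0x38, b'\0') + body).ljust(REC, b'\0')

def file_names(rec):
    """Names from every resident $FILE_NAME attribute in one FILE record."""
    off, names = struct.unpack_from('<H', rec, 0x14)[0], []
    while struct.unpack_from('<I', rec, off)[0] != 0xFFFFFFFF:
        atype, alen, clen, coff = struct.unpack_from('<II8xIH', rec, off)
        if atype == 0x30:
            body = rec[off + coff:off + coff + clen]
            names.append(body[0x42:0x42 + 2 * body[0x40]].decode('utf-16-le'))
        off += alen
    return names

def orphaned_names(mft):
    """(record, name) from extension records whose base is missing, not in use, or reused."""
    recs = {struct.unpack_from('<I', mft, i + 0x2C)[0]: mft[i:i + REC]
            for i in range(0, len(mft), REC)}
    out = []
    for recno, rec in recs.items():
        base_ref = struct.unpack_from('<Q', rec, 0x20)[0]
        if base_ref == 0: continue                          # a base record, not an extension
        base = recs.get(base_ref & 0xFFFFFFFFFFFF)
        seq, _, flags = struct.unpack_from('<HHxxH', base, 0x10) if base else (None, 0, 0)
        if not flags & 1 or seq != base_ref >> 48:         # base freed, or reused with new sequence
            out += [(recno, n) for n in file_names(rec)]
    return out

def build_mft(record39_overwritten):
    """Two records as on the Attribute8 disk: $SIA (+ $ATTRIBUTE_LIST) in 39, $FILE_NAME in 40."""
    name = 'filename00000006.txt'.encode('utf-16-le')
    rec40 = file_record(40, 1, [attr(0x30, struct.pack('<Q', ref(5, 5)) + b'\0' * 56
                                     + bytes([len(name) // 2, 1]) + name, 2)], ref(39, 2))
    if record39_overwritten:                                # new file reused record 39, sequence bumped
        return file_record(39, 3, [attr(0x10, b'\0' * 72, 0)]) + rec40
    entry = struct.pack('<IHBBQQH', 0x30, 0x20, 0, 0x1A, 0, ref(40, 1), 2).ljust(0x20, b'\0')
    return file_record(39, 2, [attr(0x10, b'\0' * 72, 0), attr(0x20, entry, 1)]) + rec40
```

A tool that only walks base records and follows their $ATTRIBUTE_LIST never reaches record 40 once record 39 is reused; scanning every record and checking the base reference against the base's current sequence number is what recovers the name.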


Sample VHD disk (Atrribute8).

Overwrite the FILE record using another pattern.


$SIA is stored in FILE record 40, and $FILE_NAME is stored in FILE record 39.


Delete files other than filename00000001.txt.


Create a file so that FILE record 39 is overwritten. $SIA remains in FILE record 40, but the $FILE_NAME no longer exists. Some tools do not display the $SIA in FILE record 40.

Does your favorite tool display the $SIA of FILE record 40?


Sample VHD disk (Atrribute9).

Well, how can I visualize FILE record 40?
One way is to use the Plaso MFT parser.

>log2timeline.exe --parsers mft --artifact_filters NTFSMFTFiles c:\case\mft.plaso c:\case\Atrribute9.vhd

>psort -o l2tcsv -w c:\case\mft_timeline.csv c:\case\mft.plaso

The $SIA of FILE record 40 was confirmed.


By the way, Google Translate shows multiple candidates for a single word, but I struggle to choose which one is right. For example, "check" and "confirm".

Reference URL:

http://www.kazamiya.net/en/fte
