$ATTRIBUTE_LIST and deleted record
Note: I translated Japanese into English using Google Translate.
Thank you, Google.
I will use the sample VHD Disk created last week.
The $ATTRIBUTE_LIST of FILE record 39 is as follows. Several $FILE_NAME attributes are saved in FILE record number 40.
filename00000001.txt is saved in FILE record number 40. The $DATA attribute is stored at the end of this FILE record.
Delete filename00000001.txt and check FILE record 40.
The string filename00000001.txt can be found in the slack of FILE record number 40.
However, since only one $FILE_NAME attribute has been deleted, we cannot find filename00000001.txt as a deleted file.
Is it possible to delete two FILE records referenced by $ATTRIBUTE_LIST at the same time? I'd like to verify whether an inconsistency occurs when a FILE record referenced by $ATTRIBUTE_LIST is deleted and overwritten.
To test another scenario, return the VHD disk to its original state.
Delete all files.
Let's check the state after deletion... Unfortunately, it was different from what I expected.
Is this the result of the del command deleting the files sequentially? Only filename00000007.txt is displayed.
I will try another method.
Check the status of $ATTRIBUTE_LIST.
FILE records 40 and 41 are used.
Delete folder1.
The following figure is the result I was expecting... Aaaa, I misunderstood the result.
The above figure contained the $I30 parsing result. In other tools, only filename00000007.txt is displayed as a deleted file.
I have created another VHD disk.
$SIA of filename00000006.txt is stored in FILE record 39, and $FILE_NAME is stored in FILE record 40.
Create a new file so that it overwrites FILE record 39.
FILE record 40 remains, but Autopsy cannot refer to filename00000006.txt.
Export $MFT and parse it with the fte tool. I can find filename00000006.txt. Thank you, fte; I wanted to confirm this result.
Overwrite the FILE record with another pattern.
Now $SIA is stored in FILE record 40 and $FILE_NAME in FILE record 39.
Delete files other than filename00000001.txt.
Create a file that overwrites FILE record 39. $SIA is still in FILE record 40, but its $FILE_NAME no longer exists. Some tools do not display the $SIA in FILE record 40.
Does your favorite tool display $SIA of FILE record 40?
Well, how do I visualize the FILE record 40?
For example, there is a way to use the Plaso MFT parser.
>log2timeline.exe --parsers mft --artifact_filters NTFSMFTFiles c:\case\mft.plaso c:\case\Atrribute9.vhd
>psort -o l2tcsv -w c:\case\mft_timeline.csv c:\case\mft.plaso
The $SIA of FILE record 40 was confirmed.
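As an added example (not the author's code or any of the tools named on this page), here is a minimal parser over a constructed $MFT image that follows $ATTRIBUTE_LIST entries into extension records and flags extension records whose base record has been deleted or reused, the situation above where FILE record 39 is overwritten and FILE record 40 keeps the $FILE_NAME of filename00000006.txt. The image itself, the record layout (no fixup array), the sequence numbers and the name new.txt are constructed for the example.

```python
import struct
REC, MASK = 1024, (1 << 48) - 1  # record size assumed for this constructed $MFT; record-number mask of a file reference
STD_INFO, ATTR_LIST, FILE_NAME, DATA, END = 0x10, 0x20, 0x30, 0x80, 0xFFFFFFFF
ref = lambda recno, seq: (seq << 48) | recno  # NTFS file reference: 48-bit record number, 16-bit sequence number
def attr(atype, body, aid=0):  # resident attribute: 24-byte header, body padded to 8 bytes
    body += b"\0" * (-len(body) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 0, 0, aid, len(body), 24, 0, 0) + body
def fname(name):  # $FILE_NAME body: parent ref, 4 timestamps, 2 sizes, flags, reparse, name length, namespace, name
    return struct.pack("<Q4QQQIIBB", ref(5, 5), 0, 0, 0, 0, 0, 0, 0, 0, len(name), 1) + name.encode("utf-16le")
def record(recno, seq, attrs, base=0):  # FILE record header + attributes; the fixup array is omitted in this constructed image
    body = b"".join(attrs) + struct.pack("<II", END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, 1, 0x38 + len(body), REC, base, len(attrs) + 1, 0, recno)
    return (hdr.ljust(0x38, b"\0") + body).ljust(REC, b"\0")
def parse(mft, recno):  # -> (in_use, seq, base_ref, [(type, body), ...]) or None if the slot is not a FILE record
    r, attrs = mft[recno * REC:(recno + 1) * REC], []
    if r[:4] != b"FILE": return None
    seq, _, off, flags = struct.unpack_from("<HHHH", r, 0x10)  # sequence, link count, first attribute offset, flags
    while struct.unpack_from("<I", r, off)[0] != END:
        atype, alen, clen, coff = struct.unpack_from("<II8xIH", r, off)  # type, length, content length/offset (resident)
        attrs.append((atype, r[off + coff:off + coff + clen]))
        off += alen
    return bool(flags & 1), seq, struct.unpack_from("<Q", r, 0x20)[0], attrs
name_of = lambda body: body[0x42:0x42 + 2 * body[0x40]].decode("utf-16le")  # name of a $FILE_NAME body
def names_following_list(mft, recno):  # names of one file, following $ATTRIBUTE_LIST into its extension records
    attrs = parse(mft, recno)[3]
    names = [name_of(b) for t, b in attrs if t == FILE_NAME]
    for alist in (b for t, b in attrs if t == ATTR_LIST):
        off = 0
        while off + 26 <= len(alist):  # entry: type@0, length@4, VCN@8, file ref@16, id@24 (26 bytes + name, 8-aligned)
            etype, elen, ext = struct.unpack_from("<IH10xQ", alist, off)
            if etype == FILE_NAME and (ext & MASK) != recno:  # attribute lives in another FILE record: go and get it
                names += [name_of(b) for t, b in parse(mft, ext & MASK)[3] if t == FILE_NAME]
            off += elen
    return names
def orphaned_extensions(mft):  # extension records whose base record is gone or reused, with the names they still hold
    out = []
    for recno in range(len(mft) // REC):
        if (p := parse(mft, recno)) and p[2]:  # a nonzero base reference marks an extension record
            if not (base := parse(mft, p[2] & MASK)) or not base[0] or base[1] != p[2] >> 48:  # deleted or new sequence
                out.append((recno, p[2] & MASK, [name_of(b) for t, b in p[3] if t == FILE_NAME]))
    return out
def build_scenario(overwrite):  # constructed $MFT: record 39 is the base of filename00000006.txt, record 40 holds its $FILE_NAME
    entry = lambda t, r: struct.pack("<IHBBQQH", t, 32, 0, 0, 0, r, 0).ljust(32, b"\0")
    alist = entry(STD_INFO, ref(39, 1)) + entry(FILE_NAME, ref(40, 1)) + entry(DATA, ref(39, 1))
    recs = [record(i, 1, [attr(STD_INFO, bytes(48))]) for i in range(39)]
    recs.append(record(39, 1, [attr(STD_INFO, bytes(48)), attr(ATTR_LIST, alist), attr(DATA, b"hello")]))
    recs.append(record(40, 1, [attr(FILE_NAME, fname("filename00000006.txt"))], base=ref(39, 1)))
    if overwrite:  # a new file reuses record 39 with a bumped sequence number; extension record 40 is left behind
        recs[39] = record(39, 2, [attr(STD_INFO, bytes(48)), attr(FILE_NAME, fname("new.txt")), attr(DATA, b"x")])
    return b"".join(recs)
```

Before the overwrite, `names_following_list(mft, 39)` only finds filename00000006.txt because it walks into record 40; after it, `orphaned_extensions` is what recovers that name from the abandoned record 40.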
By the way, Google Translate shows multiple candidates for a single word, and it is hard to choose which one is right. For example, check and confirm.
Reference URL:
http://www.kazamiya.net/en/fte
It appears MFTECmd behaves appropriately in this case. Tools that do not follow attribute lists to other MFT entries or manually track extension records miss data. Many tools do not do this correctly pic.twitter.com/b702mh2khT
— Eric Zimmerman (@EricRZimmerman) July 7, 2018