@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

NTFS $REPARSE_POINT and Symbolic link

Note: I translated Japanese into English using Google Translate.
Thank you, Google.

Today I would like to take a closer look at NTFS symbolic links.
First, copy a JPEG file to the sample VHD disk.


Use the mklink command to create a symbolic link to this JPEG file.
The link name is example.jpg.


When browsed in Explorer, the symbolic link can be identified by its icon (the shortcut arrow overlay).


Now browse the same volume with Autopsy. From the file list alone it is difficult to tell that example.jpg is a symbolic link rather than a regular file.


The clue is in the Attributes field, where $REPARSE_POINT is listed for the link.


Let's look at the $REPARSE_POINT attribute (type 0xC0) in the FILE record.
Display offset 44032 in $MFT. The range enclosed in red, starting from the attribute type 0xC0, is the $REPARSE_POINT attribute.


The bytes 0C 00 00 A0 enclosed in light blue are the reparse point tag. Read as a little-endian 32-bit value this is 0xA000000C, which is IO_REPARSE_TAG_SYMLINK, i.e. a symbolic link. The fields that follow decode as shown below (the two UTF-16LE names are the print name and the substitute name, at offsets 0 and 20 of the path buffer respectively).

0C 00 00 A0  Reparse point tag ⇒ 0xA000000C (IO_REPARSE_TAG_SYMLINK, symbolic link)
34 00        Reparse data size ⇒ 52
00 00        Reserved
14 00        Substitute name offset ⇒ 20
14 00        Substitute name size ⇒ 20
00 00        Print name offset ⇒ 0
14 00        Print name size ⇒ 20
01 00 00 00  Symbolic link flags ⇒ 1 (SYMLINK_FLAG_RELATIVE: the target path is relative to the link's own directory)
730061006D0070006C0065002E006A0070006700  print name (UTF-16LE) ⇒ sample.jpg
730061006D0070006C0065002E006A0070006700  substitute name (UTF-16LE) ⇒ sample.jpg
00 00 00 00  padding
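As an added example (not code from the original post, nor from Autopsy or MFTECmd), the following Python parser decodes the $REPARSE_POINT data walked through above. SAMPLE_REPARSE_POINT is exactly the byte sequence shown on this page; it also goes a step beyond the page by handling the directory-junction tag (IO_REPARSE_TAG_MOUNT_POINT, 0xA0000003), whose buffer has the same name fields but no Flags dword, using a constructed junction sample that is not on the page. The length checks matter when the attribute comes from a partially overwritten record: a ReparseDataLength or name offset that runs past the available bytes is reported instead of silently decoding garbage.

```python
import struct

# Reparse tags and flag values from the Windows headers (ntifs.h / winnt.h).
IO_REPARSE_TAG_SYMLINK = 0xA000000C      # symbolic link (the page's sample)
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # directory junction / volume mount point
SYMLINK_FLAG_RELATIVE = 0x00000001       # target is relative to the link's directory

# The $REPARSE_POINT data shown on this page, byte for byte.
SAMPLE_REPARSE_POINT = bytes.fromhex(
    "0C0000A0"                                   # ReparseTag 0xA000000C
    "3400" "0000"                                # ReparseDataLength 52, Reserved
    "1400" "1400" "0000" "1400"                  # SubstituteName off/len, PrintName off/len
    "01000000"                                   # Flags = SYMLINK_FLAG_RELATIVE
    "730061006D0070006C0065002E006A0070006700"   # print name "sample.jpg"
    "730061006D0070006C0065002E006A0070006700"   # substitute name "sample.jpg"
    "00000000"                                   # padding
)

# Constructed junction sample (NOT from the page): C:\Windows -> \??\C:\Windows.
# Windows stores a 2-byte NUL after each name, so the print name starts at offset 30.
CONSTRUCTED_JUNCTION = bytes.fromhex(
    "030000A0" "3C00" "0000"                     # tag, ReparseDataLength 60, Reserved
    "0000" "1C00" "1E00" "1400"                  # sub off 0 len 28, print off 30 len 20
    "5C003F003F005C0043003A005C00570069006E0064006F0077007300" "0000"  # "\??\C:\Windows"
    "43003A005C00570069006E0064006F0077007300" "0000"                  # "C:\Windows"
)


def parse_reparse_point(data: bytes) -> dict:
    """Parse the value of an NTFS $REPARSE_POINT (0xC0) attribute.

    Layout (REPARSE_DATA_BUFFER, little-endian):
      0  ReparseTag        u32
      4  ReparseDataLength u16   length of everything after the 8-byte header
      6  Reserved          u16
      8  symlink : SubOff u16, SubLen u16, PrnOff u16, PrnLen u16, Flags u32, PathBuffer
      8  junction: SubOff u16, SubLen u16, PrnOff u16, PrnLen u16, PathBuffer
    Offsets and lengths are in bytes and are relative to PathBuffer; names are UTF-16LE.
    """
    if len(data) < 8:
        raise ValueError("reparse buffer shorter than the 8-byte header")
    tag, data_len, reserved = struct.unpack_from("<IHH", data, 0)
    body = data[8:8 + data_len]
    if len(body) < data_len:
        raise ValueError(f"ReparseDataLength {data_len} exceeds the {len(body)} bytes present")

    result = {"tag": tag, "data_length": data_len, "reserved": reserved}
    if tag == IO_REPARSE_TAG_SYMLINK:
        if len(body) < 12:
            raise ValueError("symlink reparse body shorter than its 12-byte fixed part")
        sub_off, sub_len, prn_off, prn_len, flags = struct.unpack_from("<HHHHI", body, 0)
        path_buf = body[12:]
        result.update(kind="symbolic link", flags=flags,
                      relative=bool(flags & SYMLINK_FLAG_RELATIVE))
    elif tag == IO_REPARSE_TAG_MOUNT_POINT:
        if len(body) < 8:
            raise ValueError("junction reparse body shorter than its 8-byte fixed part")
        sub_off, sub_len, prn_off, prn_len = struct.unpack_from("<HHHH", body, 0)
        path_buf = body[8:]
        result.update(kind="junction")
    else:
        # Other Microsoft or third-party tags (e.g. dedup, OneDrive) are opaque here.
        result.update(kind="other", raw=body)
        return result

    def name(off: int, length: int) -> str:
        if off + length > len(path_buf):
            raise ValueError("name offset/length runs past the end of PathBuffer")
        return path_buf[off:off + length].decode("utf-16-le")

    result["substitute_name"] = name(sub_off, sub_len)  # what the kernel actually follows
    result["print_name"] = name(prn_off, prn_len)       # what is shown to the user
    return result


def describe(data: bytes) -> str:
    """One-line summary suitable for a file-listing column, never raises."""
    try:
        r = parse_reparse_point(data)
    except ValueError as exc:
        return f"invalid reparse data: {exc}"
    if r["kind"] == "symbolic link":
        mode = "relative" if r["relative"] else "absolute"
        return f"symbolic link ({mode}) -> {r['substitute_name']}"
    if r["kind"] == "junction":
        return f"junction -> {r['substitute_name']}"
    return f"reparse tag 0x{r['tag']:08X} ({len(r['raw'])} bytes)"


if __name__ == "__main__":
    print(describe(SAMPLE_REPARSE_POINT))      # symbolic link (relative) -> sample.jpg
    print(describe(CONSTRUCTED_JUNCTION))      # junction -> \??\C:\Windows
    print(describe(SAMPLE_REPARSE_POINT[:30])) # invalid reparse data: ...
```

The substitute name, not the print name, is the path the kernel follows, so it is the value to record when triaging a link; the two are identical in this sample, but a junction's substitute name carries the \??\ NT prefix while its print name does not.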

Using MFTECmd is simpler than visual inspection.


I do not know what "g" means... Interesting... The character at the end of the file is at the beginning.

<2018/07/17 add>

</add>

Next, delete sample.jpg and overwrite its FILE record.


After creating sample.txt, which reuses the record, sample.jpg can no longer be found on the volume.
With MFTECmd, however, example.jpg still shows sample.jpg in its ReparseTarget column, so the name of the deleted file can be recovered from the symbolic link.


When you find a symbolic link, check what it points to.

Sample VHD Disk.


Reference URLs:

github.com

Local Privilege Escalation in Emsisoft Anti-Malware by abusing NTFS Directory Junctions #AVGater » #bogner.sh
