
#172 NTFS incorrect enforcement of fs_attr->nrd.initsize

Status: open
Owner: nobody
Priority: 5
Created: 2011-03-06
Updated: 2011-03-06
Private: No

Environment: TSK 3.2.1 on Linux (Fedora Core)

When running icat on an unmounted Windows 7 NTFS volume (using a Linux device handle), several files in the "System Volume Information" directory return 0-byte (or invalid) content. The information istat returns about the corresponding MFT entry is correct, as is the data run information.

data run:
00000000: 43 2c c9 00 a0 3b 60 01 C,...;`.

verbose output of icat:
ntfs_make_data_run: Len idx: 0 cur: 44 (2c) tot: 44 (2c)
ntfs_make_data_run: Len idx: 1 cur: 201 (c9) tot: 51500 (c92c)
ntfs_make_data_run: Len idx: 2 cur: 0 (0) tot: 51500 (c92c)
ntfs_make_data_run: Off idx: 0 cur: 160 (a0) tot: 160 (a0)
ntfs_make_data_run: Off idx: 1 cur: 59 (3b) tot: 15264 (3ba0)
ntfs_make_data_run: Off idx: 2 cur: 96 (60) tot: 6306720 (603ba0)
ntfs_make_data_run: Off idx: 3 cur: 1 (1) tot: 23083936 (1603ba0)
ntfs_make_data_run: Signed addr_offset: 23083936 Previous address: 0

In tsk_fs_file_walk_nonres() it hits:
else if ((off >= fs_attr->nrd.initsize)
where initsize = 0.

non-resident data:
00000000: 00 00 00 00 00 00 00 00 2b c9 00 00 00 00 00 00 ........ +.......
00000010: 40 00 00 00 00 00 00 00 00 c0 92 0c 00 00 00 00 @....... ........
00000020: 00 c0 92 0c 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........

data first VCN : 0
data last VCN : 51499
data runs offset : 64
compression unit size : 0
padding : 0x00000000
allocated data size : 210944000
data size : 210944000
initialized data size : 0 (0x00000000)

The code is acting as designed, but the limit imposed by fs_attr->nrd.initsize does not seem to be a correct one, because the file does contain data of size 210944000 at the offset the data run refers to.
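Added example (not part of the report and not TSK's own code): a small Python decoder for the two structures quoted above, plus an emulation of the per-range decision that the quoted `off >= fs_attr->nrd.initsize` branch makes, so the two read policies can be compared side by side. The 48-byte non-resident header and the 8-byte run list are re-typed from the hex dumps in the report; the 4096-byte cluster size is an assumption (51500 clusters * 4096 = 210944000, the data size shown); `walk_plan`, `read_attr` and `build_nonres_header` are my names and are modelled on the described behaviour rather than copied from TSK, and the small volume image used at the end is constructed.

```python
import struct

# Constructed sample input: the non-resident attribute header (the 48 bytes
# that follow the common 16-byte attribute record header) and the run list,
# re-typed from the hex dumps in the report above.
REPORT_NONRES_HDR = bytes.fromhex(
    "0000000000000000"        # first VCN = 0
    "2bc9000000000000"        # last VCN  = 51499
    "4000" "0000" "00000000"  # run list offset 64, compression unit 0, padding
    "00c0920c00000000"        # allocated size   = 210944000
    "00c0920c00000000"        # data size        = 210944000
    "0000000000000000"        # initialized size = 0
)
REPORT_RUNLIST = bytes.fromhex("432cc900a03b6001")
CLUSTER_SIZE = 4096  # assumption: 51500 clusters * 4096 == 210944000 bytes


def parse_nonres_header(buf):
    """Unpack the fixed part of a non-resident NTFS attribute."""
    fields = struct.unpack_from("<QQHHIQQQ", buf, 0)
    keys = ("first_vcn", "last_vcn", "runs_off", "cu_size", "padding",
            "alloc_size", "data_size", "init_size")
    return dict(zip(keys, fields))


def decode_runlist(buf):
    """Decode an NTFS run list into [(lcn, cluster_count)].

    Each run starts with a header byte: low nibble = size of the length
    field, high nibble = size of the signed, relative LCN offset field
    (exactly what the ntfs_make_data_run trace above walks through).
    A zero offset size marks a sparse run, returned with lcn=None.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        if len_sz == 0 or pos + len_sz + off_sz > len(buf):
            raise ValueError("malformed run list at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            runs.append((None, length))
        else:
            lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            runs.append((lcn, length))
    return runs


def walk_plan(hdr, runs, cluster_size, honor_initsize=True):
    """Emulate the choice tsk_fs_file_walk_nonres() makes per file range.

    Yields (file_off, nbytes, source, disk_off); source is 'disk', 'sparse'
    or 'uninit' (at or beyond init_size, where TSK hands back zeros).
    honor_initsize=False reads every allocated cluster from disk instead.
    """
    data_size = hdr["data_size"]
    init_size = hdr["init_size"] if honor_initsize else data_size
    file_off = 0
    for lcn, count in runs:
        run_start = file_off
        run_end = min(run_start + count * cluster_size, data_size)
        while file_off < run_end:
            if lcn is None:
                seg_end, src = run_end, "sparse"
            elif file_off >= init_size:
                seg_end, src = run_end, "uninit"
            else:
                seg_end, src = min(run_end, init_size), "disk"
            disk_off = None if lcn is None else lcn * cluster_size + (file_off - run_start)
            yield (file_off, seg_end - file_off, src, disk_off)
            file_off = seg_end


def read_attr(volume, hdr, runs, cluster_size, honor_initsize=True):
    """Materialise the attribute content from a bytes-like volume image."""
    out = bytearray()
    for _off, n, src, disk_off in walk_plan(hdr, runs, cluster_size, honor_initsize):
        out += volume[disk_off:disk_off + n] if src == "disk" else bytes(n)
    return bytes(out)


def build_nonres_header(last_vcn, alloc_size, data_size, init_size):
    """Pack a header for constructed test cases (run list offset fixed at 64)."""
    return struct.pack("<QQHHIQQQ", 0, last_vcn, 64, 0, 0,
                       alloc_size, data_size, init_size)


if __name__ == "__main__":
    hdr = parse_nonres_header(REPORT_NONRES_HDR)
    runs = decode_runlist(REPORT_RUNLIST)
    print(hdr)
    print(runs)
    for honor in (True, False):
        print("honor_initsize=%s:" % honor,
              list(walk_plan(hdr, runs, CLUSTER_SIZE, honor_initsize=honor)))
```

Run as-is, the script decodes the run list to a single run of 51500 clusters at LCN 23083936 (the signed addr_offset in the trace) and, with the header's initialized size of 0, the initsize-honouring plan covers the whole 210944000 bytes as 'uninit', i.e. zero-filled, which is the empty content icat produced; with honor_initsize=False the same range is planned as a single read from the run's disk offset.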
