
#138 NTFS-3G issues?

open
nobody
5
2010-03-24
2010-03-24
No

Posted to sleuthkit-users on 3/4/10 by Adrian Shaw

Hi

I'm using TSK 3.1.0 on OpenSuSe 10.3, installed from source.

It appears that fls isn't listing deleted files on media formatted with
the ntfs-3g package. I used a 2GB CF card, wiped it, formatted it with
linux fdisk then laid down an ntfs filesystem using the mkfs.ntfs utility
from the ntfs-3g project. I copied a load of files to the card, then
deleted about 30 of them. Then I used fls to try and view the metadata
for the deleted files:
fls -d -r -i raw -f ntfs -o 62 /dev/sdd

No results are returned from this command. So I re-ran the command but
modified it to show all files:
fls -r -i raw -f ntfs -o 62 /dev/sdd

I get the expected output - the metadata is listed for the live files.

I then use ntfsundelete to try and get information regarding the deleted
files on the card:

ntfsundelete -f /dev/sdd1

Volume is dirty.
Forced to continue.
Inode  Flags  %age  Date            Size  Filename
---------------------------------------------------------------
   16  F...     0%  2010-01-10         0  <none>
   17  F...     0%  2010-01-10         0  <none>
   18  F...     0%  2010-01-10         0  <none>
   19  F...     0%  2010-01-10         0  <none>
   20  F...     0%  2010-01-10         0  <none>
   21  F...     0%  2010-01-10         0  <none>
   22  F...     0%  2010-01-10         0  <none>
   23  F...     0%  2010-01-10         0  <none>
 1453  D...     0%  2010-01-16         0  <none>
 1455  FN..   100%  2006-11-16   1554574  <none>
 1456  D...     0%  2010-01-16         0  <none>
 1457  FN..   100%  2006-11-16   1568011  <none>
 1458  FN..   100%  2006-11-16   1551851  <none>
 1459  FN..   100%  2006-11-16   1602861  <none>
 1461  FN..   100%  2006-11-16   1568559  <none>
 1462  FN..   100%  2006-11-16   1565797  <none>
 1482  D...     0%  2010-01-16         0  <none>
 2620  D...     0%  2010-01-16         0  <none>
 2621  FN..   100%  2006-11-16   2195587  <none>
 2622  FN..   100%  2006-11-16   1533953  <none>
 2623  FN..   100%  2006-11-16   1559211  <none>
 2624  D...     0%  2010-01-16         0  <none>
 2625  FN..   100%  2006-11-16   1561141  <none>
 2626  FN..   100%  2006-11-16   1492597  <none>
 2627  FN..   100%  2006-11-16   1535152  <none>
 2628  FN..   100%  2006-11-16   1475406  <none>
 2629  FN..   100%  2006-11-16   1537154  <none>
 2630  FN..   100%  2006-11-16   1524184  <none>
 2631  FN..   100%  2006-11-16   1571648  <none>
 2632  D...     0%  2010-01-16         0  <none>
 2633  FN..   100%  2006-11-16   1591611  <none>
 2634  FN..   100%  2006-11-16   1577103  <none>
 2635  FN..   100%  2006-11-16   1580217  <none>
 2636  FN..   100%  2006-11-16   2450007  <none>
 2637  FN..   100%  2006-11-16   1839617  <none>
 2638  FN..   100%  2006-11-16   1734110  <none>
 2639  FN..   100%  2006-11-16   1746931  <none>
 2640  D...     0%  2010-01-16         0  <none>
 2641  FN..   100%  2006-11-16   2481670  <none>
 2642  FN..   100%  2006-11-16   2451247  <none>
 2643  FN..   100%  2006-11-16   1727085  <none>
 2644  FN..   100%  2006-11-16   1257376  <none>
 2645  FN..   100%  2006-11-16   1642654  <none>
 2646  FN..   100%  2006-11-16    852610  <none>
 2647  FN..   100%  2006-11-16   2441440  <none>
 2648  FN..   100%  2006-11-16   1672247  <none>
 2649  FN..   100%  2006-11-16   2173221  <none>
 2650  FN..   100%  2006-11-16   2278516  <none>
 2651  D...     0%  2010-01-16         0  <none>

Files with potentially recoverable content: 33

So, there is some inconsistency with the "Date" output and no filenames
are listed, however there is apparently information regarding deleted
files.

Next I just concentrate on the first potentially recoverable file, which is
listed as inode 1455.
First I use ntfsundelete to recover the file; this is successful. I then
re-run fls -r and grep the output for "1455" to see if fls has wrongly
identified the file as being an active file...no result.

Then I try istat on that inode:

istat -i raw -f ntfs -o 62 /dev/sdd 1455

MFT Entry Header Values:
Entry: 1455 Sequence: 5
$LogFile Sequence Number: 0
Not Allocated File
Links: 0

$STANDARD_INFORMATION Attribute Values:
Flags:
Owner ID: 0
Security ID: 0 ()
Created: Sat Jan 16 14:38:49 2010
File Modified: Thu Nov 16 22:47:02 2006
MFT Modified: Thu Nov 16 22:47:02 2006
Accessed: Tue Jun 23 01:00:00 2009

Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 48
Type: $SECURITY_DESCRIPTOR (80-1) Name: N/A Resident size: 80
Type: $DATA (128-2) Name: $Data Non-Resident size: 1554574
117046...117805 (Data runs truncated for ease of viewing)

Then I use icat to output the allocated clusters...this is successful.

I would guess that most of the inconsistencies are as a result of how the
ntfs-3g project has implemented various features of ntfs.

Regards

Adrian Shaw
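The istat output above shows what sets entry 1455 apart from an ordinarily deleted NTFS file: the MFT record is not allocated, has zero links, and carries no $FILE_NAME attribute at all (only $STANDARD_INFORMATION, $SECURITY_DESCRIPTOR and $DATA), which matches ntfsundelete printing "<none>" for every filename. A deleted-file listing needs a name to show, so a record in that state is exactly the kind of case worth checking by hand. The Python script below is an added example, not part of the report or of The Sleuth Kit or ntfs-3g: it parses a raw 1024-byte MFT record (update-sequence fixups, header flags, attribute walk) and reports the triage fields an analyst wants: allocated or not, link count, and whether $FILE_NAME and $DATA are present. The two records it parses are constructed inside the script, one shaped like entry 1455 and one shaped like a deletion that kept its name; the field layouts are the on-disk NTFS formats, while the sample values and the `build_record` helper are assumptions made for the example.

```python
"""Parse an NTFS MFT record and report its allocation state and attribute set.

Added example, not code from the bug report, The Sleuth Kit or ntfs-3g.
Record and attribute layouts follow the on-disk NTFS format; sample records
are constructed below and labelled as such.
"""
import struct

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME",
              0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA", 0x90: "$INDEX_ROOT"}
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002


def apply_fixups(buf: bytes) -> bytes:
    """Undo the update sequence array: restore the last 2 bytes of each sector."""
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = buf[usa_off:usa_off + 2]
    rec = bytearray(buf)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:  # torn write or not a valid record
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(buf: bytes) -> dict:
    """Return header fields and the attributes present in one MFT record."""
    if buf[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(buf)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    entry = struct.unpack_from("<I", rec, 0x2C)[0]
    attrs, off = [], first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:  # end-of-attributes marker
            break
        if alen < 0x10 or off + alen > len(rec):
            raise ValueError("bad attribute length at offset 0x%x" % off)
        non_res, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        # non-resident: real (logical) size at +0x30; resident: content length at +0x10
        size = struct.unpack_from("<Q" if non_res else "<I", rec, off + (0x30 if non_res else 0x10))[0]
        attrs.append({"type": ATTR_NAMES.get(atype, "0x%x" % atype), "name": name,
                      "resident": not non_res, "size": size})
        off += alen
    return {"entry": entry, "seq": seq, "links": links, "attrs": attrs,
            "in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY)}


def triage(record: dict) -> str:
    """One-line verdict: can this record be listed by name, and does it still point at data?"""
    types = {a["type"] for a in record["attrs"]}
    return "entry %d: %s, %d link(s), $FILE_NAME %s, $DATA %s" % (
        record["entry"], "allocated" if record["in_use"] else "unallocated", record["links"],
        "present" if "$FILE_NAME" in types else "absent", "present" if "$DATA" in types else "absent")


# --- constructed sample records (assumed values, built for this example) ---
def _attr(atype, payload=b"", non_resident=False, real_size=0):
    """Build one unnamed attribute: resident with payload, or non-resident with a size."""
    if non_resident:  # start VCN, last VCN, run offset, cu, pad, alloc, real, init; empty run list
        body = struct.pack("<QQHHIQQQ", 0, 0, 0x40, 0, 0, real_size, real_size, real_size) + b"\x00"
    else:  # content length, content offset, indexed flag, pad, then content
        body = struct.pack("<IHBB", len(payload), 0x18, 0, 0) + payload
    length = (0x10 + len(body) + 7) & ~7  # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHH", atype, length, int(non_resident), 0, 0x40 if non_resident else 0x18, 0, 0)
    return (hdr + body).ljust(length, b"\x00")


def build_record(entry, seq, links, flags, attrs, usn=b"\x01\x00"):
    """Assemble a 1024-byte MFT record, writing the update sequence array like the driver would."""
    usa_off, usa_count = 0x30, 1 + RECORD_SIZE // SECTOR_SIZE
    first_attr = (usa_off + 2 * usa_count + 7) & ~7
    body = b"".join(attrs) + b"\xff\xff\xff\xff\x00\x00\x00\x00"
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", usa_off, usa_count, 0, seq, links, first_attr,
                                flags, first_attr + len(body), RECORD_SIZE, 0, 0, 0, entry)
    rec = bytearray((hdr.ljust(first_attr, b"\x00") + body).ljust(RECORD_SIZE, b"\x00"))
    usa = bytearray(usn)
    for i in range(1, usa_count):  # stash each sector's last word, overwrite it with the USN
        end = i * SECTOR_SIZE
        usa += rec[end - 2:end]
        rec[end - 2:end] = usn
    rec[usa_off:usa_off + len(usa)] = usa
    return bytes(rec)


# Shaped like the istat output for entry 1455: seq 5, 0 links, not in use, no $FILE_NAME.
SAMPLE_1455 = build_record(1455, 5, 0, 0, [
    _attr(0x10, payload=b"\x00" * 48), _attr(0x50, payload=b"\x00" * 80),
    _attr(0x80, non_resident=True, real_size=1554574)])
# Contrast: an unallocated record whose $FILE_NAME survived (name "a.txt", assumed).
SAMPLE_NAMED = build_record(1456, 2, 0, 0, [
    _attr(0x10, payload=b"\x00" * 48),
    _attr(0x30, payload=b"\x00" * 64 + bytes([5, 0]) + "a.txt".encode("utf-16-le")),
    _attr(0x80, payload=b"hello")])

if __name__ == "__main__":
    for buf in (SAMPLE_1455, SAMPLE_NAMED):
        print(triage(parse_record(buf)))
```

To run the same check on a real image, read 1024 bytes at offset N*1024 of the $MFT (icat with the same -o/-f options and inode 0 writes $MFT to stdout) and pass them to `parse_record`; a record that parses as unallocated with no $FILE_NAME is one fls cannot list by name, and its content, if any, is reachable only through the $DATA runs, as icat was used above.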
