[sleuthkit-developers] [ sleuthkit-Feature Requests-2895607 ] Identify in NTFS the SID of the owner
From: SourceForge.net <no...@so...> - 2009-11-25 16:01:36
Feature Requests item #2895607, was opened at 2009-11-10 19:25
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: James Butler (jamiebutler)
Assigned to: Nobody/Anonymous (nobody)
Summary: Identify in NTFS the SID of the owner of a file

Initial Comment:
The owner SID of files needs to be identified per file. Every file has an
associated security identifier which identifies the owner, groups, etc. of
the file. More than one file may have the same security identifier if the
files share the exact same security descriptor.

Using the security identifier of the file (secid), we can look up its
security descriptor within $Secure. Security descriptors are variable length
and contained in the $SDS stream within $Secure. The $SII stream of $Secure
is an index into the $SDS stream. $SII entries are stored incrementally by
the secid. Once we find the secid of the file inside the $SII stream, the
$SII entry will tell the offset within the $SDS stream to read the security
descriptor.

Use the tsk_fs_file_read_owner_sid function within fs_file.c to get the
string representation of the owner SID of a file on NTFS. When an NTFS
filesystem is opened, ntfs_open is called. ntfs_open initializes a pointer
to ntfs_lookup_security_id and then calls ntfs_load_secure. ntfs_load_secure
opens MFT entry 9, $Secure, and reads in the $SDS and $SII streams. When
tsk_fs_file_read_owner_sid is called on a TSK_FS_FILE, the owner SID is
returned in its string form.
----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-11-25 11:01

Message:
Jamie, did you create a tsk_fs_attrlist_get_name_type() function as well?
It is being called from the new NTFS code, but it is not defined in TSK and
I didn't see it in the patch. thanks.

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-11-25 10:30

Message:
Applied memory leak patches into fs_file.c:

Sending        fs/fs_file.c
Transmitting file data .
Committed revision 131.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685
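The secid-to-owner-SID walk the initial comment describes (secid, then the security descriptor in $SDS, then the owner SID rendered as a string) can be shown end to end on a constructed $SDS buffer. The code below is an added example written for this thread; it is not the TSK patch, and the function names (ntfs_owner_sid_lookup, sds_find, sd_owner_sid, sid_to_string, build_sample_sds) are mine, not tsk_fs_file_read_owner_sid. It assumes the documented on-disk layouts: a 20-byte $SDS entry header (32-bit hash, 32-bit secid, 64-bit offset of the entry within $SDS, 32-bit entry length) with entries padded to 16 bytes, a self-relative SECURITY_DESCRIPTOR whose owner offset sits at byte 4, and the usual binary SID layout. Instead of consulting $SII it scans $SDS sequentially, which is the fallback an examiner needs when the index is missing or not trusted; the sample $SDS data with two secids is constructed in build_sample_sds and is not from any real volume.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian helpers for the on-disk structures. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Render a binary SID (revision, sub-authority count, 48-bit big-endian identifier
 * authority, 32-bit little-endian sub-authorities) as "S-1-5-21-...". The bounds
 * checks matter: the SID is reached through attacker-writable offsets in $SDS. */
int sid_to_string(const uint8_t *sid, size_t avail, char *out, size_t outlen)
{
    if (avail < 8) return -1;
    unsigned rev = sid[0], nsub = sid[1];
    if (rev != 1 || nsub > 15 || avail < 8 + 4 * (size_t)nsub) return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int n = snprintf(out, outlen, "S-%u-%llu", rev, (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (unsigned i = 0; i < nsub; i++) {
        int m = snprintf(out + n, outlen - (size_t)n, "-%u", (unsigned)rd32(sid + 8 + 4 * i));
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return 0;
}

/* Sequential scan of $SDS for a secid (assumed 20-byte entry header, 16-byte padding).
 * Each entry records its own offset; a mismatch means corruption or a mirror block,
 * so the scan stops there rather than trusting the length field. */
const uint8_t *sds_find(const uint8_t *sds, size_t sds_len, uint32_t secid, size_t *sd_len)
{
    size_t off = 0;
    while (off + 20 <= sds_len) {
        uint32_t id = rd32(sds + off + 4), elen = rd32(sds + off + 16);
        uint64_t self = rd64(sds + off + 8);
        if (elen < 20 || self != off || off + elen > sds_len) break;
        if (id == secid) { *sd_len = elen - 20; return sds + off + 20; }
        off += (elen + 15) & ~(size_t)15;
    }
    return NULL;
}

/* Owner SID of a self-relative security descriptor (owner offset at byte 4). */
int sd_owner_sid(const uint8_t *sd, size_t sd_len, char *out, size_t outlen)
{
    if (sd_len < 20) return -1;
    uint32_t owner_off = rd32(sd + 4);
    if (owner_off == 0 || owner_off >= sd_len) return -1;
    return sid_to_string(sd + owner_off, sd_len - owner_off, out, outlen);
}

int ntfs_owner_sid_lookup(const uint8_t *sds, size_t sds_len, uint32_t secid, char *out, size_t outlen)
{
    size_t sd_len;
    const uint8_t *sd = sds_find(sds, sds_len, secid, &sd_len);
    return sd ? sd_owner_sid(sd, sd_len, out, outlen) : -1;
}

/* Constructed sample $SDS: secid 256 owned by S-1-5-18, secid 257 by S-1-5-21-1-2-3-1001,
 * both with group S-1-5-32-544. Returns the stream length, 0 if buf is too small. */
size_t build_sample_sds(uint8_t *buf, size_t buflen)
{
    static const uint8_t sys[] = {1,1,0,0,0,0,0,5, 18,0,0,0};
    static const uint8_t usr[] = {1,5,0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 0xE9,3,0,0};
    static const uint8_t grp[] = {1,2,0,0,0,0,0,5, 32,0,0,0, 0x20,2,0,0};
    struct { uint32_t secid; const uint8_t *owner; size_t olen; } ents[2] =
        {{256, sys, sizeof sys}, {257, usr, sizeof usr}};
    size_t off = 0;
    for (int i = 0; i < 2; i++) {
        size_t elen = 20 + 20 + ents[i].olen + sizeof grp, padded = (elen + 15) & ~(size_t)15;
        if (off + padded > buflen) return 0;
        uint8_t *e = buf + off, *sd = e + 20;
        memset(e, 0, padded);
        wr32(e, 0xDEADBEEF);                 /* hash: not verified by this example */
        wr32(e + 4, ents[i].secid);
        wr32(e + 8, (uint32_t)off);           /* low half of the 64-bit self offset */
        wr32(e + 16, (uint32_t)elen);
        sd[0] = 1; sd[2] = 0x04; sd[3] = 0x80; /* revision; control = DACL_PRESENT|SELF_RELATIVE */
        wr32(sd + 4, 20);                     /* owner SID follows the 20-byte header */
        wr32(sd + 8, 20 + (uint32_t)ents[i].olen);
        memcpy(sd + 20, ents[i].owner, ents[i].olen);
        memcpy(sd + 20 + ents[i].olen, grp, sizeof grp);
        off += padded;
    }
    return off;
}

/* 1 if the sample lookup for secid yields 'expected', 0 on mismatch, -1 if not found. */
int sample_owner_matches(uint32_t secid, const char *expected)
{
    uint8_t buf[256]; char out[128];
    size_t n = build_sample_sds(buf, sizeof buf);
    if (n == 0 || ntfs_owner_sid_lookup(buf, n, secid, out, sizeof out) != 0) return -1;
    return strcmp(out, expected) == 0;
}
```

On a real volume the $SDS stream is written in 256 KiB blocks, each followed by a mirror copy whose entries carry the original offsets, so a production scanner must step over the mirror blocks where this one simply stops; the $SII index, when intact, avoids the scan entirely by mapping secid straight to the $SDS offset, as the request describes.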