[sleuthkit-developers] [ sleuthkit-Feature Requests-2895607 ] Identify in NTFS the SID of the owner
From: SourceForge.net <no...@so...> - 2009-11-25 22:12:20
Feature Requests item #2895607, was opened at 2009-11-10 19:25
Message generated for change (Comment added) made by jamiebutler
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: James Butler (jamiebutler)
Assigned to: Nobody/Anonymous (nobody)
Summary: Identify in NTFS the SID of the owner of a file

Initial Comment:
The owner SID of files needs to be identified per file. Every file has an associated security identifier which identifies the owner, groups, etc. of the file. More than one file may have the same security identifier if the files share the exact same security descriptor.

Using the security identifier of the file (secid), we can look up its security descriptor within $Secure. Security descriptors are variable length and contained in the $SDS stream within $Secure. The $SII stream of $Secure is an index into the $SDS stream. $SII entries are stored incrementally by the secid. Once we find the secid of the file inside the $SII stream, the $SII entry will tell the offset within the $SDS stream to read the security descriptor.

Use the tsk_fs_file_read_owner_sid function within fs_file.c to get the string representation of the owner SID of a file on NTFS. When an NTFS filesystem is opened, ntfs_open is called. ntfs_open initializes a pointer to ntfs_lookup_security_id and then calls ntfs_load_secure. ntfs_load_secure opens MFT entry 9, $Secure, and reads in the $SDS and $SII streams. When tsk_fs_file_read_owner_sid is called on a TSK_FS_FILE, the owner SID is returned in its string form.
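The lookup chain the initial comment describes (secid, then the $SII entry for that secid, then the offset and length it gives into $SDS, then the self-relative security descriptor stored there, then its owner SID rendered as a string), carried through in code. This is an added example written for this page; it is not part of the tracker thread and not TSK's own code. It assumes the documented on-disk layouts: the 20-byte $SDS entry header (hash, secid, 64-bit offset, 32-bit length) that also forms the data portion of an $SII index entry, the SECURITY_DESCRIPTOR_RELATIVE header, and the binary SID encoding. The $SII index is modelled as a sorted array instead of a B-tree, and the $SDS bytes in demo_lookup() are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not TSK code): secid -> $SII entry -> $SDS offset/length ->
 * self-relative security descriptor -> owner SID string. Layouts are the
 * documented on-disk formats; the sample bytes at the bottom are constructed. */

/* Data portion of an $SII index entry; the same 20 bytes head each $SDS entry:
 *   0x00 u32 hash   0x04 u32 secid   0x08 u64 offset in $SDS   0x10 u32 length */
typedef struct {
    uint32_t hash;
    uint32_t secid;
    uint64_t sds_offset;
    uint32_t sds_len;   /* header + descriptor */
} sii_entry_t;

#define SDS_HDR_LEN 20
#define SE_SELF_RELATIVE 0x8000

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* $SII is keyed and sorted by secid, so a binary search stands in for the
 * B-tree walk. Returns NULL when the secid has no entry. */
static const sii_entry_t *sii_lookup(const sii_entry_t *idx, size_t n, uint32_t secid)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (idx[mid].secid == secid) return &idx[mid];
        if (idx[mid].secid < secid) lo = mid + 1; else hi = mid;
    }
    return NULL;
}

/* Binary SID: rev(1) count(1) authority(6, big-endian) count*sub-authority(4, LE).
 * Writes "S-1-5-21-..." and returns its length, or -1 if truncated/malformed. */
static int sid_to_string(const uint8_t *sid, size_t avail, char *out, size_t outlen)
{
    if (avail < 8 || sid[0] != 1 || sid[1] > 15) return -1;
    unsigned count = sid[1];
    if (avail < 8 + (size_t)count * 4) return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (unsigned i = 0; i < count; i++) {
        int m = snprintf(out + n, outlen - (size_t)n, "-%u", (unsigned)rd32(sid + 8 + i * 4));
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* Resolve a file's secid to its owner SID string. Every offset and length is
 * bounds-checked because both streams are untrusted on-disk data.
 * Returns 0 on success, -1 when the secid is unknown or the data is malformed. */
int owner_sid_for_secid(const sii_entry_t *idx, size_t n_idx,
                        const uint8_t *sds, size_t sds_len,
                        uint32_t secid, char *out, size_t outlen)
{
    const sii_entry_t *e = sii_lookup(idx, n_idx, secid);
    if (!e) return -1;
    if (e->sds_offset > sds_len || e->sds_len < SDS_HDR_LEN ||
        e->sds_len > sds_len - e->sds_offset) return -1;
    const uint8_t *ent = sds + e->sds_offset;
    if (rd32(ent + 4) != secid) return -1;          /* $SDS header must repeat the secid */
    const uint8_t *sd = ent + SDS_HDR_LEN;           /* SECURITY_DESCRIPTOR_RELATIVE: */
    size_t sd_len = e->sds_len - SDS_HDR_LEN;        /* rev sbz control owner group sacl dacl */
    if (sd_len < 20 || sd[0] != 1 || !(rd16(sd + 2) & SE_SELF_RELATIVE)) return -1;
    uint32_t owner_off = rd32(sd + 4);
    if (owner_off == 0 || owner_off >= sd_len) return -1;   /* no owner, or out of range */
    return sid_to_string(sd + owner_off, sd_len - owner_off, out, outlen) < 0 ? -1 : 0;
}

/* Constructed $Secure data: a single $SDS entry for secid 0x100 whose owner is
 * S-1-5-21-1-2-3-1000, and a one-entry $SII. Looks up the requested secid. */
int demo_lookup(uint32_t secid, char *out, size_t outlen)
{
    static const uint8_t sds[] = {
        0,0,0,0,  0x00,0x01,0,0,  0,0,0,0,0,0,0,0,  68,0,0,0,      /* hash, secid, offset, length */
        1,0,  0x00,0x80,  20,0,0,0,  0,0,0,0,  0,0,0,0,  0,0,0,0,  /* SD header, owner at +20 */
        1,5, 0,0,0,0,0,5,  21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 0xE8,0x03,0,0, /* owner SID */
    };
    static const sii_entry_t sii[] = { { 0, 0x100, 0, 68 } };
    return owner_sid_for_secid(sii, 1, sds, sizeof sds, secid, out, outlen);
}

int main(void)
{
    char buf[64];
    if (demo_lookup(0x100, buf, sizeof buf) == 0) printf("owner: %s\n", buf);
    return 0;
}
```

The secid stored in the $SDS header is compared against the one that was looked up, and the output buffer is checked on every write, so a stale index, a truncated stream or a descriptor whose owner offset points past its end all fail cleanly instead of reading out of bounds; those are exactly the conditions a forensic parser meets on damaged or hostile images.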
----------------------------------------------------------------------

>Comment By: James Butler (jamiebutler)
Date: 2009-11-25 17:12

Message:
Sorry, here is that function.

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/**
 * \internal
 * Search the attribute list of TSK_FS_ATTR structures for an entry with a given
 * type (no ID) and a given name. If more than one entry with the same type exists,
 * the one with the lowest ID will be returned.
 *
 * @param a_fs_attrlist Data list structure to search in
 * @param a_type Type of attribute to find
 * @param name Name of the attribute to find
 *
 * @return NULL is returned on error and if an entry could not be found.
 * tsk_errno will be set to TSK_ERR_FS_ATTR_NOTFOUND if entry could not be found.
 */
const TSK_FS_ATTR *
tsk_fs_attrlist_get_name_type(const TSK_FS_ATTRLIST * a_fs_attrlist,
    TSK_FS_ATTR_TYPE_ENUM a_type, char *name)
{
    TSK_FS_ATTR *fs_attr_cur;
    TSK_FS_ATTR *fs_attr_ok = NULL;

    if ((!a_fs_attrlist) || (name == NULL)) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_FS_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "tsk_fs_attrlist_get: Null list pointer");
        tsk_errstr2[0] = '\0';
        return NULL;
    }

    for (fs_attr_cur = a_fs_attrlist->head; fs_attr_cur;
        fs_attr_cur = fs_attr_cur->next) {
        /* Only the shorter of the two lengths is compared, so a stored name
         * that is a prefix of the requested name (or vice versa) also matches. */
        if ((fs_attr_cur->flags & TSK_FS_ATTR_INUSE)
            && (fs_attr_cur->type == a_type)
            && (!strncmp(fs_attr_cur->name, name,
                    MIN(fs_attr_cur->name_size, strlen(name))))) {

            /* If we are looking for NTFS $Data,
             * then return default when we see it */
            if ((fs_attr_cur->type == TSK_FS_ATTR_TYPE_NTFS_DATA)
                && (fs_attr_cur->name_size > 5)
                && (strncmp(fs_attr_cur->name, "$Data", 5) == 0)) {
                return fs_attr_cur;
            }

            // make sure we return the lowest if multiple exist
            if ((fs_attr_ok == NULL) || (fs_attr_ok->id > fs_attr_cur->id))
                fs_attr_ok = fs_attr_cur;
        }
    }

    if (!fs_attr_ok) {
        tsk_errno = TSK_ERR_FS_ATTR_NOTFOUND;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "tsk_fs_attrlist_get: Attribute %d not found", a_type);
        return NULL;
    }
    else {
        return fs_attr_ok;
    }
}
----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-11-25 11:01

Message:
Jamie, did you create a tsk_fs_attrlist_get_name_type() function as well? It is being called from the new NTFS code, but it is not defined in TSK and I didn't see it in the patch. thanks.

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-11-25 10:30

Message:
Applied memory leak patches into fs_file.c:

Sending fs/fs_file.c
Transmitting file data .
Committed revision 131.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685