[sleuthkit-developers] [ sleuthkit-Feature Requests-2895607 ] Identify in NTFS the SID of the owner
From: SourceForge.net <no...@so...> - 2009-12-08 02:12:51
Feature Requests item #2895607, was opened at 2009-11-10 19:25
Message generated for change (Settings changed) made by carrier
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System
Group: None
>Status: Closed
Priority: 5
Private: No
Submitted By: James Butler (jamiebutler)
Assigned to: Nobody/Anonymous (nobody)
Summary: Identify in NTFS the SID of the owner of a file

Initial Comment:
The owner SID of files needs to be identified per file. Every file has an associated security identifier which identifies the owner, groups, etc. of the file. More than one file may have the same security identifier if the files share the exact same security descriptor.

Using the security identifier of the file (secid), we can look up its security descriptor within $Secure. Security descriptors are variable length and contained in the $SDS stream within $Secure. The $SII stream of $Secure is an index into the $SDS stream. $SII entries are stored incrementally by the secid. Once we find the secid of the file inside the $SII stream, the $SII entry will tell the offset within the $SDS stream to read the security descriptor.

Use the tsk_fs_file_read_owner_sid function within fs_file.c to get the string representation of the owner SID of a file on NTFS. When an NTFS filesystem is opened ntfs_open is called. ntfs_open initializes a pointer to ntfs_lookup_security_id and then calls ntfs_load_secure. ntfs_load_secure opens MFT entry 9, $Secure, and reads in the $SDS and $SII streams. When tsk_fs_file_read_owner_sid is called on a TSK_FS_FILE, the owner SID is returned in its string form.
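The lookup the submission describes, as an added example that is not part of the patch or of The Sleuth Kit's own code: a small $SDS walker that finds the entry for a given secid and renders the owner SID of the self-relative security descriptor it carries. The $SDS bytes below are constructed for the demonstration (two entries, secids 256 and 257); the function names (sds_find_owner_sid, sid_to_string, demo_owner_sid) are hypothetical. It replaces the $SII index lookup with a linear scan of the $SDS entry headers, which is what the index lets a real implementation avoid.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a little-endian 32-bit integer from the raw stream. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Render the binary SID at sd[sid_off] as "S-<revision>-<authority>-<sub>-...".
 * Returns 0 on success, -1 if the SID would run past the end of the descriptor. */
static int sid_to_string(const uint8_t *sd, size_t sd_len, uint32_t sid_off,
                         char *out, size_t outlen)
{
    if (sid_off > sd_len || sd_len - sid_off < 8)
        return -1;
    const uint8_t *sid = sd + sid_off;
    unsigned rev = sid[0], nsub = sid[1];        /* revision, sub-authority count */
    if (sd_len - sid_off - 8 < (size_t)nsub * 4)
        return -1;
    unsigned long long auth = 0;                 /* 48-bit big-endian identifier authority */
    for (int i = 2; i < 8; i++)
        auth = auth << 8 | sid[i];
    int n = snprintf(out, outlen, "S-%u-%llu", rev, auth);
    for (unsigned i = 0; i < nsub; i++) {
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        n += snprintf(out + n, outlen - n, "-%u", rd32(sid + 8 + 4 * i));
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Walk $SDS for the entry whose security id equals secid and return the owner SID
 * of the descriptor it carries. Every $SDS entry starts with a 20-byte header
 * (hash, security id, offset of the entry within $SDS, entry length) followed by a
 * self-relative SECURITY_DESCRIPTOR; the next entry begins on a 16-byte boundary.
 * A zero/short length is treated as end of data. Returns 0 on success, -1 otherwise. */
int sds_find_owner_sid(const uint8_t *sds, size_t sds_len, uint32_t secid,
                       char *out, size_t outlen)
{
    size_t off = 0;
    while (off + 20 <= sds_len) {
        uint32_t id  = rd32(sds + off + 4);
        uint32_t len = rd32(sds + off + 16);
        if (len < 20 || len > sds_len - off)
            return -1;                           /* end of data or corrupt header */
        if (id == secid) {
            const uint8_t *sd = sds + off + 20;
            size_t sd_len = len - 20;
            if (sd_len < 20)                     /* descriptor header is 20 bytes */
                return -1;
            uint32_t owner_off = rd32(sd + 4);   /* OffsetOwner field */
            if (owner_off == 0)
                return -1;                       /* descriptor carries no owner */
            return sid_to_string(sd, sd_len, owner_off, out, outlen);
        }
        off += ((size_t)len + 15) & ~(size_t)15; /* entries are 16-byte aligned */
    }
    return -1;
}

/* Constructed $SDS stream: two entries, each a minimal descriptor with only an owner. */
static const uint8_t SAMPLE_SDS[] = {
    /* entry 1: secid 256, offset 0, length 52, owner S-1-5-18 */
    0x11, 0x22, 0x33, 0x44,                         /* hash (constructed) */
    0x00, 0x01, 0x00, 0x00,                         /* security id = 256 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* offset in $SDS = 0 */
    0x34, 0x00, 0x00, 0x00,                         /* entry length = 52 */
    0x01, 0x00, 0x00, 0x80,                         /* revision 1, control = SE_SELF_RELATIVE */
    0x14, 0x00, 0x00, 0x00,                         /* OffsetOwner = 20 */
    0x00, 0x00, 0x00, 0x00,                         /* OffsetGroup = 0 */
    0x00, 0x00, 0x00, 0x00,                         /* OffsetSacl = 0 */
    0x00, 0x00, 0x00, 0x00,                         /* OffsetDacl = 0 */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, /* S-1-5-18 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,             /* pad to 16-byte boundary */
    /* entry 2: secid 257, offset 64, length 56, owner S-1-5-32-544 */
    0x55, 0x66, 0x77, 0x88,
    0x01, 0x01, 0x00, 0x00,                         /* security id = 257 */
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* offset in $SDS = 64 */
    0x38, 0x00, 0x00, 0x00,                         /* entry length = 56 */
    0x01, 0x00, 0x00, 0x80,
    0x14, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, /* S-1-5-32-544 */
};

/* Look up secid in the constructed stream; returns a static string or NULL. */
const char *demo_owner_sid(uint32_t secid)
{
    static char buf[128];
    if (sds_find_owner_sid(SAMPLE_SDS, sizeof SAMPLE_SDS, secid, buf, sizeof buf) != 0)
        return NULL;
    return buf;
}

int main(void)
{
    uint32_t ids[] = { 256, 257, 999 };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        const char *sid = demo_owner_sid(ids[i]);
        printf("secid %u -> %s\n", ids[i], sid ? sid : "no owner SID found");
    }
    return 0;
}
```

Every offset is bounds-checked against the entry length and the stream length before it is dereferenced, because $SDS comes straight from the image and a corrupt or hostile length field must not push the reader past the buffer. On a real volume $SDS also mirrors each 256 KiB block and may be zero-padded; a production reader, like the $SII-driven one in the patch, seeks to the indexed offset instead of scanning.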
----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-12-07 21:12

Message:
Fixed the missing error messages and changed the error handling of load_secure so that it could load FS w/no security info.

Sending trunk/tsk3/fs/ntfs.c
Transmitting file data .
Committed revision 142.

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-12-01 17:49

Message:
Thanks. This has been added to the trunk. I changed it up a bit and moved some code around. For example, I moved the NTFS code from fs_file into ntfs.c and changed some of the NTFS functions, but most of it is the same. I'm keeping this open as a reminder to go in and add some more error statements into ntfs.c

Sending trunk/tsk3/fs/fs_attrlist.c
Sending trunk/tsk3/fs/fs_file.c
Sending trunk/tsk3/fs/ntfs.c
Sending trunk/tsk3/fs/tsk_fs.h
Sending trunk/tsk3/fs/tsk_fs_i.h
Sending trunk/tsk3/fs/tsk_ntfs.h
Transmitting file data ......
Committed revision 135.

----------------------------------------------------------------------

Comment By: James Butler (jamiebutler)
Date: 2009-11-25 17:12

Message:
Sorry, here is that function.

#include "tsk_fs_i.h"   /* TSK internal header (assumed: supplies TSK_FS_ATTRLIST, tsk_errno, tsk_errstr) */

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/**
 * \internal
 * Search the attribute list of TSK_FS_ATTR structures for an entry with a given
 * type (no ID) and a given name. If more than one entry with the same type exists,
 * the one with the lowest ID will be returned.
 *
 * @param a_fs_attrlist Data list structure to search in
 * @param a_type Type of attribute to find
 * @param name Name of the attribute to find
 *
 * @return NULL is returned on error and if an entry could not be found.
 * tsk_errno will be set to TSK_ERR_FS_ATTR_NOTFOUND if entry could not be found.
 */
const TSK_FS_ATTR *
tsk_fs_attrlist_get_name_type(const TSK_FS_ATTRLIST * a_fs_attrlist,
    TSK_FS_ATTR_TYPE_ENUM a_type, char *name)
{
    TSK_FS_ATTR *fs_attr_cur;
    TSK_FS_ATTR *fs_attr_ok = NULL;

    if ((!a_fs_attrlist) || (name == NULL)) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_FS_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "tsk_fs_attrlist_get: Null list pointer");
        tsk_errstr2[0] = '\0';
        return NULL;
    }

    for (fs_attr_cur = a_fs_attrlist->head; fs_attr_cur;
        fs_attr_cur = fs_attr_cur->next) {
        /* the name check guards against unnamed attributes (NULL name buffer) */
        if ((fs_attr_cur->flags & TSK_FS_ATTR_INUSE)
            && (fs_attr_cur->type == a_type)
            && (fs_attr_cur->name != NULL)
            && (!strncmp(fs_attr_cur->name, name,
                    MIN(fs_attr_cur->name_size, strlen(name))))) {

            /* If we are looking for NTFS $Data,
             * then return default when we see it */
            if ((fs_attr_cur->type == TSK_FS_ATTR_TYPE_NTFS_DATA)
                && (fs_attr_cur->name_size > 5)
                && (strncmp(fs_attr_cur->name, "$Data", 5) == 0)) {
                return fs_attr_cur;
            }

            // make sure we return the lowest if multiple exist
            if ((fs_attr_ok == NULL) || (fs_attr_ok->id > fs_attr_cur->id))
                fs_attr_ok = fs_attr_cur;
        }
    }

    if (!fs_attr_ok) {
        tsk_errno = TSK_ERR_FS_ATTR_NOTFOUND;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "tsk_fs_attrlist_get: Attribute %d not found", a_type);
        return NULL;
    }
    else {
        return fs_attr_ok;
    }
}

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-11-25 11:01

Message:
Jamie, did you create a tsk_fs_attrlist_get_name_type() function as well? It is being called from the new NTFS code, but it is not defined in TSK and I didn't see it in the patch. thanks.

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-11-25 10:30

Message:
Applied memory leak patches into fs_file.c:

Sending fs/fs_file.c
Transmitting file data .
Committed revision 131.

----------------------------------------------------------------------

You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685