[sleuthkit-developers] [ sleuthkit-Bugs-2975624 ] NTFS-3G issues?
From: SourceForge.net <no...@so...> - 2010-03-24 01:46:44
Bugs item #2975624, was opened at 2010-03-23 20:46
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2975624&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: File System Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: NTFS-3G issues?

Initial Comment:
Posted to sleuthkit-users on 3/4/10 by Adrian Shaw

Hi

I'm using TSK 3.1.0 on OpenSuSe 10.3, installed from source.

It appears that fls isn't listing deleted files on media formatted with the
ntfs-3g package.

I used a 2GB CF card, wiped it, formatted it with linux fdisk then laid down
an ntfs filesystem using the mkfs.ntfs utility from the ntfs-3g project.

I copied a load of files to the card, then deleted about 30 of them.

Then I used fls to try and view the metadata for the deleted files:

fls -d -r -i raw -f ntfs -o 62 /dev/sdd

No results are returned from this command.

So I re-ran the command but modified it to show all files:

fls -r -i raw -f ntfs -o 62 /dev/sdd

I get the expected output - the metadata is listed for the live files.

I then use ntfsundelete to try and get information regarding the deleted
files on the card:

ntfsundelete -f /dev/sdd1
Volume is dirty. Forced to continue.
Inode    Flags  %age  Date        Size     Filename
---------------------------------------------------------------
16       F...     0%  2010-01-10        0  <none>
17       F...     0%  2010-01-10        0  <none>
18       F...     0%  2010-01-10        0  <none>
19       F...     0%  2010-01-10        0  <none>
20       F...     0%  2010-01-10        0  <none>
21       F...     0%  2010-01-10        0  <none>
22       F...     0%  2010-01-10        0  <none>
23       F...     0%  2010-01-10        0  <none>
1453     D...     0%  2010-01-16        0  <none>
1455     FN..   100%  2006-11-16  1554574  <none>
1456     D...     0%  2010-01-16        0  <none>
1457     FN..   100%  2006-11-16  1568011  <none>
1458     FN..   100%  2006-11-16  1551851  <none>
1459     FN..   100%  2006-11-16  1602861  <none>
1461     FN..   100%  2006-11-16  1568559  <none>
1462     FN..   100%  2006-11-16  1565797  <none>
1482     D...     0%  2010-01-16        0  <none>
2620     D...     0%  2010-01-16        0  <none>
2621     FN..   100%  2006-11-16  2195587  <none>
2622     FN..   100%  2006-11-16  1533953  <none>
2623     FN..   100%  2006-11-16  1559211  <none>
2624     D...     0%  2010-01-16        0  <none>
2625     FN..   100%  2006-11-16  1561141  <none>
2626     FN..   100%  2006-11-16  1492597  <none>
2627     FN..   100%  2006-11-16  1535152  <none>
2628     FN..   100%  2006-11-16  1475406  <none>
2629     FN..   100%  2006-11-16  1537154  <none>
2630     FN..   100%  2006-11-16  1524184  <none>
2631     FN..   100%  2006-11-16  1571648  <none>
2632     D...     0%  2010-01-16        0  <none>
2633     FN..   100%  2006-11-16  1591611  <none>
2634     FN..   100%  2006-11-16  1577103  <none>
2635     FN..   100%  2006-11-16  1580217  <none>
2636     FN..   100%  2006-11-16  2450007  <none>
2637     FN..   100%  2006-11-16  1839617  <none>
2638     FN..   100%  2006-11-16  1734110  <none>
2639     FN..   100%  2006-11-16  1746931  <none>
2640     D...     0%  2010-01-16        0  <none>
2641     FN..   100%  2006-11-16  2481670  <none>
2642     FN..   100%  2006-11-16  2451247  <none>
2643     FN..   100%  2006-11-16  1727085  <none>
2644     FN..   100%  2006-11-16  1257376  <none>
2645     FN..   100%  2006-11-16  1642654  <none>
2646     FN..   100%  2006-11-16   852610  <none>
2647     FN..   100%  2006-11-16  2441440  <none>
2648     FN..   100%  2006-11-16  1672247  <none>
2649     FN..   100%  2006-11-16  2173221  <none>
2650     FN..   100%  2006-11-16  2278516  <none>
2651     D...     0%  2010-01-16        0  <none>

Files with potentially recoverable content: 33

So, there is some inconsistency with the "Date" output and no filenames are
listed, however there is apparently information regarding deleted files.

Next I just concentrate on the first potentially recoverable file which is
listed as inode 1455.

First I use ntfsundelete to recover the file, this is successful.

I then re-run fls -r and grep the output for "1455" to see if fls has wrongly
identified the file as being an active file...no result.

Then I try istat on that inode:

istat -i raw -f ntfs -o 62 /dev/sdd 1455
MFT Entry Header Values:
Entry: 1455        Sequence: 5
$LogFile Sequence Number: 0
Not Allocated File
Links: 0

$STANDARD_INFORMATION Attribute Values:
Flags:
Owner ID: 0
Security ID: 0  ()
Created:        Sat Jan 16 14:38:49 2010
File Modified:  Thu Nov 16 22:47:02 2006
MFT Modified:   Thu Nov 16 22:47:02 2006
Accessed:       Tue Jun 23 01:00:00 2009

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 48
Type: $SECURITY_DESCRIPTOR (80-1)   Name: N/A   Resident   size: 80
Type: $DATA (128-2)   Name: $Data   Non-Resident   size: 1554574
117046...117805 (Data runs truncated for ease of viewing)

Then I use icat to output the allocated clusters...this is successful.

I would guess that most of the inconsistencies are a result of how the
ntfs-3g project has implemented various features of ntfs.

Regards

Adrian Shaw

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2975624&group_id=55685
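When two tools disagree about a deleted entry the way fls and ntfsundelete do in the report above, the facts istat prints (sequence number, link count, the in-use flag, and which attributes the record still carries) can be checked straight from the raw MFT record. The parser below is an added example written for this thread; it is not code from The Sleuth Kit or from ntfs-3g. It assumes the standard NTFS FILE record layout (1024-byte records, 512-byte sectors, update-sequence fixups at the end of each sector) and builds two constructed records in memory rather than reading a disk: one modelled on the istat output for entry 1455 (not allocated, zero links, $STANDARD_INFORMATION, $SECURITY_DESCRIPTOR and a non-resident $DATA of 1554574 bytes, and no $FILE_NAME), and one live entry for contrast. The fixup check matters for the same reason "Volume is dirty" does: a record whose sector-end words do not match the update sequence number was torn mid-write and should not be trusted.

```python
"""Minimal NTFS MFT record parser: allocation flag, link count, attribute list.
Constructed example for the sleuthkit-devel thread; not TSK or ntfs-3g code."""
import struct

SECTOR = 512
RECORD_SIZE = 1024
MFT_IN_USE = 0x0001
MFT_DIRECTORY = 0x0002
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME",
              0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA"}


def apply_fixups(record):
    """Undo the update-sequence fixups and verify them; raise on a torn record."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR - 2                      # last two bytes of sector i-1
        if bytes(buf[end:end + 2]) != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf


def parse_mft_entry(record):
    """Return the header fields istat reports plus the attribute list."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    buf = apply_fixups(record)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", buf, 0x10)
    entry = {"sequence": seq, "links": links,
             "allocated": bool(flags & MFT_IN_USE),
             "directory": bool(flags & MFT_DIRECTORY), "attributes": []}
    off = first_attr
    while off + 8 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == 0xFFFFFFFF or alen == 0:      # end-of-attributes marker
            break
        non_resident = buf[off + 8] != 0
        if non_resident:
            size = struct.unpack_from("<Q", buf, off + 0x30)[0]   # real size
        else:
            size = struct.unpack_from("<I", buf, off + 0x10)[0]   # value length
        entry["attributes"].append({"type": ATTR_NAMES.get(atype, hex(atype)),
                                    "non_resident": non_resident, "size": size})
        off += alen
    return entry


def has_file_name(entry):
    """True if the record still carries a $FILE_NAME (a name and parent reference)."""
    return any(a["type"] == "$FILE_NAME" for a in entry["attributes"])


# --- constructed sample records (not real disk data) -------------------------
def _attr(atype, value=b"", nonres_size=None):
    """Build one resident (value) or non-resident (size only, empty run list) attribute."""
    if nonres_size is None:
        total = (0x18 + len(value) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0,
                          len(value), 0x18, 0, 0)
        return hdr + value + b"\0" * (total - 0x18 - len(value))
    total = (0x40 + 1 + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, total, 1, 0, 0x40, 0, 0)
    hdr += struct.pack("<QQHHIQQQ", 0, 0, 0x40, 0, 0, nonres_size, nonres_size, nonres_size)
    return hdr + b"\0" * (total - 0x40)


def build_record(attrs, in_use, seq, links, rec_no):
    """Assemble a 1024-byte record and apply fixups the way a driver would."""
    usn = b"\x11\x11"                              # arbitrary update sequence number
    body = b"".join(attrs) + b"\xff\xff\xff\xff\0\0\0\0"
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, seq, links, 0x38,
                                MFT_IN_USE if in_use else 0, 0x38 + len(body),
                                RECORD_SIZE, 0, len(attrs) + 1, 0, rec_no)
    buf = bytearray(hdr + usn + b"\0" * 6 + body)
    buf += b"\0" * (RECORD_SIZE - len(buf))
    for i in (1, 2):
        end = i * SECTOR - 2
        buf[0x30 + 2 * i:0x30 + 2 * i + 2] = buf[end:end + 2]  # save originals
        buf[end:end + 2] = usn                                  # stamp the USN
    return bytes(buf)


# Modelled on the istat output in the post: not allocated, 0 links, no $FILE_NAME.
DELETED_RECORD = build_record(
    [_attr(0x10, b"\0" * 48), _attr(0x50, b"\0" * 80), _attr(0x80, nonres_size=1554574)],
    in_use=False, seq=5, links=0, rec_no=1455)
# A live entry for contrast: allocated, one link, carries a $FILE_NAME.
LIVE_RECORD = build_record(
    [_attr(0x10, b"\0" * 48), _attr(0x30, b"\0" * 90), _attr(0x80, nonres_size=4096)],
    in_use=True, seq=1, links=1, rec_no=1456)

if __name__ == "__main__":
    for label, rec in (("1455", DELETED_RECORD), ("1456", LIVE_RECORD)):
        e = parse_mft_entry(rec)
        print(label, "Allocated" if e["allocated"] else "Not Allocated",
              "links=%d" % e["links"], [a["type"] for a in e["attributes"]],
              "has $FILE_NAME" if has_file_name(e) else "no $FILE_NAME")
```

To run it against a real image, replace the constructed records with 1024-byte reads from the $MFT data runs (entry N sits at N * 1024 from the start of $MFT); the parser itself does not change. Whether an unallocated entry still has a $FILE_NAME is worth checking first, because without it there is no name or parent directory to attach the entry to, which is consistent with ntfsundelete printing `<none>` for every filename above.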