[sleuthkit-users] confusing file that does not have 0 bytes
From: Simson G. <si...@ac...> - 2014-02-01 02:39:27
I have an NTFS disk image. There is a file on it that the SleuthKit reports has 0 length. But fiwalk reports that it has several byte runs. Currently fiwalk is computing the hash of those byte runs and reporting it as the file hash, which is the wrong behavior. Below is the istat, followed by the XML dump and also the fls output. It looks to me that there are several attributes; one of them, the $SDS attribute, is 1.9MB in length. Clearly the attributes should not be hashed to determine the file's hash, so there is a bug in fiwalk that I need to fix. From the API, how do I determine that the data callback is being given an attribute that shouldn't be hashed?

Here is the relevant part of the directory list with fls:

r/r * 9-144-16(realloc): title_ctr[1].gif:$SDH
r/r * 9-144-18(realloc): title_ctr[1].gif:$SII
r/r * 9-128-19(realloc): title_ctr[1].gif:$SDS

Here is the istat:

$ istat -o 63 SG1-1064.E01 9-144-16
MFT Entry Header Values:
Entry: 9        Sequence: 9
$LogFile Sequence Number: 586416701932
Allocated File
Links: 1

$STANDARD_INFORMATION Attribute Values:
Flags: Hidden, System
Owner ID: 0
Security ID: 257 (S-1-5-32-544)
Created:        2004-07-12 16:58:51 (EDT)
File Modified:  2004-07-12 16:58:51 (EDT)
MFT Modified:   2004-07-12 16:58:51 (EDT)
Accessed:       2004-07-12 16:58:51 (EDT)

$FILE_NAME Attribute Values:
Flags:
Name: $Secure
Parent MFT Entry: 5     Sequence: 5
Allocated Size: 0       Actual Size: 0
Created:        2076-11-29 03:54:34 (EST)
File Modified:  2076-11-29 03:54:34 (EST)
MFT Modified:   2076-11-29 03:54:34 (EST)
Accessed:       2076-11-29 03:54:34 (EST)

$ATTRIBUTE_LIST Attribute Values:
Type: 16-0      MFT Entry: 9       VCN: 0
Type: 48-7      MFT Entry: 9       VCN: 0
Type: 128-0     MFT Entry: 178770  VCN: 0
Type: 144-16    MFT Entry: 9       VCN: 0
Type: 144-18    MFT Entry: 9       VCN: 0
Type: 160-2     MFT Entry: 6781    VCN: 0
Type: 160-3     MFT Entry: 6781    VCN: 0
Type: 176-4     MFT Entry: 6781    VCN: 0
Type: 176-5     MFT Entry: 6781    VCN: 0

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $ATTRIBUTE_LIST (32-17)   Name: N/A   Non-Resident   size: 344  init_size: 344
549297
Type: $FILE_NAME (48-7)   Name: N/A   Resident   size: 80
Type: $INDEX_ROOT (144-16)   Name: $SDH   Resident   size: 56
Type: $INDEX_ROOT (144-18)   Name: $SII   Resident   size: 56
Type: $DATA (128-19)   Name: $SDS   Non-Resident   size: 1960040  init_size: 1960040
[cluster run list omitted]
Type: $INDEX_ALLOCATION (160-20)   Name: $SDH   Non-Resident   size: 262144  init_size: 262144
[cluster run list omitted]
Type: $INDEX_ALLOCATION (160-21)   Name: $SII   Non-Resident   size: 249856  init_size: 249856
[cluster run list omitted]
Type: $BITMAP (176-22)   Name: $SDH   Resident   size: 16
Type: $BITMAP (176-23)   Name: $SII   Resident   size: 8

Here is the XML that fiwalk dumps:

<fileobject>
  <filename>Documents and Settings/*******/Local Settings/Temporary Internet Files/Content.IE5/89MRS52V/title_ctr[1].gif</filename>
  <partition>1</partition>
  <id>162982</id>
  <name_type>r</name_type>
  <filesize>0</filesize>
  <alloc>1</alloc>
  <used>1</used>
  <inode>9</inode>
  <meta_type>1</meta_type>
  <mode>365</mode>
  <nlink>1</nlink>
  <uid>0</uid>
  <gid>0</gid>
  <mtime>2004-07-12T20:58:51Z</mtime>
  <ctime>2004-07-12T20:58:51Z</ctime>
  <atime>2004-07-12T20:58:51Z</atime>
  <crtime>2004-07-12T20:58:51Z</crtime>
  <seq>9</seq>
  <byte_runs>
    <byte_run file_offset='0' fs_offset='1598160896' img_offset='1598193152' len='266240'/>
    <byte_run file_offset='266240' fs_offset='1995890688' img_offset='1995922944' len='8192'/>
    <byte_run file_offset='274432' fs_offset='2718347264' img_offset='2718379520' len='4096'/>
    <byte_run file_offset='278528' fs_offset='2615406592' img_offset='2615438848' len='4096'/>
    <byte_run file_offset='282624' fs_offset='1972649984' img_offset='1972682240' len='4096'/>
    <byte_run file_offset='286720' fs_offset='324837376' img_offset='324869632' len='4096'/>
    ...
    <byte_run file_offset='1953792' fs_offset='1418735616' img_offset='1418767872' len='4096'/>
    <byte_run file_offset='1957888' fs_offset='1418731520' img_offset='1418763776' len='2152'/>
  </byte_runs>
  <hashdigest type='md5'>14e29e689be66747926c29e7b6d8da1c</hashdigest>
  <hashdigest type='sha1'>4755f96f4cc83ab7bf8827d361e2d66d1086f0cf</hashdigest>
</fileobject>
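As an added example (not from the post, and not fiwalk's or libtsk's own code), a Python model of the rule the question is asking for: only the unnamed, default $DATA attribute is the file's content and may be hashed, so every attribute on this entry is excluded and the file hash should be absent; it also checks that the byte runs fiwalk reported cover exactly 1960040 bytes, the size of the named $SDS stream. The attribute lines are constructed from the istat summary above; the libtsk equivalent of the name/type test (a TSK_FS_ATTR's type and name fields) and the regex are assumptions of mine.

```python
import re
# NTFS attribute type number as istat prints it; 128 is $DATA. libtsk uses the same
# numbers in its TSK_FS_ATTR_TYPE_NTFS_* constants (assumption: check your headers).
NTFS_DATA = 128
# Constructed from the istat "Attributes:" summary in the post (cluster runs omitted).
ISTAT_ATTRS = """\
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
Type: $ATTRIBUTE_LIST (32-17) Name: N/A Non-Resident size: 344 init_size: 344
Type: $FILE_NAME (48-7) Name: N/A Resident size: 80
Type: $INDEX_ROOT (144-16) Name: $SDH Resident size: 56
Type: $INDEX_ROOT (144-18) Name: $SII Resident size: 56
Type: $DATA (128-19) Name: $SDS Non-Resident size: 1960040 init_size: 1960040
Type: $INDEX_ALLOCATION (160-20) Name: $SDH Non-Resident size: 262144 init_size: 262144
Type: $INDEX_ALLOCATION (160-21) Name: $SII Non-Resident size: 249856 init_size: 249856
Type: $BITMAP (176-22) Name: $SDH Resident size: 16
Type: $BITMAP (176-23) Name: $SII Resident size: 8
"""

ATTR_RE = re.compile(
    r"Type: (\$\w+) \((\d+)-(\d+)\) Name: (\S+) (?:Non-)?Resident size: (\d+)")

def parse_attrs(text):
    # Each istat attribute line becomes a dict: type number, id, name (None if unnamed), size.
    attrs = []
    for m in ATTR_RE.finditer(text):
        _label, atype, aid, name, size = m.groups()
        attrs.append({"type": int(atype), "id": int(aid),
                      "name": None if name == "N/A" else name, "size": int(size)})
    return attrs

def is_file_content(attr):
    # Only the unnamed (default) $DATA stream is the file's own content; a named
    # $DATA stream such as $SDS, and index/bitmap attributes, must not feed the hash.
    return attr["type"] == NTFS_DATA and attr["name"] is None

def hashable_attrs(attrs):
    return [a for a in attrs if is_file_content(a)]

# First and last byte runs from the fiwalk XML in the post, as (file_offset, len).
BYTE_RUNS = [(0, 266240), (1957888, 2152)]

def covered_length(runs):
    # Extent the byte runs describe, i.e. how many bytes fiwalk actually hashed.
    return max(off + ln for off, ln in runs)

def attrs_matching_runs(attrs, runs):
    # Names of the attribute(s) whose size equals that extent: this is what was hashed.
    n = covered_length(runs)
    return [a["name"] for a in attrs if a["size"] == n]
```

For this entry `hashable_attrs` is empty, which is why the filesize is 0 and no hash belongs in the XML, while `attrs_matching_runs` identifies $SDS as the stream whose runs were hashed.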