Re: [sleuthkit-users] confusing file that does not have 0 bytes
From: Alex N. <ajn...@cs...> - 2014-02-01 20:11:36
Hi Simson,
The NTFS $Secure file is a weird one. Its primary data is stored in the
$DATA attribute with the name $SDS, and $SDH and $SII are two $INDEX
attributes for the same file. I think there are a couple other NTFS
special files that have multiple indices like this; there are definitely
files with non-standard indices.
Normally, the default, unnamed data attribute of a file would supply the
content that Fiwalk would hash. In the case of $Secure, that attribute is
in fact 0-length. (Absent, even, according to your istat.) The real data
of $Secure is in the named data stream "$Secure:$SDS". Fiwalk and DFXML
don't presently have a way to express that aside from making a whole
different fileobject; so, $Secure would be a 0-length file, $Secure:$SDS
would be a 1.9MB (for you) file. Right now, Fiwalk is just quietly hashing
the content of $Secure:$SDS; I forget if there's an explicit check for that
or it's a side-effect of something.
There is further expression weirdness if you want to express $Secure:$SDH
or $Secure:$SII, since those aren't technically content, they're indices.
I've been thinking about how to express those in DFXML for a while, because
the problem also arises for named data streams in general. What's the hash
of a file with multiple data streams? I hope you'll agree that there
should be one hash per stream, instead of one hash per file.
I think the best way to approach this problem is to define a new child
element of a <fileobject>, a named data stream (I think it's abbreviated
NDS in the Carrier book; it's "Alternate" data stream elsewhere). So, in
$Secure's case:
<fileobject>
  <filename>$Secure</filename>
  <ntfs:nds>
    <tsk:icat_id>9-128-11</tsk:icat_id>
    <parent_object>
      <inode>9</inode>
    </parent_object>
    <filename>$SDS</filename>
    <byte_runs><!--As expected...--></byte_runs>
    <hashdigest type="sha1">1234abcd...</hashdigest>
  </ntfs:nds>
</fileobject>
The named data stream elements would be a subset of the <fileobject>
elements.
Similarly, there can be elements for the NTFS index root and index
allocation attributes, which would also be children of a fileobject.
<ntfs:index_root>
  <tsk:icat_id>9-144-12</tsk:icat_id>
  <parent_object>
    <inode>9</inode>
  </parent_object>
  <filename>$SII</filename>
  <byte_runs><!--The resident data in the MFT entry's attribute; will take
  some engineering to get this right, I think--></byte_runs>
  <hashdigest type="sha1">5678...</hashdigest>
</ntfs:index_root>
<ntfs:index_allocation>
  <tsk:icat_id>9-160-13</tsk:icat_id>
  <parent_object>
    <inode>9</inode>
  </parent_object>
  <filename>$SII</filename>
  <byte_runs><!--Of the index clusters--></byte_runs>
  <hashdigest type="sha1">9abc...</hashdigest>
</ntfs:index_allocation>
This approach wouldn't require changes to the DFXML schema.
Do you think this solves the problem of extra indices and data streams for
NTFS?
--Alex
On Fri, Jan 31, 2014 at 9:38 PM, Simson Garfinkel <si...@ac...> wrote:
>
> I have an NTFS disk image. There is a file on it that the SleuthKit
> reports has 0 length. But fiwalk reports that it has several byte runs.
> Currently fiwalk is computing the hash of those byte runs and reporting it
> as the file hash, which is the wrong behavior.
>
> Below is the istat, followed by the XML dump and also the fls output. It
> looks to me that there are several attributes; one of them, the $SDS
> attribute, is 1.9MB in length.
>
> Clearly the attributes should not be hashed to determine the file's
> hash, so there is a bug in fiwalk that I need to fix. From the API, how do
> I determine that the data callback is being given an attribute that
> shouldn't be hashed?
>
> Here is the relevant part of the directory list with fls:
>
> r/r * 9-144-16(realloc): title_ctr[1].gif:$SDH
> r/r * 9-144-18(realloc): title_ctr[1].gif:$SII
> r/r * 9-128-19(realloc): title_ctr[1].gif:$SDS
>
>
>
> Here is the istat:
>
> $ istat -o 63 SG1-1064.E01 9-144-16
> MFT Entry Header Values:
> Entry: 9 Sequence: 9
> $LogFile Sequence Number: 586416701932
> Allocated File
> Links: 1
>
> $STANDARD_INFORMATION Attribute Values:
> Flags: Hidden, System
> Owner ID: 0
> Security ID: 257 (S-1-5-32-544)
> Created: 2004-07-12 16:58:51 (EDT)
> File Modified: 2004-07-12 16:58:51 (EDT)
> MFT Modified: 2004-07-12 16:58:51 (EDT)
> Accessed: 2004-07-12 16:58:51 (EDT)
>
> $FILE_NAME Attribute Values:
> Flags:
> Name: $Secure
> Parent MFT Entry: 5 Sequence: 5
> Allocated Size: 0 Actual Size: 0
> Created: 2076-11-29 03:54:34 (EST)
> File Modified: 2076-11-29 03:54:34 (EST)
> MFT Modified: 2076-11-29 03:54:34 (EST)
> Accessed: 2076-11-29 03:54:34 (EST)
>
> $ATTRIBUTE_LIST Attribute Values:
> Type: 16-0 MFT Entry: 9 VCN: 0
> Type: 48-7 MFT Entry: 9 VCN: 0
> Type: 128-0 MFT Entry: 178770 VCN: 0
> Type: 144-16 MFT Entry: 9 VCN: 0
> Type: 144-18 MFT Entry: 9 VCN: 0
> Type: 160-2 MFT Entry: 6781 VCN: 0
> Type: 160-3 MFT Entry: 6781 VCN: 0
> Type: 176-4 MFT Entry: 6781 VCN: 0
> Type: 176-5 MFT Entry: 6781 VCN: 0
>
> Attributes:
> Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
> Type: $ATTRIBUTE_LIST (32-17) Name: N/A Non-Resident size: 344
> init_size: 344
> 549297
> Type: $FILE_NAME (48-7) Name: N/A Resident size: 80
> Type: $INDEX_ROOT (144-16) Name: $SDH Resident size: 56
> Type: $INDEX_ROOT (144-18) Name: $SII Resident size: 56
> Type: $DATA (128-19) Name: $SDS Non-Resident size: 1960040
> init_size: 1960040
> 390176 390177 390178 390179 390180 390181 390182 390183
> 390184 390185 390186 390187 390188 390189 390190 390191
> 390192 390193 390194 390195 390196 390197 390198 390199
> 390200 390201 390202 390203 390204 390205 390206 390207
> 390208 390209 390210 390211 390212 390213 390214 390215
> 390216 390217 390218 390219 390220 390221 390222 390223
> 390224 390225 390226 390227 390228 390229 390230 390231
> 390232 390233 390234 390235 390236 390237 390238 390239
> 390240 487278 487279 663659 638527 481604 79306 706903
> 785371 9883 610353 610355 610371 610270 600412 619380
> 596219 569580 699395 717528 368206 370944 482186 489621
> 531746 532353 6076591 6060120 7432272 7403576 7402093 7400205
> 6386639 6424782 6425853 6308043 6542545 6496155 6556126 6624373
> 6899574 6900049 7130039 7125434 7125816 7142050 7140859 7137126
> 7133695 7133209 7132301 7131597 7131365 7131351 7126255 7125530
> 7124837 7124653 7123341 7132208 8324618 8611460 9711057 3778491
> 7299721 7299722 7299723 7299724 7299725 7299726 7299727 7299728
> 7299729 7299730 7299731 7299732 7299733 7299734 7299735 7299736
> 7299737 7299738 7299739 7299740 7299741 7299742 7299743 7299744
> 7299745 7299746 7299747 7299748 7299749 7299750 7299751 7299752
> 7299753 7299754 7299755 7299756 7299757 7299758 7299759 7299760
> 7299761 7299762 7299763 7299764 7299765 7299766 7299767 7299768
> 7299769 7299770 7299771 7299772 7299773 7299774 7299775 7299776
> 7299777 7299778 7299779 7299780 7299781 7299782 7299783 7299784
> 7299785 6678550 4855356 3758831 3758828 3758502 3758435 3757936
> 3757899 3757896 3758437 3764874 3764875 3772231 3381010 3373829
> 3354308 3373799 3066264 3050316 3050323 3639068 3579136 5890982
> 5005380 5391161 744788 744567 742412 2521794 2544838 2544980
> 2545877 2547574 2547572 5537845 5427693 5390572 5281512 5274421
> 5274391 5005604 5005540 4996110 4996004 4919745 4810409 4810410
> 4810411 4806319 4818401 4835951 7299630 7410654 7380435 6777589
> 7518578 3611101 3765721 3765626 3765627 3768851 3744748 3732304
> 3465268 3465269 3465270 3465271 3465272 3465273 3465274 3465275
> 3465276 3465277 3465278 3465279 3465280 3465281 3465282 3465283
> 3465284 3465285 3465286 3465287 3465288 3465289 3465290 3465291
> 3465292 3465293 3465294 3465295 3465296 3465297 3465298 3465299
> 3465300 3465301 3465302 3465303 3465304 3465305 3465306 3465307
> 3465308 3465309 3465310 3465311 3465312 3465313 3465314 3465315
> 3465316 3465317 3465318 3465319 3465320 3465321 3465322 3465323
> 3465324 3465325 3465326 3465327 3465328 3465329 3465330 3465331
> 3465332 3466493 4851942 296156 3420790 3421259 3421441 3421592
> 3421723 3400696 3400697 3400698 3400699 3400700 3400701 3400702
> 3400703 3400704 3400705 3400665 3403006 3403025 3403181 3404423
> 3406406 3406408 3393559 3385169 3379651 3370783 3368782 3368665
> 3366669 3350989 3350453 3350833 3353678 3342048 3341341 3333236
> 3333234 3333000 3331552 3331254 3331241 3330349 3328982 3328912
> 3328910 3328053 3327416 3327413 3327387 3322469 3321112 3311241
> 3304448 3302498 3300538 3300466 3294442 3294089 3291273 3286158
> 3734663 3734664 3734665 3734666 3734667 3734668 3734669 3734670
> 3734671 3734672 3734673 3734674 3734675 3734676 3734677 3734678
> 3734679 3734680 3734681 3734682 3734683 3734684 3734685 3734686
> 3734687 3734688 3734689 3734690 3734691 3734692 3734693 3734694
> 3734695 3734696 3734697 3734698 3734699 3734700 3734701 3734702
> 3734703 3734704 3734705 3734706 3734707 3734708 3734709 3734710
> 3734711 3734712 3734713 3734714 3734715 3734716 3734717 3734718
> 3734719 3734720 3734721 3734722 3734723 3734724 3734725 3734726
> 3734727 3732144 3730026 3730023 3729973 3727747 3727641 3727639
> 3727631 3727124 3727103 3726877 3726430 3726011 3720147 3720217
> 3720248 3722010 3722064 3722169 3725802 3748438 3756656 798823
> 780465 520279 148378 378527 355345 346371 346370
> Type: $INDEX_ALLOCATION (160-20) Name: $SDH Non-Resident size: 262144 init_size: 262144
> 78369 610316 610317 610318 610319 700617 700640 695953
> 690523 692402 1262355 1262344 4855163 4855576 4855596 4853877
> 4858975 3784815 3762045 3764806 3757945 3757507 366474 7299002
> 7299012 7298974 3293690 5912759 5915587 5916360 5917039 3758551
> 3778787 3778785 4850977 4851160 4850782 4851841 4852120 4849070
> 4847515 4845527 4845314 4844785 4844745 4842047 4841786 4841724
> 4837114 4837045 3772243 3761602 378528 616442 618862 756370
> 756371 756372 756373 756374 756375 756376 756377 756378
> Type: $INDEX_ALLOCATION (160-21) Name: $SII Non-Resident size: 249856 init_size: 249856
> 511627 478499 1175609 610352 663398 570363 164501 312115
> 6076594 616643 752222 306845 548567 549279 549339 687886
> 797375 798538 798352 799153 799352 799355 799361 787025
> 755996 1589868 1589999 792974 8310299 8306866 8306894 8305736
> 1583227 1592148 1592149 3532863 3532864 3533327 4017458 4017459
> 4017460 4017461 4017462 4017437 4017505 4017509 4017511 4017272
> 4017261 4017457 4016963 4016617 4016615 4016372 4016962 4017433
> 4017435 4015948 3772658 1245269 1010788
> Type: $BITMAP (176-22) Name: $SDH Resident size: 16
> Type: $BITMAP (176-23) Name: $SII Resident size: 8
>
>
>
> Here is the XML that fiwalk dumps:
>
> <fileobject>
> <filename>Documents and Settings/*******/Local Settings/Temporary Internet Files/Content.IE5/89MRS52V/title_ctr[1].gif</filename>
> <partition>1</partition>
> <id>162982</id>
> <name_type>r</name_type>
> <filesize>0</filesize>
> <alloc>1</alloc>
> <used>1</used>
> <inode>9</inode>
> <meta_type>1</meta_type>
> <mode>365</mode>
> <nlink>1</nlink>
> <uid>0</uid>
> <gid>0</gid>
> <mtime>2004-07-12T20:58:51Z</mtime>
> <ctime>2004-07-12T20:58:51Z</ctime>
> <atime>2004-07-12T20:58:51Z</atime>
> <crtime>2004-07-12T20:58:51Z</crtime>
> <seq>9</seq>
> <byte_runs>
> <byte_run file_offset='0' fs_offset='1598160896'
> img_offset='1598193152' len='266240'/>
> <byte_run file_offset='266240' fs_offset='1995890688'
> img_offset='1995922944' len='8192'/>
> <byte_run file_offset='274432' fs_offset='2718347264'
> img_offset='2718379520' len='4096'/>
> <byte_run file_offset='278528' fs_offset='2615406592'
> img_offset='2615438848' len='4096'/>
> <byte_run file_offset='282624' fs_offset='1972649984'
> img_offset='1972682240' len='4096'/>
> <byte_run file_offset='286720' fs_offset='324837376'
> img_offset='324869632' len='4096'/>
> ...
> <byte_run file_offset='1953792' fs_offset='1418735616'
> img_offset='1418767872' len='4096'/>
> <byte_run file_offset='1957888' fs_offset='1418731520'
> img_offset='1418763776' len='2152'/>
> </byte_runs>
> <hashdigest type='md5'>14e29e689be66747926c29e7b6d8da1c</hashdigest>
> <hashdigest type='sha1'>4755f96f4cc83ab7bf8827d361e2d66d1086f0cf</hashdigest>
> </fileobject>
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
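The rule the thread above converges on (the fileobject's own size and hash come only from the unnamed $DATA attribute; every named data stream and every index attribute gets its own digest as a child element; $BITMAP is not content at all) and the fileobject layout Alex sketches, as an added Python example. This is not fiwalk, DFXML-library or any poster's code. The attribute types, ids and names follow the istat listing for $Secure (MFT entry 9) quoted in the thread, the attribute contents are constructed bytes, the icat_id is TSK's inode-type-id form, and the two namespace URIs are assumed placeholders rather than anything from the DFXML schema. The same type-and-name test is the one a hashing callback has to make before deciding whether an attribute's bytes belong to the file's hash or to a separate per-stream hash.

```python
"""Per-attribute hashing of an NTFS MFT entry, laid out as the DFXML
fileobject proposed in the thread.  Added example, not fiwalk, DFXML-library
or any poster's code: attribute numbers follow the istat listing for $Secure
(entry 9), attribute contents are constructed bytes, and the namespace URIs
are assumed placeholders."""
import hashlib
import xml.etree.ElementTree as ET

# NTFS attribute type codes, decimal, as istat prints them in "type-id".
NTFS_DATA = 128
NTFS_INDEX_ROOT = 144
NTFS_INDEX_ALLOCATION = 160
NTFS_BITMAP = 176

# Namespace URIs: assumed placeholders, not taken from the DFXML schema.
TSK_NS = "http://www.sleuthkit.org/sleuthkit/1.0"
NTFS_NS = "urn:example:ntfs"
ET.register_namespace("tsk", TSK_NS)
ET.register_namespace("ntfs", NTFS_NS)

# Which child element a *named* attribute becomes.  $BITMAP (176) is index
# bookkeeping, not content, so it is deliberately absent and emits nothing.
CHILD_TAG = {
    NTFS_DATA: "nds",                          # named data stream, e.g. $Secure:$SDS
    NTFS_INDEX_ROOT: "index_root",             # resident index, e.g. $SDH / $SII
    NTFS_INDEX_ALLOCATION: "index_allocation", # non-resident index clusters
}


def icat_id(inode, attr_type, attr_id):
    """TSK's inode-type-id address, the form icat and istat take."""
    return "%d-%d-%d" % (inode, attr_type, attr_id)


def sha1(data):
    return hashlib.sha1(data).hexdigest()


def build_fileobject(filename, inode, attrs):
    """attrs: iterable of (type, id, name or None, content bytes).

    The fileobject's own <filesize> and <hashdigest> come only from the
    unnamed $DATA attribute.  If that attribute is absent (as istat shows
    for $Secure) the file is 0 bytes and carries no digest, whatever the
    other attributes hold.  Each other hashable attribute becomes a child
    element with its own digest: one hash per stream, not one per file.
    """
    attrs = list(attrs)
    fo = ET.Element("fileobject")
    ET.SubElement(fo, "filename").text = filename
    ET.SubElement(fo, "inode").text = str(inode)

    default = [a for a in attrs if a[0] == NTFS_DATA and a[2] is None]
    content = default[0][3] if default else b""
    ET.SubElement(fo, "filesize").text = str(len(content))
    if default:
        ET.SubElement(fo, "hashdigest", type="sha1").text = sha1(content)

    for atype, aid, name, data in attrs:
        if name is None or atype not in CHILD_TAG:
            continue  # unnamed $DATA handled above; $BITMAP and the rest are not content
        child = ET.SubElement(fo, "{%s}%s" % (NTFS_NS, CHILD_TAG[atype]))
        ET.SubElement(child, "{%s}icat_id" % TSK_NS).text = icat_id(inode, atype, aid)
        ET.SubElement(ET.SubElement(child, "parent_object"), "inode").text = str(inode)
        ET.SubElement(child, "filename").text = name
        # <byte_runs> would be filled from the attribute's run list; omitted here.
        ET.SubElement(child, "hashdigest", type="sha1").text = sha1(data)
    return fo


def stream_digests(fo):
    """Map each child attribute's icat_id to its sha1 (for checking output)."""
    out = {}
    for child in fo:
        cid = child.find("{%s}icat_id" % TSK_NS)
        if cid is not None:
            out[cid.text] = child.find("hashdigest").text
    return out


# Constructed stand-in for $Secure's attributes: types, ids and names are
# the ones istat printed; the contents and sizes are made up.
SECURE_ATTRS = [
    (NTFS_DATA, 19, "$SDS", b"\x11" * 64),
    (NTFS_INDEX_ROOT, 16, "$SDH", b"\x22" * 56),
    (NTFS_INDEX_ROOT, 18, "$SII", b"\x33" * 56),
    (NTFS_INDEX_ALLOCATION, 20, "$SDH", b"\x44" * 4096),
    (NTFS_INDEX_ALLOCATION, 21, "$SII", b"\x55" * 4096),
    (NTFS_BITMAP, 22, "$SDH", b"\x00" * 16),
    (NTFS_BITMAP, 23, "$SII", b"\x00" * 8),
]

if __name__ == "__main__":
    fo = build_fileobject("$Secure", 9, SECURE_ATTRS)
    print(ET.tostring(fo, encoding="unicode"))
```

Run as a script it prints the fileobject for the constructed $Secure: <filesize>0</filesize>, no top-level hashdigest, one ntfs:nds child for 9-128-19 and four index children, and nothing for the two $BITMAP attributes. Feeding it an ordinary file with an unnamed $DATA plus a named stream gives the file's own digest at the top level and the named stream as a separate nds child, which is the behaviour fiwalk's hash callback needs to reproduce.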