Thread: [sleuthkit-users] NTFS, files with no permissions
From: <fu...@gm...> - 2005-06-24 13:12:17
Hi

Once more, I'm looking at an NTFS disk. When I mount the disk ro, I can see in a directory the file archive2005.pst with the following permissions:

    -r-------- 1 0 2005-06-06 08:30 archive2004.pst

So the file size is 0; the rest seems okay. But when I go to the directory in Autopsy, the file does not appear. What happened here? Any information I can provide you? I use Autopsy 2.05 and sleuthkit 2.01 on Debian Sarge.

The other issue is: I have a file which looks like the following when I do ls -l on the mounted disk:

    ?--------- 1 0 2002-04-21 11:46 54I70048.jpg

When I look in Autopsy, the file does not show up. If I try to copy the file from the mounted filesystem to somewhere, cp bothers me with "argument is illegal". So there is something wrong with this file, but I'm wondering why it's not shown in Autopsy?

Thank you for Autopsy and regards
Fuerst
From: Barry J. G. <bg...@im...> - 2005-06-24 13:42:09
On Fri, 2005-06-24 at 15:12 +0200, fu...@gm... wrote:

> Once more, I'm looking at an NTFS disk. When I mount the disk ro, I can see
> in a directory the file archive2005.pst with the following permissions:
>
> -r-------- 1 0 2005-06-06 08:30 archive2004.pst
>
> So the file size is 0; the rest seems okay. But when I go to the directory in
> Autopsy, the file does not appear. What happened here? Any information I
> can provide you? I use Autopsy 2.05 and sleuthkit 2.01 on Debian Sarge.

I have not seen this sort of thing before, so maybe someone with more experience can give you specific details, but until a better answer comes along, I'm curious:

What does the output of "stat" give you on the mounted disk for each of those files? Compare that to the output of istat (maybe with -b?). I'm wondering if the inode returned by stat will have any info that istat can see from the MFT. Do the $STANDARD_INFORMATION attributes match, and do the $FILE_NAME attributes match? Or does istat return the entry as unallocated?

It's possible that none of this will answer your question, and maybe someone else has a direct answer, but until then...

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
From: Brian C. <ca...@sl...> - 2005-06-26 18:34:46
Can you run 'ls -i' on these files to find the "inode" number and then run 'istat' on them? You can also run 'istat' by using the Metadata mode in Autopsy. Is this the same file system that you previously noted had some consistency issues? Did you ever run 'fsck' or similar to fix the problems?

brian

On Jun 24, 2005, at 8:12 AM, fu...@gm... wrote:

> Hi
>
> Once more, I'm looking at an NTFS disk. When I mount the disk ro, I can see
> in a directory the file archive2005.pst with the following permissions:
>
> -r-------- 1 0 2005-06-06 08:30 archive2004.pst
>
> So the file size is 0; the rest seems okay. But when I go to the directory in
> Autopsy, the file does not appear. What happened here? Any information I
> can provide you? I use Autopsy 2.05 and sleuthkit 2.01 on Debian Sarge.
>
> The other issue is: I have a file which looks like the following when I do
> ls -l on the mounted disk:
>
> ?--------- 1 0 2002-04-21 11:46 54I70048.jpg
>
> When I look in Autopsy, the file does not show up. If I try to copy the file
> from the mounted filesystem to somewhere, cp bothers me with "argument is
> illegal". So there is something wrong with this file, but I'm wondering why
> it's not shown in Autopsy?
From: <fu...@gm...> - 2005-07-01 08:47:03
I did istat on the inode:

    MFT Entry Header Values:
    Entry: 7084 Sequence: 14
    $LogFile Sequence Number: 1081760676
    Allocated File
    Links: 2

    $STANDARD_INFORMATION Attribute Values:
    Flags: Archive
    Owner ID: 0
    Security ID: 552
    Created: Tue May 10 19:05:09 2005
    File Modified: Mon Jun 6 08:46:06 2005
    MFT Modified: Mon Jun 6 08:46:06 2005
    Accessed: Mon Jun 6 17:59:50 2005

    $FILE_NAME Attribute Values:
    Flags: Archive
    Name: archive2005.pst
    Parent MFT Entry: 2907 Sequence: 1
    Allocated Size: 0 Actual Size: 0
    Created: Tue May 10 19:05:09 2005
    File Modified: Tue May 10 19:05:12 2005
    MFT Modified: Tue May 10 19:05:12 2005
    Accessed: Tue May 10 19:05:12 2005

    $ATTRIBUTE_LIST Attribute Values:
    Type: 16-0 MFT Entry: 7084 VCN: 0
    Type: 48-2 MFT Entry: 7084 VCN: 0
    Type: 48-3 MFT Entry: 7084 VCN: 0

    Attributes:
    Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
    Type: $ATTRIBUTE_LIST (32-5) Name: N/A Resident size: 96
    Type: $FILE_NAME (48-3) Name: N/A Resident size: 90
    Type: $FILE_NAME (48-2) Name: N/A Resident size: 96

So istat sees it. Hm. And yes, it is the same file system. Running fsck was not possible because I don't have a new Windows box here and fsck for NTFS under Linux does not exist, afaik. Btw, the disk is now in the laboratory, the file really has size 0, so the only issue is: why does Autopsy not list the file?
To compare, here is an istat output of a file in the same directory which is listed in Autopsy:

    MFT Entry Header Values:
    Entry: 2908 Sequence: 1
    $LogFile Sequence Number: 1160480335
    Allocated File
    Links: 2

    $STANDARD_INFORMATION Attribute Values:
    Flags: Archive
    Owner ID: 0
    Security ID: 622
    Created: Tue Oct 5 19:24:22 2004
    File Modified: Tue May 24 13:21:38 2005
    MFT Modified: Wed Jun 15 09:03:42 2005
    Accessed: Wed Jun 15 17:47:45 2005

    $FILE_NAME Attribute Values:
    Flags: Archive
    Name: archive2002.pst
    Parent MFT Entry: 2907 Sequence: 1
    Allocated Size: 0 Actual Size: 0
    Created: Tue Oct 5 19:24:22 2004
    File Modified: Tue Oct 5 19:24:22 2004
    MFT Modified: Tue Oct 5 19:24:22 2004
    Accessed: Tue Oct 5 19:24:22 2004

    Attributes:
    Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
    Type: $FILE_NAME (48-3) Name: N/A Resident size: 90
    Type: $FILE_NAME (48-2) Name: N/A Resident size: 96
    Type: $DATA (128-4) Name: $Data Non-Resident size: 693354496
    <snip>

thank you and regards
Fuerst

> --- Original Message ---
> From: Brian Carrier <ca...@sl...>
> To: fu...@gm...
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] NTFS, files with no permissions
> Date: Sun, 26 Jun 2005 13:34:27 -0500
>
> Can you run 'ls -i' on these files to find the "inode" number and then
> run 'istat' on them? You can also run 'istat' by using the Metadata
> mode in Autopsy. Is this the same file system that you previously
> noted had some consistency issues? Did you ever run 'fsck' or
> similar to fix the problems?
>
> brian
>
> On Jun 24, 2005, at 8:12 AM, fu...@gm... wrote:
>
> > Hi
> >
> > Once more, I'm looking at an NTFS disk. When I mount the disk ro, I can
> > see in a directory the file archive2005.pst with the following permissions:
> >
> > -r-------- 1 0 2005-06-06 08:30 archive2004.pst
> >
> > So the file size is 0; the rest seems okay. But when I go to the directory
> > in Autopsy, the file does not appear. What happened here? Any
> > information I can provide you? I use Autopsy 2.05 and sleuthkit 2.01 on
> > Debian Sarge.
> >
> > The other issue is: I have a file which looks like the following when I do
> > ls -l on the mounted disk:
> >
> > ?--------- 1 0 2002-04-21 11:46 54I70048.jpg
> >
> > When I look in Autopsy, the file does not show up. If I try to copy the
> > file from the mounted filesystem to somewhere, cp bothers me with "argument
> > is illegal". So there is something wrong with this file but I'm wondering
> > why it's not shown in Autopsy?
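Put side by side, the two istat reports above differ in the attribute table: entry 2908, which Autopsy lists, carries a $DATA attribute (128-4), while entry 7084, which it does not list, has only $STANDARD_INFORMATION, two $FILE_NAME attributes and an $ATTRIBUTE_LIST, and no $DATA at all. That comparison, plus the $STANDARD_INFORMATION versus $FILE_NAME check Barry asked about, is routine enough to script. The following is an added example, not code from this thread, from Autopsy or from The Sleuth Kit: a small parser for istat's text report that pulls out the header, the $SI and $FN timestamps and the attribute table, reports which attribute types one entry has that the other lacks, and raises two findings an examiner would want flagged: an allocated entry with no $DATA attribute, and a $SI creation time earlier than the $FN creation time (a stamp ordering that normal file operations do not produce, so worth a second look). The embedded input is the thread's own istat output, abbreviated to the fields the parser reads and reflowed one field per line; the function names and the finding codes are my own.

```python
import re
from datetime import datetime

# Constructed sample input: the two istat outputs quoted in the thread, abbreviated
# to the fields this parser reads and reflowed one field per line as istat prints them.
ISTAT_UNLISTED = """\
MFT Entry Header Values:
Entry: 7084 Sequence: 14
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Created: Tue May 10 19:05:09 2005
File Modified: Mon Jun  6 08:46:06 2005
Accessed: Mon Jun  6 17:59:50 2005

$FILE_NAME Attribute Values:
Name: archive2005.pst
Created: Tue May 10 19:05:09 2005
File Modified: Tue May 10 19:05:12 2005
Accessed: Tue May 10 19:05:12 2005

Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
Type: $ATTRIBUTE_LIST (32-5) Name: N/A Resident size: 96
Type: $FILE_NAME (48-3) Name: N/A Resident size: 90
Type: $FILE_NAME (48-2) Name: N/A Resident size: 96
"""
ISTAT_LISTED = """\
MFT Entry Header Values:
Entry: 2908 Sequence: 1
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Created: Tue Oct  5 19:24:22 2004
File Modified: Tue May 24 13:21:38 2005
Accessed: Wed Jun 15 17:47:45 2005

$FILE_NAME Attribute Values:
Name: archive2002.pst
Created: Tue Oct  5 19:24:22 2004
File Modified: Tue Oct  5 19:24:22 2004
Accessed: Tue Oct  5 19:24:22 2004

Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
Type: $FILE_NAME (48-3) Name: N/A Resident size: 90
Type: $FILE_NAME (48-2) Name: N/A Resident size: 96
Type: $DATA (128-4) Name: $Data Non-Resident size: 693354496
"""

# Whitespace-tolerant, since real istat output pads the columns with several spaces.
ATTR_RE = re.compile(r"^Type: (\$\w+) \((\d+)-(\d+)\)\s+Name: (\S+)\s+(Resident|Non-Resident)\s+size: (\d+)", re.M)
TIME_RE = re.compile(r"^(Created|File Modified|MFT Modified|Accessed): (.+)$", re.M)

def _times(section):
    # istat prints ctime()-style stamps with a space-padded day; collapse the padding first.
    return {k: datetime.strptime(" ".join(v.split()), "%a %b %d %H:%M:%S %Y")
            for k, v in TIME_RE.findall(section)}

def parse_istat(text):
    """Turn one istat report into a dict: header fields, $SI/$FN times, attribute table."""
    rec = {"entry": None, "sequence": None, "allocated": False, "si": {}, "fn": {}, "attributes": []}
    for section in re.split(r"\n\s*\n", text.strip()):
        head = section.splitlines()[0]
        if head.startswith("MFT Entry Header Values"):
            m = re.search(r"^Entry: (\d+)\s+Sequence: (\d+)", section, re.M)
            rec["entry"], rec["sequence"] = int(m.group(1)), int(m.group(2))
            rec["allocated"] = any(l.startswith("Allocated") for l in section.splitlines())
        elif head.startswith("$STANDARD_INFORMATION Attribute Values"):
            rec["si"] = _times(section)
        elif head.startswith("$FILE_NAME Attribute Values"):
            rec["fn"] = _times(section)
        elif head.startswith("Attributes:"):
            for name, typ, ident, stream, res, size in ATTR_RE.findall(section):
                rec["attributes"].append({"name": name, "type": int(typ), "id": int(ident),
                                          "stream": stream, "resident": res == "Resident",
                                          "size": int(size)})
    return rec

def attribute_types(rec):
    return {a["name"] for a in rec["attributes"]}

def missing_from(a, b):
    """Attribute types that entry b carries but entry a does not."""
    return attribute_types(b) - attribute_types(a)

def audit(rec):
    """Finding codes (my own labels) worth a second look on an allocated entry."""
    findings = []
    if rec["allocated"] and "$DATA" not in attribute_types(rec):
        findings.append("NO_DATA_ATTRIBUTE")  # no content stream at all, not merely size 0
    si_c, fn_c = rec["si"].get("Created"), rec["fn"].get("Created")
    if si_c and fn_c and si_c < fn_c:
        findings.append("SI_CREATED_BEFORE_FN_CREATED")  # $SI stamp older than the $FN stamp
    return findings

if __name__ == "__main__":
    u, l = parse_istat(ISTAT_UNLISTED), parse_istat(ISTAT_LISTED)
    print(u["entry"], audit(u), "lacks", missing_from(u, l), "vs", l["entry"], audit(l))
```

On the thread's data the parser reports that 7084 lacks $DATA relative to 2908 and that 2908 lacks $ATTRIBUTE_LIST relative to 7084; the $SI and $FN creation times agree for both entries, so only NO_DATA_ATTRIBUTE fires, and only for 7084. To use it on a live case, pipe `istat` output for each entry into parse_istat instead of the embedded strings.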