Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Investigate update sequence numbers #9

Closed
dkovar opened this issue Jul 10, 2013 · 1 comment
Closed

Investigate update sequence numbers #9

dkovar opened this issue Jul 10, 2013 · 1 comment
Assignees
@dkovar @rowingdude
Labels
enhancement question Standard_Addition

Comments

@dkovar
Copy link
Contributor

dkovar commented Jul 10, 2013

http://msdn.microsoft.com/en-us/library/bb470124(v=vs.85).aspx

Google MFT update sequence number
@ghost ghost assigned dkovar Jul 10, 2013
@ghost
Copy link

ghost commented Jul 22, 2013

Hope this helps:

Quick MFT Entry Structure from http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html.
entry_struct

The 'Offset to the update sequence' points to the array. The 'Number of entries in fixup array' tells you how many update values are replaced. The update sequence array (or fixup values) contains the replacement bytes for every 511th and 512th byte of the entry. The first two bytes of the array are the value of every 511th and 512th byte, every two bytes after that are the replacement values. This is used by Microsoft for error checking.

The following is an example where the entry (36 [offset 0x9000]) has a very long file name and where the second filename attribute exceeds the first 511 and 512th byte of the entry. Note that the name of the file is testfile_with_long_name_to_get_name_along_the_512th_byte_of_the_mft_entry_to_test_the_uptdate_sequence_array_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test.txt and that the update value replaces the 't' in to of the ‘…mft_entry_to_test_...’ part of the name.

entry_example

The following is how AnalyseMFT outputs the name:
testfile_with_long_name_to_get_name_along_the_512th_byte_of_the_mft_entry_0x02o_test_the_uptdate_sequence_array_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test.txt

Where the 0x02 is used to represent the unprintable update sequence value. This should be an easy fix. While I'm not to great at Python. It looks like you can update this at the following location in your code where you parse the mft record in mft.py:

def parse_record(raw_record, options):

    record = {}
    record['filename'] = ''
    record['notes'] = ''

    decodeMFTHeader(record, raw_record);

    record_number = record['recordnum']

    if options.debug:
        print '-->Record number: %d\n\tMagic: %s Attribute offset: %d Flags: %s Size:%d' % (record_number, record['magic'],
            record['attr_off'], hex(int(record['flags'])), record['size'])

You could create another function here that would replace every 511th and 512th byte of the raw_record with the update sequence replacement values.

@rowingdude rowingdude self-assigned this Aug 1, 2024
rowingdude added a commit that referenced this issue Sep 4, 2024
@rowingdude
Adds body file, timeline, l2t back. Closes Files not marked as delete…
cef6594 
…d in bodyfile output #33 Data run calculations are wrong? #21 Investigate update sequence numbers #9 Datarun oddity #16 Additional rules #46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dkovar dkovar

@rowingdude rowingdude

Labels
enhancement question Standard_Addition
Projects
AnalyzeMFT
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dkovar @rowingdude