ntfs-forensic 0.2.0

Forensic-grade, from-scratch NTFS filesystem reader — MFT, attributes, indexes, data runs, and deleted/slack/anti-forensic recovery over any Read + Seek source
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

//! `$ATTRIBUTE_LIST` (type `0x20`) — present when a file's attributes don't fit
//! in one MFT record. Each entry points at the extension record (a file
//! reference) holding one of the file's attributes, with its type, starting
//! VCN, id, and name. Following these references is how a heavily-fragmented
//! file's attributes are gathered.

use forensicnomicon::ntfs::attribute_type_name;

use crate::error::{NtfsError, Result};
use crate::file_name::FileReference;

/// Fixed size of an entry header (through the attribute id; name follows).
const ENTRY_MIN: usize = 0x1A;
/// Loop cap on entries.
const MAX_ENTRIES: usize = 1 << 20;

/// One `$ATTRIBUTE_LIST` entry.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AttributeListEntry {
    /// Attribute type code.
    pub type_code: u32,
    /// Starting VCN of this attribute's portion.
    pub start_vcn: u64,
    /// Reference to the MFT record that holds the attribute.
    pub base_reference: FileReference,
    /// Attribute id.
    pub attribute_id: u16,
    /// Attribute name, or `None` if unnamed.
    pub name: Option<String>,
}

impl AttributeListEntry {
    /// Canonical `$NAME` of this entry's attribute type, if known.
    #[must_use]
    pub fn type_name(&self) -> Option<&'static str> {
        attribute_type_name(self.type_code)
    }
}

/// Parse an `$ATTRIBUTE_LIST` value into its entries.
///
/// # Errors
///
/// [`NtfsError::BadAttributeList`] for an undersized entry, an entry past the
/// content, or a name out of bounds.
pub fn parse(content: &[u8]) -> Result<Vec<AttributeListEntry>> {
    let mut entries = Vec::new();
    let mut pos = 0;

    for _ in 0..MAX_ENTRIES {
        if pos + ENTRY_MIN > content.len() {
            break;
        }
        let entry_length =
            u16::from_le_bytes(content[pos + 0x04..pos + 0x06].try_into().unwrap()) as usize;
        if entry_length < ENTRY_MIN {
            return Err(NtfsError::BadAttributeList("entry length below minimum"));
        }
        let entry_end = pos
            .checked_add(entry_length)
            .ok_or(NtfsError::BadAttributeList("entry length overflow"))?;
        if entry_end > content.len() {
            return Err(NtfsError::BadAttributeList("entry extends past content"));
        }

        let type_code = u32::from_le_bytes(content[pos..pos + 4].try_into().unwrap());
        let name_length = content[pos + 0x06] as usize;
        let name_offset = content[pos + 0x07] as usize;
        let start_vcn = u64::from_le_bytes(content[pos + 0x08..pos + 0x10].try_into().unwrap());
        let base_reference = FileReference::from_u64(u64::from_le_bytes(
            content[pos + 0x10..pos + 0x18].try_into().unwrap(),
        ));
        let attribute_id = u16::from_le_bytes(content[pos + 0x18..pos + 0x1A].try_into().unwrap());

        let name = if name_length == 0 {
            None
        } else {
            let n_start = pos
                .checked_add(name_offset)
                .ok_or(NtfsError::BadAttributeList("name offset overflow"))?;
            let n_end = n_start
                .checked_add(name_length * 2)
                .ok_or(NtfsError::BadAttributeList("name length overflow"))?;
            if n_end > entry_end {
                return Err(NtfsError::BadAttributeList("name extends past entry"));
            }
            let units: Vec<u16> = content[n_start..n_end]
                .chunks_exact(2)
                .map(|c| u16::from_le_bytes([c[0], c[1]]))
                .collect();
            Some(
                char::decode_utf16(units)
                    .map(|r| r.unwrap_or('\u{FFFD}'))
                    .collect(),
            )
        };

        entries.push(AttributeListEntry {
            type_code,
            start_vcn,
            base_reference,
            attribute_id,
            name,
        });
        pos = entry_end;
    }

    Ok(entries)
}

#[cfg(test)]
mod tests {
    use super::*;
    use forensicnomicon::ntfs::attr_types;

    fn entry(type_code: u32, start_vcn: u64, base_record: u64, name: Option<&str>) -> Vec<u8> {
        let name_u: Vec<u16> = name.map(|n| n.encode_utf16().collect()).unwrap_or_default();
        let name_off = ENTRY_MIN;
        let len = (name_off + name_u.len() * 2 + 7) & !7;
        let mut e = vec![0u8; len];
        e[0x00..0x04].copy_from_slice(&type_code.to_le_bytes());
        e[0x04..0x06].copy_from_slice(&(len as u16).to_le_bytes());
        e[0x06] = name_u.len() as u8;
        e[0x07] = name_off as u8;
        e[0x08..0x10].copy_from_slice(&start_vcn.to_le_bytes());
        let base_ref = (1u64 << 48) | base_record;
        e[0x10..0x18].copy_from_slice(&base_ref.to_le_bytes());
        e[0x18..0x1A].copy_from_slice(&3u16.to_le_bytes());
        for (i, u) in name_u.iter().enumerate() {
            e[name_off + i * 2..name_off + i * 2 + 2].copy_from_slice(&u.to_le_bytes());
        }
        e
    }

    #[test]
    fn parses_entries_pointing_to_extension_records() {
        let content = [
            entry(attr_types::STANDARD_INFORMATION, 0, 5, None),
            entry(attr_types::DATA, 0, 9, None),
        ]
        .concat();
        let es = parse(&content).unwrap();
        assert_eq!(es.len(), 2);
        assert_eq!(es[0].type_code, attr_types::STANDARD_INFORMATION);
        assert_eq!(es[0].base_reference.record_number, 5);
        assert_eq!(es[1].type_code, attr_types::DATA);
        assert_eq!(es[1].base_reference.record_number, 9);
        assert_eq!(es[1].type_name(), Some("$DATA"));
    }

    #[test]
    fn decodes_named_entry() {
        let content = entry(attr_types::DATA, 7, 12, Some("stream"));
        let es = parse(&content).unwrap();
        assert_eq!(es[0].name.as_deref(), Some("stream"));
        assert_eq!(es[0].start_vcn, 7);
    }

    #[test]
    fn rejects_undersized_entry() {
        let mut content = vec![0u8; 0x20];
        content[0x04..0x06].copy_from_slice(&4u16.to_le_bytes()); // < ENTRY_MIN
        assert!(matches!(
            parse(&content),
            Err(NtfsError::BadAttributeList(_))
        ));
    }

    #[test]
    fn rejects_name_extending_past_entry() {
        // entry_length leaves no room for the declared name.
        let mut content = vec![0u8; ENTRY_MIN];
        content[0x04..0x06].copy_from_slice(&(ENTRY_MIN as u16).to_le_bytes());
        content[0x06] = 4; // name_length = 4 chars (8 bytes)
        content[0x07] = ENTRY_MIN as u8; // name_offset at the very end
        assert!(matches!(
            parse(&content),
            Err(NtfsError::BadAttributeList(d)) if d == "name extends past entry"
        ));
    }

    #[test]
    fn rejects_entry_past_content() {
        let mut content = vec![0u8; 0x20];
        content[0x04..0x06].copy_from_slice(&0x100u16.to_le_bytes());
        assert!(matches!(
            parse(&content),
            Err(NtfsError::BadAttributeList(_))
        ));
    }
}