
Re: [win4n6] Re: $I30 files

  • Sérgio
    Message 1 of 18 , Jun 19, 2010

      This link may be useful: http://blogs.msdn.com/b/ntdebugging/archive/2008/10/31/ntfs-misreporting-free-space-part-2.aspx

      Sergio

      From: keydet89
      Sent: Friday, June 11, 2010 7:15 PM
      Subject: [win4n6] Re: $I30 files

      > If I recall correctly, the bytes of the fixup array need to be applied at
      > each 512 bytes boundary. NTFS replaces the last byte of each 512 bytes block
      > with a "magic" byte and stores the replaced byte in the fixup array. You need
      > to do the reverse operation when loading/reading the $I30 file.

      I'll have to noodle this through and add it as a check to the script.

      As of now, I'm able to parse through the file, find each record and parse out the $FILENAME attribute, including the file name and time stamps. I'm not yet doing a check for the last record...but I do have things working.

      I have had a couple of cases where something like this would have been very useful.

      Thanks.
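      The fixup reversal described in the quoted text, as an added example that is not code from this thread or from any poster's parser. It assumes the standard INDX record header layout (b'INDX' magic at offset 0, fixup array offset at 0x04, entry count at 0x06) with a 2-byte update sequence number written over the last two bytes of every 512-byte sector, and round-trips a constructed two-sector record rather than data from a real volume.

```python
import struct

SECTOR = 512


def apply_fixups(record: bytes) -> bytes:
    """Undo NTFS update-sequence fixups on one INDX record (assumed layout:
    b'INDX' magic, fixup array offset at 0x04, entry count at 0x06). Entry 0
    of the array is the update sequence number (USN); each following entry
    holds the original last two bytes of one 512-byte sector, which on disk
    were overwritten with the USN."""
    if record[:4] != b"INDX":
        raise ValueError("not an INDX record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    sectors = usa_count - 1
    if len(record) < sectors * SECTOR:
        raise ValueError("record shorter than its fixup array implies")
    usn = record[usa_off:usa_off + 2]
    fixed = bytearray(record)
    for i in range(sectors):
        end = (i + 1) * SECTOR
        if fixed[end - 2:end] != usn:
            # Sector end does not carry the header's USN: the record was only
            # partially written (torn write), so its contents are suspect.
            raise ValueError(f"fixup mismatch in sector {i}")
        entry = usa_off + 2 + 2 * i
        fixed[end - 2:end] = record[entry:entry + 2]
    return bytes(fixed)


def make_sample_record() -> tuple[bytes, bytes]:
    """Constructed sample data (not from a real volume): returns the logical
    two-sector INDX record and its on-disk form with fixups applied."""
    usa_off, usn, sectors = 0x28, b"\x05\x00", 2
    logical = bytearray(sectors * SECTOR)
    logical[0:4] = b"INDX"
    struct.pack_into("<HH", logical, 4, usa_off, sectors + 1)
    for i in range(0x40, len(logical)):      # recognisable filler pattern
        logical[i] = (i * 7) & 0xFF
    disk = bytearray(logical)
    logical[usa_off:usa_off + 2] = disk[usa_off:usa_off + 2] = usn
    for i in range(sectors):
        end, entry = (i + 1) * SECTOR, usa_off + 2 + 2 * i
        saved = bytes(logical[end - 2:end])
        logical[entry:entry + 2] = disk[entry:entry + 2] = saved
        disk[end - 2:end] = usn               # what NTFS writes to disk
    return bytes(logical), bytes(disk)
```

      A mismatched USN is reported rather than silently patched, since a torn record is exactly the case where carved filenames and timestamps should be treated with suspicion.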

    • keydet89
      Message 2 of 18 , Jun 23, 2010

        Thanks for all the responses I got in this thread. Using Brian's book, I wrote a parser for the $I30 files...mostly by starting on pg 371, and jumping back to pg 362 for specifics on the $FILE_NAME attr structure.

        As a side note, I was asked to assist in parsing an $I30 file for which the index record header indicated that there were no records in the file, but we could see filenames, etc. I modified the parser to address the issue and pulled out filenames, sizes, and MACB times...which were very valuable to the analyst.

        Thanks!
      • Jean-Francois Gingras
        Message 3 of 18 , Jun 23, 2010

          Nice to hear you worked it out.
          Unallocated entries in the $I30 are quite useful. I use the following technique to retrieve those entries:

          1- look for what could be a filename in unallocated space of the idx record
          2- work backward to rebuild:
               a- the $FILE_NAME (what's left of it)
               b- the idx entry (not that useful in general, for me anyway)

          Sent from my iPhone

          On 2010-06-23 at 11:05, keydet89 <keydet89@...> wrote:

          > Thanks for all the responses I got in this thread. Using Brian's book, I wrote a parser for the $I30 files...mostly by starting on pg 371, and jumping back to pg 362 for specifics on the $FILE_NAME attr structure.
          >
          > As a side note, I was asked to assist in parsing an $I30 file for which the index record header indicated that there were no records in the file, but we could see filenames, etc. I modified the parser to address the issue and pulled out filenames, sizes, and MACB times...which were very valuable to the analyst.
          >
          > Thanks!
