1 /*
2
3 File: file_mft.c
4
5 Copyright (C) 2012 Christophe GRENIER <grenier@cgsecurity.org>
6
7 This software is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License along
18 with this program; if not, write the Free Software Foundation, Inc., 51
19 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26 #ifdef HAVE_STRING_H
27 #include <string.h>
28 #endif
29 #include <stdio.h>
30 #include "types.h"
31 #include "filegen.h"
32 #include "common.h"
33 #include "ntfs.h"
34
35 static void register_header_check_mft(file_stat_t *file_stat);
36 static int header_check_mft(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new);
37
38 const file_hint_t file_hint_mft= {
39 .extension="mft",
40 .description="NTFS MFT record",
41 .max_filesize=PHOTOREC_MAX_FILE_SIZE,
42 .recover=0,
43 .enable_by_default=1,
44 .register_header_check=®ister_header_check_mft
45 };
46
file_rename_mft(file_recovery_t * file_recovery)47 static void file_rename_mft(file_recovery_t *file_recovery)
48 {
49 unsigned char buffer[512];
50 char buffer_cluster[32];
51 FILE *file;
52 int buffer_size;
53 const struct ntfs_mft_record *record=(const struct ntfs_mft_record *)&buffer;
54 if((file=fopen(file_recovery->filename, "rb"))==NULL)
55 return;
56 buffer_size=fread(buffer, 1, sizeof(buffer), file);
57 fclose(file);
58 if(buffer_size<54)
59 return;
60 sprintf(buffer_cluster, "record_%u", (unsigned int)le32(record->mft_record_number));
61 file_rename(file_recovery, buffer_cluster, strlen(buffer_cluster), 0, NULL, 1);
62 }
63
header_check_mft(const unsigned char * buffer,const unsigned int buffer_size,const unsigned int safe_header_only,const file_recovery_t * file_recovery,file_recovery_t * file_recovery_new)64 static int header_check_mft(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
65 {
66 const struct ntfs_mft_record *mft_rec=(const struct ntfs_mft_record *)buffer;
67 const unsigned int usa_ofs = le16(mft_rec->usa_ofs);
68 const unsigned int usa_count = le16(mft_rec->usa_count);
69 const unsigned int attrs_offset = le16(mft_rec->attrs_offset);
70 const unsigned int bytes_in_use = le32(mft_rec->bytes_in_use);
71 const unsigned int bytes_allocated = le32(mft_rec->bytes_allocated);
72 if(!(memcmp(buffer,"FILE",4)==0 &&
73 usa_ofs+usa_count <= attrs_offset &&
74 42 <= attrs_offset &&
75 attrs_offset%8==0 &&
76 attrs_offset < bytes_in_use &&
77 bytes_in_use <= bytes_allocated))
78 return 0;
79 reset_file_recovery(file_recovery_new);
80 file_recovery_new->extension=file_hint_mft.extension;
81 file_recovery_new->calculated_file_size=bytes_allocated;
82 file_recovery_new->data_check=&data_check_size;
83 file_recovery_new->file_check=&file_check_size;
84 file_recovery_new->file_rename=&file_rename_mft;
85 return 1;
86 }
87
register_header_check_mft(file_stat_t * file_stat)88 static void register_header_check_mft(file_stat_t *file_stat)
89 {
90 register_header_check(0, "FILE", 4, &header_check_mft, file_stat);
91 }
92