1 /* 2 ** The Sleuth Kit 3 ** 4 ** Brian Carrier [carrier <at> sleuthkit [dot] org] 5 ** Copyright (c) 2003-2011 Brian Carrier. All rights reserved 6 ** 7 ** TASK 8 ** Copyright (c) 2002 @stake Inc. All rights reserved 9 ** 10 ** This software is distributed under the Common Public License 1.0 11 */ 12 13 /* 14 * Contains the structures and function APIs for NTFS file system support. 15 */ 16 17 18 #ifndef _TSK_NTFS_H 19 #define _TSK_NTFS_H 20 21 #ifdef __cplusplus 22 extern "C" { 23 #endif 24 25 26 // the SID code has been buggy on some systems and byitself it does 27 // not provide much security info. It is being disabled until fixed. 28 #define TSK_USE_SID 1 29 30 //#define NTFS_FS_MAGIC 0x5346544E /* "NTFS" in little endian */ 31 #define NTFS_FS_MAGIC 0xAA55 32 33 #define NTFS_MAXNAMLEN 256 34 #define NTFS_MAXNAMLEN_UTF8 4 * NTFS_MAXNAMLEN 35 36 /* location of the Root Directory inode */ 37 #define NTFS_ROOTINO NTFS_MFT_ROOT 38 #define NTFS_FIRSTINO 0 /* location of the $Mft Record */ 39 #define NTFS_LAST_DEFAULT_INO 16 /* A guess for right now */ 40 41 #define NTFS_FILE_CONTENT_LEN 0 42 43 /* uncompression values */ 44 #define NTFS_TOKEN_MASK 1 45 #define NTFS_SYMBOL_TOKEN 0 46 #define NTFS_TOKEN_LENGTH 8 47 /* (64 * 1024) = 65536 */ 48 #define NTFS_MAX_UNCOMPRESSION_BUFFER_SIZE 65536 49 50 #define NTFS_UPDATE_SEQ_STRIDE 512 51 52 53 54 /************************************************************************ 55 * Update sequence structure. This is located at upd_off from the 56 * beginning of the original structure 57 */ 58 typedef struct { 59 uint8_t upd_val[2]; // what they should be 60 uint8_t upd_seq; // array of size 2*(upd_cnt-1) w/orig vals 61 } ntfs_upd; 62 63 64 /************************************************************************ 65 * bootsector 66 * 67 * located in sector 0 in $Boot 68 */ 69 typedef struct { 70 uint8_t f1[3]; // 0 71 char oemname[8]; // 3 72 uint8_t ssize[2]; // 11 /* sector size in bytes */ 73 uint8_t csize; // 13 /* sectors per cluster */ 74 uint8_t f2[26]; // 14 75 uint8_t vol_size_s[8]; // 40 /*size of volume in sectors */ 76 uint8_t mft_clust[8]; // 48 /* location of MFT */ 77 uint8_t mftm_clust[8]; // 56 /* location of MFT mirror */ 78 int8_t mft_rsize_c; // 64 /* number of clusters per mft record */ 79 uint8_t f3[3]; 80 int8_t idx_rsize_c; // 68 /* number of clus per idx rec */ 81 uint8_t f4[3]; 82 uint8_t serial[8]; // 72 /* serial number */ 83 uint8_t f5[430]; //80 84 uint8_t magic[2]; 85 } ntfs_sb; 86 87 88 89 /************************************************************************ 90 * MFT Entry 91 * 92 * One entry in the MFT - there exists one for each file 93 */ 94 typedef struct { 95 uint8_t magic[4]; 96 uint8_t upd_off[2]; // 4 97 uint8_t upd_cnt[2]; // 6 size+1 98 uint8_t lsn[8]; // 8 $LogFile Sequence Number 99 uint8_t seq[2]; // 16 100 uint8_t link[2]; // 18 101 uint8_t attr_off[2]; // 20 102 uint8_t flags[2]; // 22 103 uint8_t size[4]; // 24 104 uint8_t alloc_size[4]; //28 105 uint8_t base_ref[6]; // 32 106 uint8_t base_seq[2]; // 38 107 uint8_t next_attrid[2]; // 40 The next id to be assigned 108 uint8_t f1[2]; // XP Only 109 uint8_t entry[4]; // XP Only - Number of this entry 110 } ntfs_mft; 111 112 /* Magic values for each MFT entry */ 113 #define NTFS_MFT_MAGIC 0x454c4946 114 #define NTFS_MFT_MAGIC_BAAD 0x44414142 115 #define NTFS_MFT_MAGIC_ZERO 0x00000000 116 117 /* MFT entry flags */ 118 #define NTFS_MFT_INUSE 0x0001 119 #define NTFS_MFT_DIR 0x0002 120 121 /* flags for file_ref */ 122 #define NTFS_MFT_BASE 0 /* set when the base file record */ 123 /* Mask when not zero, which indicates the base file record */ 124 #define NTFS_MFT_FILE_REC 0x00ffffffffffffff 125 126 /* DEFINED MFT entries - file system metadata files */ 127 #define NTFS_MFT_MFT 0x0 128 #define NTFS_MFT_MFTMIR 0x1 129 #define NTFS_MFT_LOG 0x2 130 #define NTFS_MFT_VOL 0x3 131 #define NTFS_MFT_ATTR 0x4 132 #define NTFS_MFT_ROOT 0x5 133 #define NTFS_MFT_BMAP 0x6 134 #define NTFS_MFT_BOOT 0x7 135 #define NTFS_MFT_BAD 0x8 136 //#define NTFS_MFT_QUOT 0x9 137 #define NTFS_MFT_SECURE 0x9 138 #define NTFS_MFT_UPCASE 0xA 139 140 141 142 /************************************************************************ 143 * Attribute Header for resident and non-resident attributes 144 */ 145 typedef struct { 146 uint8_t type[4]; 147 uint8_t len[4]; // 4 - length including header 148 uint8_t res; // 8 - resident flag 149 uint8_t nlen; // 9 - name length 150 uint8_t name_off[2]; // 10 - offset to name 151 uint8_t flags[2]; // 12 152 uint8_t id[2]; // 14 - unique identifier 153 154 union { 155 /* Resident Values */ 156 struct { 157 uint8_t ssize[4]; // 16 - size of content 158 uint8_t soff[2]; // 20 - offset to content (after name) 159 uint8_t idxflag[2]; // 22 - indexed flag 160 } r; 161 /* Non-resident Values */ 162 struct { 163 uint8_t start_vcn[8]; // 16 - starting VCN of this attribute 164 uint8_t last_vcn[8]; // 24 165 uint8_t run_off[2]; // 32 - offset to the data runs (after name) 166 uint8_t compusize[2]; // 34 - compression unit size (2^x) 167 uint8_t f1[4]; // 36 168 uint8_t alen[8]; // 40 allocated size of stream 169 uint8_t ssize[8]; // 48 actual size of stream 170 uint8_t initsize[8]; // 56 initialized steam size 171 } nr; 172 } c; 173 } ntfs_attr; 174 175 /* values for the res field */ 176 #define NTFS_MFT_RES 0 /* resident */ 177 #define NTFS_MFT_NONRES 1 /* non-resident */ 178 179 180 /* Values for flag field 181 * should only exist for $DATA attributes */ 182 #define NTFS_ATTR_FLAG_COMP 0x0001 /* compressed */ 183 #define NTFS_ATTR_FLAG_ENC 0x4000 /* encrypted */ 184 #define NTFS_ATTR_FLAG_SPAR 0x8000 /* sparse */ 185 186 187 188 /* values for the type field */ 189 /* NOTE that the default TSK attribute types are based on these. 190 * Any changes to these should be merged with the defines in tsk_fs.h */ 191 #define NTFS_ATYPE_SI 0x10 // 16 192 #define NTFS_ATYPE_ATTRLIST 0x20 // 32 193 #define NTFS_ATYPE_FNAME 0x30 // 48 194 #define NTFS_ATYPE_VVER 0x40 // 64 (NT) 195 #define NTFS_ATYPE_OBJID 0x40 // 64 (2K) 196 #define NTFS_ATYPE_SEC 0x50 // 80 197 #define NTFS_ATYPE_VNAME 0x60 // 96 198 #define NTFS_ATYPE_VINFO 0x70 // 112 199 #define NTFS_ATYPE_DATA 0x80 // 128 200 #define NTFS_ATYPE_IDXROOT 0x90 // 144 201 #define NTFS_ATYPE_IDXALLOC 0xA0 // 160 202 #define NTFS_ATYPE_BITMAP 0xB0 // 176 203 #define NTFS_ATYPE_SYMLNK 0xC0 // 192 (NT) 204 #define NTFS_ATYPE_REPARSE 0xC0 // 192 (2K) 205 #define NTFS_ATYPE_EAINFO 0xD0 // 208 206 #define NTFS_ATYPE_EA 0xE0 // 224 207 #define NTFS_ATYPE_PROP 0xF0 // (NT) 208 #define NTFS_ATYPE_LOG 0x100 // (2K) 209 210 211 212 213 /************************************************************************ 214 * File Name Attribute 215 */ 216 typedef struct { 217 uint8_t par_ref[6]; /* file reference to base File Record of parent */ 218 uint8_t par_seq[2]; /* seq num to base File Record of parent */ 219 uint8_t crtime[8]; /* file creation */ 220 uint8_t mtime[8]; /* file altered */ 221 uint8_t ctime[8]; /* mod time for FILE record (MFT Entry) */ 222 uint8_t atime[8]; /* access time */ 223 uint8_t alloc_fsize[8]; 224 uint8_t real_fsize[8]; 225 uint8_t flags[8]; 226 uint8_t nlen; /* length of file name */ 227 uint8_t nspace; 228 uint8_t name; /* in unicode */ 229 } ntfs_attr_fname; 230 231 /* values for the flags field of attr_fname */ 232 #define NTFS_FNAME_FLAGS_RO 0x0000000000000001 233 #define NTFS_FNAME_FLAGS_HID 0x0000000000000002 234 #define NTFS_FNAME_FLAGS_SYS 0x0000000000000004 235 #define NTFS_FNAME_FLAGS_ARCH 0x0000000000000020 236 #define NTFS_FNAME_FLAGS_DEV 0x0000000000000040 237 #define NTFS_FNAME_FLAGS_NORM 0x0000000000000080 238 #define NTFS_FNAME_FLAGS_TEMP 0x0000000000000100 239 #define NTFS_FNAME_FLAGS_SPAR 0x0000000000000200 240 #define NTFS_FNAME_FLAGS_REP 0x0000000000000400 241 #define NTFS_FNAME_FLAGS_COMP 0x0000000000000800 242 #define NTFS_FNAME_FLAGS_OFF 0x0000000000001000 243 #define NTFS_FNAME_FLAGS_NOIDX 0x0000000000002000 244 #define NTFS_FNAME_FLAGS_ENC 0x0000000000004000 245 #define NTFS_FNAME_FLAGS_DIR 0x0000000010000000 246 #define NTFS_FNAME_FLAGS_IDXVIEW 0x0000000020000000 247 248 249 /* values for the name space values of nspace */ 250 #define NTFS_FNAME_POSIX 0 /* case sensitive and any but NULL and \ */ 251 #define NTFS_FNAME_WIN32 1 // insensitive and restricted 252 #define NTFS_FNAME_DOS 2 // 8.3 format of 8-bit chars in uppercase 253 #define NTFS_FNAME_WINDOS 3 // name in WIN32 space that is already DOS 254 255 256 257 258 /************************************************************************ 259 * Standard Information Attribute 260 */ 261 typedef struct { 262 uint8_t crtime[8]; /* creation date */ 263 uint8_t mtime[8]; /* file altered */ 264 uint8_t ctime[8]; /* MFT Changed */ 265 uint8_t atime[8]; /* last access (read) */ 266 uint8_t dos[4]; /* permissions in DOS Format */ 267 uint8_t maxver[4]; 268 uint8_t ver[4]; 269 uint8_t class_id[4]; 270 uint8_t own_id[4]; 271 uint8_t sec_id[4]; 272 uint8_t quota[8]; 273 uint8_t usn[8]; 274 } ntfs_attr_si; 275 276 277 /* DOS Flags values */ 278 #define NTFS_SI_RO 0x0001 279 #define NTFS_SI_HID 0x0002 280 #define NTFS_SI_SYS 0x0004 281 #define NTFS_SI_ARCH 0x0020 282 #define NTFS_SI_DEV 0x0040 283 #define NTFS_SI_NORM 0x0080 284 #define NTFS_SI_TEMP 0x0100 285 #define NTFS_SI_SPAR 0x0200 286 #define NTFS_SI_REP 0x0400 287 #define NTFS_SI_COMP 0x0800 288 #define NTFS_SI_OFF 0x1000 289 #define NTFS_SI_NOIDX 0x2000 290 #define NTFS_SI_ENC 0x4000 291 292 293 294 /************************************************************************ 295 * Volume Info Attribute 296 */ 297 typedef struct { 298 uint8_t f1[8]; 299 uint8_t maj_ver; 300 uint8_t min_ver; 301 uint8_t flags[2]; 302 uint8_t f2[4]; 303 } ntfs_attr_vinfo; 304 305 #define NTFS_VINFO_DIRTY 0x0001 // Dirty 306 #define NTFS_VINFO_RESLOG 0x0002 // Resize LogFile 307 #define NTFS_VINFO_UPGRAD 0x0004 // Upgrade on Mount 308 #define NTFS_VINFO_MNTNT4 0x0008 // Mounted on NT4 309 #define NTFS_VINFO_DELUSN 0x0010 // Delete USN Underway 310 #define NTFS_VINFO_REPOBJ 0x0020 // Repair Object Ids 311 #define NTFS_VINFO_MODCHK 0x8000 // Modified by chkdsk 312 313 /* versions 314 * NT = Maj=1 Min=2 315 * 2k = Maj=3 Min=0 316 * xp = Maj=3 Min=1 317 */ 318 319 #define NTFS_VINFO_NT 0x21 320 #define NTFS_VINFO_2K 0x03 321 #define NTFS_VINFO_XP 0x13 322 323 324 325 326 /************************************************************************ 327 * attribute list 328 */ 329 typedef struct { 330 uint8_t type[4]; // Attribute Type 331 uint8_t len[2]; // length of entry 332 uint8_t nlen; // number of chars in name 333 uint8_t f1; // 7 334 uint8_t start_vcn[8]; // starting VCN or NTFS_ATTRL_RES 335 uint8_t file_ref[6]; // file reference to new MFT entry 336 uint8_t seq[2]; // 22 337 uint8_t id[2]; // id (also in the attribute header) 338 uint8_t name; // 26 name in unicode 339 } ntfs_attrlist; 340 341 #define NTFS_ATTRL_RES 0 342 343 344 345 346 /************************************************************************ 347 * runlist 348 * 349 * Used to store the non-resident runs for an attribute. 350 * It is located in the MFT and pointed to by the run_off in the header 351 */ 352 353 typedef struct { 354 /* lsb 4 bits: num of bytes in run length field 355 * msb 4 bits: num of bytes in run offset field - (LCN) 356 */ 357 uint8_t len; 358 uint8_t buf[32]; 359 } ntfs_runlist; 360 361 #define NTFS_RUNL_LENSZ(runl) \ 362 (uint8_t)(runl->len & 0x0f) 363 364 #define NTFS_RUNL_OFFSZ(runl) \ 365 (uint8_t)((runl->len & 0xf0) >> 4) 366 367 368 /************************************************************************ 369 * Index root for directories 370 * 371 * the attribute has two parts. The header is general to all index entries 372 * and applies to $IDX_ALLOC as well. The buffer part contains the 373 * index entries that are allocated to $IDX_ROOT. 374 * 375 */ 376 377 /* 378 * Starting at begin_off is a stream of ntfs_idxentry structures 379 * All offsets are relative to start of the ntfs_idxelist structure 380 */ 381 typedef struct { 382 uint8_t begin_off[4]; /* offset to start of seq of idx entries */ 383 uint8_t seqend_off[4]; /* offset to end of seq of idx entries */ 384 uint8_t bufend_off[4]; /* offset to end of idx buffer */ 385 uint8_t flags[4]; 386 } ntfs_idxelist; 387 388 /* value for flags */ 389 #define NTFS_IDXELIST_CHILD 0x1 /* children exist below this node */ 390 391 392 393 /* This is general index information and applies to $IDX_ALLOC as well */ 394 typedef struct { 395 uint8_t type[4]; /* ATYPE that tree is sorted by */ 396 uint8_t collation_rule[4]; 397 uint8_t idxalloc_size_b[4]; /* index alloc size in bytes */ 398 uint8_t idx_size_c; /* index alloc size in clusters */ 399 uint8_t pad[3]; 400 ntfs_idxelist list; 401 } ntfs_idxroot; 402 403 404 405 /************************************************************************ 406 * idxrec 407 * 408 * this is structure for the nodes of the B+ index trees 409 * It contains a list of index entry data structures. Each 410 * buffer corresponds to one node. The $IDX_ALLOC attribute 411 * is an array of these data structures 412 */ 413 414 415 typedef struct { 416 uint8_t magic[4]; /* INDX */ 417 uint8_t upd_off[2]; 418 uint8_t upd_cnt[2]; /* size + 1 */ 419 uint8_t lsn[8]; /* $LogFile Sequence Number */ 420 uint8_t idx_vcn[8]; /* vcn in idx alloc attr */ 421 ntfs_idxelist list; 422 } ntfs_idxrec; 423 424 425 #define NTFS_IDXREC_MAGIC 0x58444e49 /* INDX */ 426 427 428 429 /************************************************************************ 430 * This structure exists for each file and directory in the tree */ 431 typedef struct { 432 uint8_t file_ref[6]; /* file reference (invalid for last entry) */ 433 uint8_t seq_num[2]; /* file reference (invalid for last entry) */ 434 uint8_t idxlen[2]; /* length of the index entry */ 435 uint8_t strlen[2]; /* length of stream */ 436 uint8_t flags; 437 uint8_t f1[3]; 438 uint8_t stream; /* length of strlen - invalid for last entry */ 439 /* loc of subnode is found in last 8-bytes 440 * of idx entry (idxlen - 8). use macro 441 */ 442 } ntfs_idxentry; 443 444 #define NTFS_IDX_SUB 0x01 /* Entry points to a sub-node */ 445 #define NTFS_IDX_LAST 0x02 /* last indx entry in the node */ 446 447 /* return the address of the subnode entry, it is located in the last 448 * 8 bytes of the structure 449 */ 450 #define GET_IDXENTRY_SUB(fs, e) \ 451 (tsk_getu64(fs->endian, (int)e + tsk_getu16(fs->endian, e->idxlen) - 8)) 452 453 454 455 /************************************************************************ 456 */ 457 458 typedef struct { 459 char label[128]; /* label in unicode */ 460 uint8_t type[4]; 461 uint8_t disp[4]; /* display rule */ 462 uint8_t coll[4]; /* collation rule */ 463 uint8_t flags[4]; 464 uint8_t minsize[8]; /* minimum size */ 465 uint8_t maxsize[8]; /* maximum size */ 466 } ntfs_attrdef; 467 468 #define NTFS_ATTRDEF_FLAGS_IDX 0x02 469 #define NTFS_ATTRDEF_FLAGS_RES 0x40 /* always resident */ 470 #define NTFS_ATTRDEF_FLAGS_NONRES 0x80 /* allowed to be non-resident */ 471 472 473 474 /************************************************************************ 475 * OBJECT_ID attribute 476 */ 477 478 typedef struct { 479 // object ID / GUID of the file 480 uint8_t objid1[4]; // little endian 4-byte value 481 uint8_t objid2[2]; // little endian 2-byte value 482 uint8_t objid3[2]; // little endian 2-byte value 483 uint8_t objid4[2]; // big endian 2-byte value 484 uint8_t objid5[2]; // big endian 2-byte value 485 uint8_t objid6[4]; // big endian 4-byte value 486 uint8_t orig_volid1[8]; /* id of "birth" volume */ 487 uint8_t orig_volid2[8]; 488 uint8_t orig_objid1[8]; /* original object id */ 489 uint8_t orig_objid2[8]; 490 uint8_t orig_domid1[8]; /* id of "birth" domain */ 491 uint8_t orig_domid2[8]; 492 } ntfs_attr_objid; 493 494 495 #if TSK_USE_SID 496 497 /************************************************************************ 498 * Self-relative security descriptor 499 */ 500 501 typedef struct { 502 uint8_t revision; /* Revision level of the security descriptor. */ 503 uint8_t pad; 504 uint8_t control[2]; /* Flags qualifying the type of 505 the descriptor as well as the following fields. */ 506 507 uint8_t owner[4]; /* Byte offset to a SID representing an object's 508 owner. If this is NULL, no owner SID is present in 509 the descriptor. */ 510 511 uint8_t group[4]; /* Byte offset to a SID representing an object's 512 primary group. If this is NULL, no primary group 513 SID is present in the descriptor. */ 514 515 uint8_t sacl[4]; /* Byte offset to a system ACL. Only valid, if 516 SE_SACL_PRESENT is set in the control field. If 517 SE_SACL_PRESENT is set but sacl is NULL, a NULL ACL 518 is specified. */ 519 520 uint8_t dacl[4]; /* Byte offset to a discretionary ACL. Only valid, if 521 SE_DACL_PRESENT is set in the control field. If 522 SE_DACL_PRESENT is set but dacl is NULL, a NULL ACL 523 (unconditionally granting access) is specified. */ 524 525 } ntfs_self_relative_security_descriptor; 526 527 528 529 530 /************************************************************************ 531 * Structure used in Security Descriptor lookups 532 */ 533 typedef struct { 534 char *buffer; ///< Buffer to store data in 535 size_t size; ///< Number of bytes in buffer 536 size_t used; ///< Number of records used in the buffer (size depends on type of data stored) 537 } NTFS_SXX_BUFFER; 538 539 540 541 /************************************************************************ 542 * SID attribute 543 */ 544 545 typedef struct { 546 uint8_t revision; /* Revision */ 547 uint8_t sub_auth_count; /* Sub Authority Count */ 548 uint8_t ident_auth[6]; /* NT Authority ::NOTE:: big endian number */ 549 uint32_t sub_auth[1]; /* At least one sub_auth */ 550 } ntfs_sid; 551 552 553 554 /************************************************************************ 555 * SDS attribute 556 */ 557 558 typedef struct { 559 uint8_t hash_sec_desc[4]; /* Hash of Security Descriptor */ 560 uint8_t sec_id[4]; /* Security ID */ 561 uint8_t file_off[8]; /* Offset of this entry in this file */ 562 uint8_t ent_size[4]; /* Size of this entry */ 563 ntfs_self_relative_security_descriptor self_rel_sec_desc; /* Self-relative Security Descriptor */ 564 } ntfs_attr_sds; 565 566 567 /************************************************************************ 568 * SDH attribute 569 */ 570 571 572 typedef struct { 573 uint8_t data_off[2]; /* Offset to data */ 574 uint8_t size[2]; /* Size of data */ 575 uint8_t pad1[4]; /* Padding */ 576 uint8_t ent_size[2]; /* Size of Index Entry */ 577 uint8_t key_size[2]; /* Size of Index Key */ 578 uint8_t flags[2]; /* Flags */ 579 uint8_t pad2[2]; /* Padding */ 580 uint8_t key_hash_sec_desc[4]; /* Hash of Security Descriptor */ 581 uint8_t key_sec_id[4]; /* Security ID */ 582 uint8_t data_hash_sec_desc[4]; /* Hash of Security Descriptor */ 583 uint8_t data_sec_id[4]; /* Security ID */ 584 uint8_t sec_desc_off[8]; /* Offset to Security Descriptor (in $SDS) */ 585 uint8_t sec_desc_size[4]; /* Size of Security Descriptor (in $SDS) */ 586 uint8_t pad3[4]; /* Padding */ 587 } ntfs_attr_sdh; 588 589 590 /************************************************************************ 591 * SII attribute 592 */ 593 594 typedef struct { 595 uint8_t data_off[2]; /* Offset to data */ 596 uint8_t size[2]; /* Size of data */ 597 uint8_t pad1[4]; /* Padding */ 598 uint8_t ent_size[2]; /* Size of Index Entry */ 599 uint8_t key_size[2]; /* Size of Index Key */ 600 uint8_t flags[2]; /* Flags */ 601 uint8_t pad2[2]; /* Padding */ 602 uint8_t key_sec_id[4]; /* Security ID */ 603 uint8_t data_hash_sec_desc[4]; /* Hash of Security Descriptor */ 604 uint8_t data_sec_id[4]; /* Security ID */ 605 uint8_t sec_desc_off[8]; /* Offset to Security Descriptor (in $SDS) */ 606 uint8_t sec_desc_size[4]; /* Size of Security Descriptor (in $SDS) */ 607 608 } ntfs_attr_sii; 609 610 611 #endif 612 613 /* Update Sequence Journal Structures */ 614 /************************************************************************ 615 */ 616 617 618 enum TSK_FS_USN_REASON { 619 TSK_FS_USN_REASON_DATA_OVERWRITE = 0x00000001, 620 TSK_FS_USN_REASON_DATA_EXTEND = 0x00000002, 621 TSK_FS_USN_REASON_DATA_TRUNCATION = 0x00000004, 622 TSK_FS_USN_REASON_NAMED_DATA_OVERWRITE = 0x00000010, 623 TSK_FS_USN_REASON_NAMED_DATA_EXTEND = 0x00000020, 624 TSK_FS_USN_REASON_NAMED_DATA_TRUNCATION = 0x00000040, 625 TSK_FS_USN_REASON_FILE_CREATE = 0x00000100, 626 TSK_FS_USN_REASON_FILE_DELETE = 0x00000200, 627 TSK_FS_USN_REASON_EA_CHANGE = 0x00000400, 628 TSK_FS_USN_REASON_SECURITY_CHANGE = 0x00000800, 629 TSK_FS_USN_REASON_RENAME_OLD_NAME = 0x00001000, 630 TSK_FS_USN_REASON_RENAME_NEW_NAME = 0x00002000, 631 TSK_FS_USN_REASON_INDEXABLE_CHANGE = 0x00004000, 632 TSK_FS_USN_REASON_BASIC_INFO_CHANGE = 0x00008000, 633 TSK_FS_USN_REASON_HARD_LINK_CHANGE = 0x00010000, 634 TSK_FS_USN_REASON_COMPRESSION_CHANGE = 0x00020000, 635 TSK_FS_USN_REASON_ENCRYPTION_CHANGE = 0x00040000, 636 TSK_FS_USN_REASON_OBJECT_ID_CHANGE = 0x00080000, 637 TSK_FS_USN_REASON_REPARSE_POINT_CHANGE = 0x00100000, 638 TSK_FS_USN_REASON_STREAM_CHANGE = 0x00200000, 639 TSK_FS_USN_REASON_CLOSE = 0x80000000 640 }; 641 typedef enum TSK_FS_USN_REASON TSK_FS_USN_REASON; 642 643 644 enum TSK_FS_USN_SOURCE_INFO { 645 TSK_FS_USN_SOURCE_INFO_DATA_MANAGEMENT = 0x01, 646 TSK_FS_USN_SOURCE_INFO_AUXILIARY_DATA = 0x02, 647 TSK_FS_USN_SOURCE_INFO_REPLICATION_MANAGEMENT = 0x04, 648 TSK_FS_USN_SOURCE_INFO_CLIENT_REPLICATION_MANAGEMENT = 0x08 649 }; 650 typedef enum TSK_FS_USN_SOURCE_INFO TSK_FS_USN_SOURCE_INFO; 651 652 653 enum TSK_FS_NTFS_FILE_ATTRIBUTES { 654 TSK_FS_NTFS_FILE_ATTRIBUTE_READONLY = 0x000001, 655 TSK_FS_NTFS_FILE_ATTRIBUTE_HIDDEN = 0x000002, 656 TSK_FS_NTFS_FILE_ATTRIBUTE_SYSTEM = 0x000004, 657 TSK_FS_NTFS_FILE_ATTRIBUTE_DIRECTORY = 0x000010, 658 TSK_FS_NTFS_FILE_ATTRIBUTE_ARCHIVE = 0x000020, 659 TSK_FS_NTFS_FILE_ATTRIBUTE_DEVICE = 0x000040, 660 TSK_FS_NTFS_FILE_ATTRIBUTE_NORMAL = 0x000080, 661 TSK_FS_NTFS_FILE_ATTRIBUTE_TEMPORARY = 0x000100, 662 TSK_FS_NTFS_FILE_ATTRIBUTE_SPARSE_FILE = 0x000200, 663 TSK_FS_NTFS_FILE_ATTRIBUTE_REPARSE_POINT = 0x000400, 664 TSK_FS_NTFS_FILE_ATTRIBUTE_COMPRESSED = 0x000800, 665 TSK_FS_NTFS_FILE_ATTRIBUTE_OFFLINE = 0x001000, 666 TSK_FS_NTFS_FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x002000, 667 TSK_FS_NTFS_FILE_ATTRIBUTE_ENCRYPTED = 0x004000, 668 TSK_FS_NTFS_FILE_ATTRIBUTE_INTEGRITY_STREAM = 0x008000, 669 TSK_FS_NTFS_FILE_ATTRIBUTE_VIRTUAL = 0x010000, 670 TSK_FS_NTFS_FILE_ATTRIBUTE_NO_SCRUB_DATA = 0x020000 671 }; 672 typedef enum TSK_FS_NTFS_FILE_ATTRIBUTES TSK_FS_NTFS_FILE_ATTRIBUTES; 673 674 675 typedef struct { 676 uint64_t refnum; 677 uint16_t refnum_seq; 678 uint64_t parent_refnum; 679 uint16_t parent_refnum_seq; 680 uint64_t usn; 681 uint32_t time_sec; 682 uint32_t time_nsec; 683 TSK_FS_USN_REASON reason; 684 TSK_FS_USN_SOURCE_INFO source_info; 685 uint32_t security; 686 TSK_FS_NTFS_FILE_ATTRIBUTES attributes; 687 char *fname; 688 689 } TSK_USN_RECORD_V2; 690 691 692 typedef struct { 693 694 TSK_FS_FILE *fs_file; 695 TSK_INUM_T usnj_inum; 696 uint32_t bsize; 697 698 } NTFS_USNJINFO; 699 700 701 /************************************************************************ 702 */ 703 typedef struct { 704 TSK_FS_INFO fs_info; /* super class */ 705 ntfs_sb *fs; 706 uint8_t ver; /* version of NTFS - uses the VINFO flag */ 707 TSK_FS_FILE *mft_file; /* contains the data for the mft entry for the mft */ 708 const TSK_FS_ATTR *mft_data; /* Data run for MFT entry for MFT */ 709 uint32_t csize_b; /* number of bytes in a cluster */ 710 uint16_t ssize_b; /* number of bytes in a sector */ 711 uint32_t mft_rsize_b; /* number of bytes per mft record */ 712 uint32_t idx_rsize_b; /* number of bytes per idx record */ 713 TSK_DADDR_T root_mft_addr; /* address of first mft entry */ 714 715 uint8_t loading_the_MFT; /* set to 1 when initializing the setup */ 716 717 TSK_FS_ATTR_RUN *bmap; /* Run of bitmap for clusters (linked list) */ 718 719 /* lock protects bmap_buf, bmap_buf_off */ 720 tsk_lock_t lock; 721 char *bmap_buf; /* buffer to hold cached copy of bitmap (r/w shared - lock) */ 722 TSK_DADDR_T bmap_buf_off; /* offset cluster in cached bitmap (r/w shared - lock) */ 723 724 ntfs_attrdef *attrdef; // buffer of attrdef file contents 725 size_t attrdef_len; // length of addrdef buffer 726 727 /* orphan_map_lock protects orphan_map */ 728 tsk_lock_t orphan_map_lock; 729 void *orphan_map; // map that lists par directory to its orphans. (r/w shared - lock) 730 731 #if TSK_USE_SID 732 /* sid_lock protects sii_data, sds_data */ 733 tsk_lock_t sid_lock; 734 NTFS_SXX_BUFFER sii_data; // (r/w shared - lock) 735 NTFS_SXX_BUFFER sds_data; // (r/w shared - lock) 736 #endif 737 738 /* Number of allocated regular files. 0 until a directory is 739 * opened. Currently used by tools that are built on TSK. */ 740 int alloc_file_count; 741 742 NTFS_USNJINFO *usnjinfo; // update sequence number journal 743 } NTFS_INFO; 744 745 746 extern uint32_t nt2unixtime(uint64_t ntdate); 747 extern uint32_t nt2nano(uint64_t ntdate); 748 extern uint8_t ntfs_attrname_lookup(TSK_FS_INFO *, uint16_t, char *, 749 int); 750 extern TSK_RETVAL_ENUM ntfs_dinode_lookup(NTFS_INFO *, char *, 751 TSK_INUM_T); 752 extern TSK_RETVAL_ENUM ntfs_dir_open_meta(TSK_FS_INFO * a_fs, 753 TSK_FS_DIR ** a_fs_dir, TSK_INUM_T a_addr); 754 755 extern void ntfs_orphan_map_free(NTFS_INFO * a_ntfs); 756 757 extern int ntfs_name_cmp(TSK_FS_INFO *, const char *, const char *); 758 759 extern uint8_t ntfs_find_file(TSK_FS_INFO * fs, TSK_INUM_T inode_toid, 760 uint32_t type_toid, uint8_t type_used, uint16_t id_toid, 761 uint8_t id_used, TSK_FS_DIR_WALK_FLAG_ENUM dir_walk_flags, 762 TSK_FS_DIR_WALK_CB action, void *ptr); 763 764 765 #ifdef __cplusplus 766 } 767 #endif 768 #endif 769