authorChristophe Grenier <grenier@cgsecurity.org>2012-09-16 18:23:21 +0200
committerChristophe Grenier <grenier@cgsecurity.org>2012-09-16 18:23:21 +0200
commit465a0bf1bdc4a84d170d9e707d36a9dade377577 (patch)
treeba35783ba0fa0e815fdf975740e0262ada28c7f8 /src
parent3147f26997c00712f9545d34740e167f1eb0ce5c (diff)
PhotoRec: detect NTFS MFT record
Diffstat (limited to 'src')
-rw-r--r--src/Makefile.am1
-rw-r--r--src/file_list.c2
-rw-r--r--src/file_mft.c92
-rw-r--r--src/ntfs.h18
4 files changed, 113 insertions, 0 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index eb35c4a..3228853 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -159,6 +159,7 @@ file_C = filegen.c \
file_mdf.c \
file_mfa.c \
file_mfg.c \
+ file_mft.c \
file_mid.c \
file_mig.c \
file_mk5.c \
diff --git a/src/file_list.c b/src/file_list.c
index f582cd9..2f670f4 100644
--- a/src/file_list.c
+++ b/src/file_list.c
@@ -161,6 +161,7 @@ extern const file_hint_t file_hint_mdb;
extern const file_hint_t file_hint_mdf;
extern const file_hint_t file_hint_mfa;
extern const file_hint_t file_hint_mfg;
+extern const file_hint_t file_hint_mft;
extern const file_hint_t file_hint_mid;
extern const file_hint_t file_hint_mig;
extern const file_hint_t file_hint_mk5;
@@ -414,6 +415,7 @@ file_enable_t list_file_enable[]=
{ .enable=0, .file_hint=&file_hint_mdf },
{ .enable=0, .file_hint=&file_hint_mfa },
{ .enable=0, .file_hint=&file_hint_mfg },
+ { .enable=0, .file_hint=&file_hint_mft },
{ .enable=0, .file_hint=&file_hint_mid },
{ .enable=0, .file_hint=&file_hint_mig },
{ .enable=0, .file_hint=&file_hint_mk5 },
diff --git a/src/file_mft.c b/src/file_mft.c
new file mode 100644
index 0000000..ae88759
--- /dev/null
+++ b/src/file_mft.c
@@ -0,0 +1,92 @@
+/*
+
+ File: file_mft.c
+
+ Copyright (C) 2012 Christophe GRENIER <grenier@cgsecurity.org>
+
+ This software is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write the Free Software Foundation, Inc., 51
+ Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+#include <stdio.h>
+#include "types.h"
+#include "filegen.h"
+#include "common.h"
+#include "ntfs.h"
+
+static void register_header_check_mft(file_stat_t *file_stat);
+static int header_check_mft(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new);
+
+const file_hint_t file_hint_mft= {
+ .extension="mft",
+ .description="NTFS MFT record",
+ .min_header_distance=0,
+ .max_filesize=PHOTOREC_MAX_FILE_SIZE,
+ .recover=0,
+ .enable_by_default=1,
+ .register_header_check=&register_header_check_mft
+};
+
+static void file_rename_mft(const char *old_filename)
+{
+ unsigned char buffer[512];
+ unsigned char buffer_cluster[32];
+ FILE *file;
+ int buffer_size;
+ const struct ntfs_mft_record *record=(const struct ntfs_mft_record *)&buffer;
+ if((file=fopen(old_filename, "rb"))==NULL)
+ return;
+ buffer_size=fread(buffer, 1, sizeof(buffer), file);
+ fclose(file);
+ if(buffer_size<54)
+ return;
+ sprintf(buffer_cluster, "record_%u", (unsigned int)le32(record->mft_record_number));
+ file_rename(old_filename, buffer_cluster, strlen(buffer_cluster), 0, NULL, 1);
+}
+
+static int header_check_mft(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
+{
+ const struct ntfs_mft_record *mft_rec=(const struct ntfs_mft_record *)buffer;
+ const unsigned int usa_ofs = le16(mft_rec->usa_ofs);
+ const unsigned int usa_count = le16(mft_rec->usa_count);
+ const unsigned int attrs_offset = le16(mft_rec->attrs_offset);
+ const unsigned int bytes_in_use = le32(mft_rec->bytes_in_use);
+ const unsigned int bytes_allocated = le32(mft_rec->bytes_allocated);
+ if(!(memcmp(buffer,"FILE",4)==0 &&
+ usa_ofs+usa_count <= attrs_offset &&
+ 42 <= attrs_offset &&
+ attrs_offset%8==0 &&
+ attrs_offset < bytes_in_use &&
+ bytes_in_use <= bytes_allocated))
+ return 0;
+ reset_file_recovery(file_recovery_new);
+ file_recovery_new->extension=file_hint_mft.extension;
+ file_recovery_new->calculated_file_size=bytes_allocated;
+ file_recovery_new->data_check=&data_check_size;
+ file_recovery_new->file_check=&file_check_size;
+ file_recovery_new->file_rename=&file_rename_mft;
+ return 1;
+}
+
+static void register_header_check_mft(file_stat_t *file_stat)
+{
+ register_header_check(0, "FILE", 4, &header_check_mft, file_stat);
+}
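Review bot: In `header_check_mft` the recovered size is taken straight from the on-disk `bytes_allocated` field, and the only constraint on it is `bytes_in_use <= bytes_allocated`, so a corrupted or crafted sector that begins with "FILE" can declare a record of up to 4 GiB. An upper bound in the condition would reject such records, for example `bytes_allocated <= MFT_RECORD_MAX_SIZE &&`, where `MFT_RECORD_MAX_SIZE` is a placeholder for a limit the project chooses. The header fields are also read through `mft_rec` without consulting `buffer_size`; if callers can pass fewer than `sizeof(struct ntfs_mft_record)` bytes (not visible in this hunk), the function should return 0 for such a buffer before any field is read. In `file_rename_mft`, `buffer_cluster` is `unsigned char[32]` yet is passed to `sprintf` and `strlen`; declaring it `char` and writing `snprintf(buffer_cluster, sizeof(buffer_cluster), "record_%u", ...)` keeps the write bounded if the format ever changes.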
diff --git a/src/ntfs.h b/src/ntfs.h
index 4dae58e..cba2a98 100644
--- a/src/ntfs.h
+++ b/src/ntfs.h
@@ -55,6 +55,24 @@ struct ntfs_boot_sector {
uint8_t bootstrap[426]; /* 0x54 Irrelevant (boot up code). */
uint16_t marker; /* 0x1FE */
} __attribute__ ((__packed__));
+
+struct ntfs_mft_record {
+ uint32_t magic; /* FILE */
+ uint16_t usa_ofs;
+ uint16_t usa_count;
+ uint64_t lsn;
+ uint16_t sequence_number;
+ uint16_t link_count;
+ uint16_t attrs_offset; /* Must be aligned to 8-byte boundary */
+ uint16_t flags;
+ uint32_t bytes_in_use; /* Must be aligned to 8-byte boundary */
+ uint32_t bytes_allocated;
+ uint64_t base_mft_record;
+ uint16_t next_attr_instance;
+ uint16_t reserved; /* NTFS 3.1+ */
+ uint32_t mft_record_number; /* NTFS 3.1+ */
+} __attribute__ ((__packed__));
+
int check_NTFS(disk_t *disk_car,partition_t *partition,const int verbose,const int dump_ind);
int log_ntfs2_info(const struct ntfs_boot_sector *nh1, const struct ntfs_boot_sector *nh2);
int log_ntfs_info(const struct ntfs_boot_sector *ntfs_header);
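Review bot: The new `struct ntfs_mft_record` has no byte offsets on its fields, while the `ntfs_boot_sector` struct just above annotates them (`/* 0x54 ... */`, `/* 0x1FE */`). Since file_mft.c overlays this packed struct on raw disk bytes, offset comments would let a reader check the layout against the on-disk format, e.g. `uint16_t attrs_offset; /* 0x14 Must be aligned to 8-byte boundary */` and `uint32_t mft_record_number; /* 0x2C NTFS 3.1+ */`. The `NTFS 3.1+` remark could also say that code reading `reserved` or `mft_record_number` has to confirm the record really carries them, because the rename callback added in file_mft.c reads `mft_record_number` unconditionally. A `_Static_assert(sizeof(struct ntfs_mft_record) == 48, "...")` next to the definition would pin the packed size, if the project's minimum compiler supports it.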