Investigate update sequence numbers
dkovar opened this issue · comments
http://msdn.microsoft.com/en-us/library/bb470124(v=vs.85).aspx
Google MFT update sequence number
Hope this helps:
Quick MFT Entry Structure from http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html.
The 'Offset to the update sequence' points to the array. The 'Number of entries in fixup array' tells you how many update values are replaced. The update sequence array (or fixup values) contains the replacement bytes for every 511th and 512th byte of the entry. The first two bytes of the array are the value of every 511th and 512th byte, every two bytes after that are the replacement values. This is used by Microsoft for error checking.
The following is an example where the entry (36 [offset 0x9000]) has a very long file name and where the second filename attribute exceeds the first 511 and 512th byte of the entry. Note that the name of the file is testfile_with_long_name_to_get_name_along_the_512th_byte_of_the_mft_entry_to_test_the_uptdate_sequence_array_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test.txt and that the update value replaces the 't' in to of the ‘…mft_entry_to_test_...’ part of the name.
The following is how AnalyseMFT outputs the name:
testfile_with_long_name_to_get_name_along_the_512th_byte_of_the_mft_entry_0x02o_test_the_uptdate_sequence_array_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test_test.txt
Where the 0x02 is used to represent the unprintable update sequence value. This should be an easy fix. While I'm not to great at Python. It looks like you can update this at the following location in your code where you parse the mft record in mft.py:
def parse_record(raw_record, options):
record = {}
record['filename'] = ''
record['notes'] = ''
decodeMFTHeader(record, raw_record);
record_number = record['recordnum']
if options.debug:
print '-->Record number: %d\n\tMagic: %s Attribute offset: %d Flags: %s Size:%d' % (record_number, record['magic'],
record['attr_off'], hex(int(record['flags'])), record['size'])
You could create another function here that would replace every 511th and 512th byte of the raw_record with the update sequence replacement values.