Sunday, February 9, 2014

Back to basics - Signed integers



In this post, I wanted to visit the concept of signed vs. unsigned integers from a forensic point-of-view.  Many investigators are trained to use tools to view cases from the software vendor point-of-view without understanding basic computer science concepts.  

I wanted to look at symbolic links, look at the MFT record for the created hard link, and examine what happens when a hard link with a long filename is created to a file that also has a long filename.  These steps were repeated at least three times on Microsoft Windows [Version 6.1.7601], NTFS version 3.1.

1. Created a test file (a file rather than a folder, since hard links do not work on folders) with a long file name.
2. Created a hard link to the test file and gave the link a long file name as well.

C:\temp>copy con testingLongFilename.txt
hello again
^Z
        1 file(s) copied.

C:\temp>mklink /h hardlinktolongfile.txt testingLongFilename.txt
Hardlink created for hardlinktolongfile.txt <<===>> testingLongFilename.txt

C:\temp>dir
02/09/2014  07:51 PM                13 hardlinktolongfile.txt
02/09/2014  06:24 PM    <SYMLINK>      hello [c:\temp]
02/09/2014  06:25 PM    <SYMLINKD>     hello2 [c:\temp]
02/09/2014  06:26 PM    <JUNCTION>     hello3 [c:\temp]
02/09/2014  06:44 PM                 7 testfile.txt
02/09/2014  07:51 PM                13 testingLongFilename.txt

3. Examining the resulting MFT record showed that it reflects the long and short file names in the first two $30 FileName attributes, while the hard link has only a single $30 attribute.  The file names of the source and target reside in the same resident MFT record, where the length of the NTFS name record shows 0x88.
   Note: Microsoft documentation lists the flags 0x01 for the NTFS file name and 0x02 for the DOS file name, but does not list the 0x00 flag seen on the hard link file name (red circles).

So, in interpreting 0x88, it can be read as 136 or -120 depending on the data type. 

Recipe - Two's complement to find the signed decimal value of a Base-16 (Hex) value
1. Convert to binary
2. Add -1
   a. If the result starts with a one, the result is negative
3. Flip the result bits
     128   64   32   16    8    4    2    1
       1    0    0    0    1    0    0    0   0x88
       1    1    1    1    1    1    1    1   +(-1)
       1    0    0    0    0    1    1    1   result
       0    1    1    1    1    0    0    0   flip bits

-120


Thus, the hex value 0x88 can be interpreted as 136 as an unsigned integer and as -120 as a signed integer.  Signed integers are used in the MFT entries for the cluster runs, so be careful with interpretation.  In this case, the attribute length is 136 bytes.
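As an added illustration (not code from the original post), the recipe above and the two readings of the byte 0x88 in Python, followed by a decoder for NTFS data runs, where the relative cluster offsets are the signed values the last paragraph warns about. The run list bytes are constructed for the example, and the data-run layout (length and offset field sizes in the header byte, signed offset relative to the previous run) is the standard NTFS format rather than something taken from the post.

```python
import struct

def twos_complement_recipe(value: int, bits: int = 8) -> int:
    """The post's recipe: binary -> add -1 -> negative if it starts with 1 -> flip bits."""
    mask = (1 << bits) - 1
    value &= mask
    if value >> (bits - 1) == 0:
        return value                      # high bit clear: same value signed or unsigned
    minus_one = (value - 1) & mask        # step 2: add -1
    magnitude = (~minus_one) & mask       # step 3: flip the bits
    return -magnitude                     # step 2a: high bit set, so the result is negative

def interpret_byte(value: int) -> tuple:
    """Same byte read as unsigned ('<B') and signed ('<b'), the way a parser would."""
    raw = bytes([value])
    return struct.unpack("<B", raw)[0], struct.unpack("<b", raw)[0]

def decode_data_runs(runlist: bytes, signed_offsets: bool = True) -> list:
    """Decode an NTFS run list (standard layout, assumed here): each run starts with a header
    byte whose low nibble is the size of the unsigned length field and whose high nibble is the
    size of the SIGNED offset field, relative to the previous run's LCN. 0x00 ends the list.
    signed_offsets=False reproduces the mistake of reading the offset as unsigned."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:
        header = runlist[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        length = int.from_bytes(runlist[pos:pos + len_size], "little", signed=False)
        pos += len_size
        if off_size == 0:                 # sparse run: no clusters allocated
            runs.append((None, length))
            continue
        lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=signed_offsets)
        pos += off_size
        runs.append((lcn, length))
    return runs

# Constructed run list (not from the post): 5 clusters at LCN 0x1000, then 3 clusters whose
# offset byte is 0x88, i.e. 120 clusters back from the previous run, then the 0x00 terminator.
RUNLIST = bytes([0x21, 0x05, 0x00, 0x10, 0x11, 0x03, 0x88, 0x00])

if __name__ == "__main__":
    print(interpret_byte(0x88))                           # (136, -120)
    print(twos_complement_recipe(0x88))                   # -120
    print(decode_data_runs(RUNLIST))                      # [(4096, 5), (3976, 3)]
    print(decode_data_runs(RUNLIST, signed_offsets=False))  # [(4096, 5), (4232, 3)]
```

The last two calls show the practical consequence: reading the 0x88 offset as unsigned places the second run 256 clusters away from where it really is.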


