Hashing NTFS Resident File Data

(@nerimatrixx)
Posts: 26
Eminent Member
Topic starter
 

Hi everyone, I am a newbie in DF.

I recently came across an MC question that asked: "Can resident file data be hashed?" To which I answered No; would my answer be correct?

I know NTFS resident file data is stored within the $MFT record, and though $MFT can be hashed, I don't think that's what the question meant.

 
Posted : 22/05/2019 11:19 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

> Hi everyone, I am a newbie in DF.
>
> I recently came across an MC question that asked: "Can resident file data be hashed?" To which I answered No; would my answer be correct?
>
> I know NTFS resident file data is stored within the $MFT record, and though $MFT can be hashed, I don't think that's what the question meant.

You are wrong with your answer.

The MFT record could be hashed and, as you said, that would not be the hash of the file.

Quick background on how MFT records store data and information.
Each MFT entry starts with a record header, followed by a number of attributes. Normally the Standard Information attribute, Filename attribute and a Data attribute are the minimum.

The Data attribute consists of a standard attribute header (as do all attributes), followed by the attribute data, which is the data runs. These define which clusters within the volume the data is located in.

However, in a resident file the data runs are stored as a resident Data attribute in the MFT record. This consists of an attribute header and attribute data. The attribute data section of the MFT record contains the file data and therefore could be hashed.

I hope this helps.

 
Posted : 22/05/2019 11:53 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Maybe it helps if the question is re-formulated as:
"Can a file (no matter where it is stored) be hashed?"
or, even more generalized:
"Can an arbitrary number of contiguous bytes be hashed?"

To which the answer is of course yes.

The "tricky" part may be to know/find where to start and where to stop hashing, i.e. the exact position of the start of the file within the $MFT and its actual length, if the file is not accessed through the "normal" filesystem driver, for example by direct hex carving.

jaclaz

 
Posted : 22/05/2019 2:31 pm
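As an added example (not code from any of the posters), here is a Python sketch of what minime2k9 and jaclaz describe: find the unnamed resident $DATA attribute inside a 1024-byte MFT record and hash exactly its content bytes, nothing more. It builds its own constructed record, and it applies the NTFS update sequence fixups first, because a raw hex carve of content that straddles a sector boundary would otherwise pick up the update sequence number instead of the file's real bytes.

```python
import hashlib
import struct

SECTOR_SIZE, RECORD_SIZE = 512, 1024
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF

def apply_fixups(record: bytes) -> bytes:
    # Restore the last 2 bytes of each sector (overwritten on disk by the USN) from the USA.
    buf = bytearray(record)
    sig, usa_off, usa_count = struct.unpack_from("<4sHH", buf, 0)
    if sig != b"FILE":
        raise ValueError("not an MFT record")
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):                      # USA entry 0 is the USN itself
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn write or mis-aligned carve")
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def resident_data(record: bytes) -> bytes:
    # Walk the attributes and return the content of the unnamed resident $DATA.
    rec = apply_fixups(record)
    off = struct.unpack_from("<H", rec, 0x14)[0]       # offset of the first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA and rec[off + 9] == 0 and not rec[off + 8]:  # unnamed, resident
            size, content_off = struct.unpack_from("<IH", rec, off + 0x10)
            return rec[off + content_off:off + content_off + size]
        off += alen
    raise ValueError("no resident unnamed $DATA (non-resident data is hashed from its runs)")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample_record(content: bytes) -> bytes:
    # Constructed record holding only a resident $DATA attribute (real records also carry
    # $STANDARD_INFORMATION and $FILE_NAME); unused header fields are left zero.
    attr_len = (0x18 + len(content) + 7) & ~7          # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIH", ATTR_DATA, attr_len, 0, 0, 0x18, 0, 1,
                       len(content), 0x18) + b"\x00\x00" + content
    hdr = struct.pack("<4sHH", b"FILE", 0x30, 3).ljust(0x14, b"\x00") + struct.pack("<H", 0x38)
    body = hdr.ljust(0x38, b"\x00") + attr.ljust(attr_len, b"\x00") + struct.pack("<I", ATTR_END)
    buf = bytearray(body.ljust(RECORD_SIZE, b"\x00"))
    buf[0x30:0x32] = usn = b"\x07\x00"
    for i, end in ((1, SECTOR_SIZE), (2, RECORD_SIZE)):   # save each sector's last word, stamp USN
        buf[0x30 + 2 * i:0x32 + 2 * i], buf[end - 2:end] = buf[end - 2:end], usn
    return bytes(buf)
```

With a constructed content of a few hundred bytes the attribute content runs from offset 80 past the 512-byte sector boundary, so `sha256_hex(resident_data(rec))` matches the hash of the original bytes while a plain slice of the raw record does not.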
(@nerimatrixx)
Posts: 26
Eminent Member
Topic starter
 

> Hi everyone, I am a newbie in DF.
>
> I recently came across an MC question that asked: "Can resident file data be hashed?" To which I answered No; would my answer be correct?
>
> I know NTFS resident file data is stored within the $MFT record, and though $MFT can be hashed, I don't think that's what the question meant.
>
> You are wrong with your answer.
>
> The MFT record could be hashed and, as you said, that would not be the hash of the file.
>
> Quick background on how MFT records store data and information.
> Each MFT entry starts with a record header, followed by a number of attributes. Normally the Standard Information attribute, Filename attribute and a Data attribute are the minimum.
>
> The Data attribute consists of a standard attribute header (as do all attributes), followed by the attribute data, which is the data runs. These define which clusters within the volume the data is located in.
>
> However, in a resident file the data runs are stored as a resident Data attribute in the MFT record. This consists of an attribute header and attribute data. The attribute data section of the MFT record contains the file data and therefore could be hashed.
>
> I hope this helps.

You are right!

For a .txt file, I could just copy and paste the data into Notepad, save the data and then hash that new file.

Plus, if the file is not deleted, I can always go to the file path and hash the file just as any other file.

I think they added "resident file" as a trick, which I clearly fell for.

 
Posted : 23/05/2019 2:06 am
(@nerimatrixx)
Posts: 26
Eminent Member
Topic starter
 

> Maybe it helps if the question is re-formulated as:
> "Can a file (no matter where it is stored) be hashed?"
> or, even more generalized:
> "Can an arbitrary number of contiguous bytes be hashed?"
>
> To which the answer is of course yes.
>
> The "tricky" part may be to know/find where to start and where to stop hashing, i.e. the exact position of the start of the file within the $MFT and its actual length, if the file is not accessed through the "normal" filesystem driver, for example by direct hex carving.
>
> jaclaz

It was definitely a trick question, I clearly see it now.

 
Posted : 23/05/2019 2:18 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> It was definitely a trick question, I clearly see it now.

Yep, but don't worry, trick questions are common enough; everyone falls for them at some point.

If you have the chance, you could ask back how long a resident file can be, which is also a tricky enough question, as it depends on how it is written 😯 and how long its filename is, besides the disk sector size. JFYI:
https://www.forensicfocus.com/Forums/viewtopic/t=10403/

jaclaz

 
Posted : 23/05/2019 8:38 am
(@mscotgrove)
Posts: 938
Prominent Member
 

Be very careful about a copy and paste into something like Notepad. It can sometimes modify line endings, e.g. a CR to CRLF. The change may not be visible when viewing, but the hash will be different.

Always make sure that such an action does not change the data: any single bit change is a new hash.

 
Posted : 23/05/2019 10:08 am