Locating data on filesystems that were shrunk

Postby sedoy107 » Fri Nov 04, 2016 4:24 am

Good day everyone,

Recently I came across an NTFS filesystem fully filled with data that was later wiped via normal deletion (not formatting) and shrunk to a smaller size. During the analysis of this filesystem I expected TSK to yield the information about the entries that had their data located on the part of the filesystem that no longer existed.

To investigate this problem I made up a simpler case. I created a 2GB NTFS partition and filled it with 3 files each approximately 650GB in size and then wiped them via deletion.

Next, I shrunk the filesystem down to 1GB. I ran my program and noticed that the deleted MFT entries that pointed to the non-existing part of the filesystem had the fs_file->meta field equal to NULL. Although the MFT entries for those entries were alive and valid, I couldn't process those files and capture their locations. (fls displayed those entries with no inum (MFT entry#) associated with them.)

I found a piece of code that is in charge of checking an offset against disk boundaries.
Source file: %your_tsk_dir%/tsk/fs/ntfs.c
static TSK_RETVAL_ENUM
ntfs_make_data_run(NTFS_INFO * ntfs, TSK_OFF_T start_vcn,
    ntfs_runlist * runlist_head, TSK_FS_ATTR_RUN ** a_data_run_head,
    TSK_OFF_T * totlen, TSK_INUM_T mnum)
{
[snip]
/* Sanity check on length and offset */
            if (data_run->addr + data_run->len > fs->block_count && 1 == 0) { <====HERE
                tsk_error_reset();
                tsk_error_set_errno(TSK_ERR_FS_INODE_COR);
                tsk_error_set_errstr
                    ("ntfs_make_run: Run offset and length is larger than file system");
                tsk_fs_attr_run_free(*a_data_run_head);
                *a_data_run_head = NULL;
                return TSK_COR;
            }
[snip]
}

When this check fails, the entire MFT entry is not passed for further analysis. Having disabled this condition by adding " && 1 == 0", I got the desired behavior.

I thought it would be a good idea to let this check happen on the user's side. It could allow recovering more data by parsing $MFT, possibly without involving carving tools.

For example, if there is a 1TB disk with a 1TB filesystem. The filesystem could be filled up with some stuff (multimedia, documents, etc.). Later in time the FS gets shrunk, and most likely an additional one gets created. Even though a new FS would overwrite some of the data that used to be on the previous filesystem's removed part, a large amount of information could still be recoverable (if, of course, it wasn't overwritten by the files created on the second FS).

I don't know how badly my fix impacts other TSK functions. It works for me for my purposes. It would be awesome to have TSK optimized in a way that allows that check to be done by the user. It could also be done for other filesystems.
sedoy107
 
Posts: 2
Joined: Wed Mar 23, 2016 12:36 am
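The post proposes deferring the "run offset and length is larger than file system" check to the user so that runs pointing past a shrunk volume are still reported. The following is an added example, not code from the post or from TSK, that shows what such a user-side policy looks like: a small decoder for the standard NTFS compact runlist encoding (header byte with the length-field width in the low nibble and the signed, relative LCN-offset width in the high nibble, zero byte terminating the list) that keeps every run and flags the ones lying beyond block_count, using the same `addr + len > block_count` comparison the quoted TSK check uses. The block count, the sample runlist bytes, and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One decoded data run. lcn == -1 marks a sparse run (no clusters on disk).
 * beyond_volume is 1 when any cluster of the run lies past block_count. */
typedef struct {
    int64_t  lcn;
    uint64_t len;
    int      beyond_volume;
} data_run_t;

/* Decode an NTFS compact runlist. A run past block_count is kept and
 * flagged rather than discarding the whole entry, which is the user-side
 * policy the post asks for. Returns the run count, or -1 if malformed. */
int decode_runlist(const uint8_t *buf, size_t buflen, uint64_t block_count,
                   data_run_t *out, int max_runs)
{
    size_t  pos = 0;
    int64_t prev_lcn = 0;                       /* offsets are relative */
    int     n = 0;

    while (pos < buflen && buf[pos] != 0) {
        uint8_t  hdr    = buf[pos++];
        unsigned len_sz = hdr & 0x0F;           /* bytes in length field */
        unsigned off_sz = hdr >> 4;             /* bytes in offset field */

        if (len_sz == 0 || len_sz > 8 || off_sz > 8 ||
            pos + len_sz + off_sz > buflen || n >= max_runs)
            return -1;                          /* truncated or corrupt */

        uint64_t len = 0;                       /* little-endian length */
        for (unsigned i = 0; i < len_sz; i++)
            len |= (uint64_t)buf[pos + i] << (8 * i);
        pos += len_sz;

        if (off_sz == 0) {                      /* sparse run: no LCN */
            out[n].lcn = -1; out[n].len = len; out[n].beyond_volume = 0;
            n++;
            continue;
        }

        uint64_t u = 0;                         /* little-endian offset */
        for (unsigned i = 0; i < off_sz; i++)
            u |= (uint64_t)buf[pos + i] << (8 * i);
        int64_t off = (int64_t)u;
        if (off_sz < 8 && (buf[pos + off_sz - 1] & 0x80))
            off -= (int64_t)1 << (8 * off_sz);  /* sign-extend the offset */
        pos += off_sz;

        int64_t lcn = prev_lcn + off;
        if (lcn < 0)
            return -1;                          /* cannot precede cluster 0 */
        prev_lcn = lcn;

        out[n].lcn = lcn;
        out[n].len = len;
        /* same comparison as the TSK sanity check, but only a flag here */
        out[n].beyond_volume = ((uint64_t)lcn + len > block_count);
        n++;
    }
    return n;
}

/* Clusters that fall outside the current volume: the region an analyst
 * would have to read from the raw disk (or the old, larger volume image). */
uint64_t clusters_beyond(const data_run_t *runs, int n, uint64_t block_count)
{
    uint64_t total = 0;
    for (int i = 0; i < n; i++) {
        if (runs[i].lcn < 0 || !runs[i].beyond_volume)
            continue;
        uint64_t start = (uint64_t)runs[i].lcn;
        total += (start >= block_count) ? runs[i].len
                                        : start + runs[i].len - block_count;
    }
    return total;
}

/* Constructed sample (not from the post): a volume shrunk to 262144 clusters
 * and a deleted file whose 2nd and 4th runs sit beyond the new boundary. */
#define SAMPLE_BLOCK_COUNT 262144ULL
static const uint8_t SAMPLE_RUNLIST[] = {
    0x21, 0x10, 0x00, 0x10,         /* 16 clusters at LCN 4096 */
    0x31, 0x20, 0x00, 0x00, 0x04,   /* 32 clusters at +262144 -> LCN 266240 */
    0x01, 0x05,                     /* 5-cluster sparse run */
    0x11, 0x08, 0xF0,               /* 8 clusters at -16 -> LCN 266224 */
    0x00                            /* terminator */
};
static data_run_t g_runs[8];

int demo_decode(void)
{
    return decode_runlist(SAMPLE_RUNLIST, sizeof SAMPLE_RUNLIST,
                          SAMPLE_BLOCK_COUNT, g_runs, 8);
}
int64_t demo_lcn(int i) { return g_runs[i].lcn; }
int demo_beyond(int i)  { return g_runs[i].beyond_volume; }
uint64_t demo_clusters_beyond(void)
{
    int n = demo_decode();
    return n < 0 ? 0 : clusters_beyond(g_runs, n, SAMPLE_BLOCK_COUNT);
}

int main(void)
{
    int n = demo_decode();
    for (int i = 0; i < n; i++)
        printf("run %d: lcn=%lld len=%llu %s\n", i, (long long)g_runs[i].lcn,
               (unsigned long long)g_runs[i].len,
               g_runs[i].beyond_volume ? "BEYOND volume" : "inside volume");
    printf("clusters beyond volume: %llu\n",
           (unsigned long long)demo_clusters_beyond());
    return 0;
}
```

The decoder still rejects genuinely corrupt lists (truncated fields, an LCN before cluster 0), so the boundary flag is a separate decision from structural validity; that separation is what lets a caller report the out-of-volume runs from a deleted entry instead of losing the whole entry, while a caller that wants the original strict behaviour can simply treat any flagged run as an error.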
