Hashing NTFS Resident File Data


NeriMatrixx
Newbie
 

Hashing NTFS Resident File Data

Posted: May 22, 19 11:19

Hi Everyone, I am a newbie in DF.

I recently came across an MC question that asked: "can Resident file data be hashed?" To which I answered No; would my answer be correct?

I know NTFS Resident file data is stored within the $MFT Record, and though $MFT can be hashed, I don't think that's what the question meant.  
 
  

minime2k9
Senior Member
 

Re: Hashing NTFS Resident File Data

Posted: May 22, 19 11:53

- NeriMatrixx
Hi Everyone, I am a newbie in DF.

I recently came across an MC question that asked: "can Resident file data be hashed?" To which I answered No; would my answer be correct?

I know NTFS Resident file data is stored within the $MFT Record, and though $MFT can be hashed, I don't think that's what the question meant.


You are wrong with your answer.

The MFT record could be hashed and as you said, that would not be the hash of the file.

Quick background on how MFT records store data and information.
Each MFT entry starts with a Record header, followed by a number of attributes. Normally the Standard Information Attribute, Filename Attribute and a data attribute are the minimum.

The data attribute consists of a standard attribute header (as do all attributes) and this is followed by attribute data, which is the data runs. These define which clusters the data is located in within the volume.

However, in a resident file the Data runs are stored as a resident data attribute in the MFT record. This consists of an attribute header and attribute data. The attribute data section of the MFT record contains the file data and therefore could be hashed.

I hope this helps  
 
  

jaclaz
Senior Member
 

Re: Hashing NTFS Resident File Data

Posted: May 22, 19 14:31

Maybe it helps if the question is re-formulated as:
Can a file (no matter where it is stored) be hashed?
or even more generalized:
Can an arbitrary number of contiguous bytes be hashed?

To which the answer is of course yes.

The "tricky" part may be to know/find where to start and where to stop hashing, i.e. the exact position of the start of the file within the $MFT and its actual length, if the file is not accessed through the "normal" filesystem driver, as an example by direct hex carving.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
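The record walk that minime2k9 describes, and the "where to start and where to stop hashing" point jaclaz raises, as an added Python example (not code from this thread or from any of its posters): it undoes the update sequence fixups, walks the attribute headers to the unnamed $DATA attribute, checks the resident flag, and hashes exactly the resident content bytes rather than the whole MFT record. Field offsets follow the documented NTFS FILE record and attribute header layout; the sample record, its USN value and the `build_sample_record` helper are constructed here, and 512-byte sectors with 1024-byte records are assumed.

```python
"""Locate and hash the resident $DATA content inside an NTFS MFT FILE record.

Added example, not code from the thread. Record and attribute offsets follow
the documented NTFS on-disk layout; the sample record below is constructed.
"""
import hashlib
import struct

ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
SECTOR = 512          # assumption: 512-byte sectors, 1024-byte MFT records


def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence array: NTFS overwrites the last two bytes of
    every sector with the USN and keeps the original words in the USA."""
    buf = bytearray(record)
    if buf[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch at offset {end}: torn or corrupt record")
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def resident_data(record: bytes) -> tuple[int, bytes]:
    """Walk the attribute list and return (offset, content) of the unnamed
    resident $DATA attribute, i.e. exactly where hashing starts and stops."""
    rec = apply_fixups(record)
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if alen < 0x18 or off + alen > len(rec):
            raise ValueError(f"bad attribute length at offset {off}")
        non_resident, name_len = struct.unpack_from("<BB", rec, off + 8)
        if atype == ATTR_DATA and name_len == 0:          # skip named streams
            if non_resident:
                raise ValueError("$DATA is non-resident: follow its data runs, not the record")
            content_len, content_off = struct.unpack_from("<IH", rec, off + 0x10)
            start = off + content_off
            if start + content_len > off + alen:
                raise ValueError("resident content overruns its attribute")
            return start, rec[start:start + content_len]
        off += alen
    raise ValueError("no unnamed $DATA attribute found")


def hash_resident_file(record: bytes, algorithm: str = "sha256") -> str:
    """Hash the file content itself, never the surrounding record bytes."""
    _, content = resident_data(record)
    return hashlib.new(algorithm, content).hexdigest()


def _resident_attr(atype: int, attr_id: int, content: bytes) -> bytes:
    """Resident attribute: 24-byte header, then content padded to 8 bytes."""
    total = (0x18 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id,
                         len(content), 0x18, 0, 0)
    return header + content.ljust(total - 0x18, b"\0")


def build_sample_record(content: bytes, usn: bytes = b"\x07\x00") -> bytes:
    """Constructed 1024-byte FILE record holding `content` as resident $DATA."""
    if len(content) > 400:
        raise ValueError("keep the constructed file small enough to stay resident")
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, 0, bytes(0x48))   # zeroed for the example
             + _resident_attr(ATTR_FILE_NAME, 1, bytes(0x42))            # zeroed for the example
             + _resident_attr(ATTR_DATA, 2, content)
             + struct.pack("<I", ATTR_END))
    first_attr = 0x38                                  # USA (6 bytes at 0x30) rounded up to 8
    buf = bytearray(1024)
    buf[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, first_attr,
                             0x01, first_attr + len(attrs), 1024, 0, 3, 0, 42)
    buf[first_attr:first_attr + len(attrs)] = attrs
    buf[0x30:0x32] = usn
    for i in (1, 2):                                   # stash sector-end words, then plant the USN
        end = i * SECTOR - 2
        buf[0x30 + 2 * i:0x30 + 2 * i + 2] = buf[end:end + 2]
        buf[end:end + 2] = usn
    return bytes(buf)


if __name__ == "__main__":
    record = build_sample_record(b"Hello, resident world!\n")   # constructed sample file
    offset, content = resident_data(record)
    print(f"resident $DATA at record offset {offset}, {len(content)} bytes")
    print("sha256 of file content :", hash_resident_file(record))
    print("sha256 of whole record :", hashlib.sha256(record).hexdigest())
```

The two digests printed at the end differ, which is the distinction the thread turns on: hashing the $MFT record gives a hash of the record, hashing the bytes between `offset` and `offset + len(content)` gives the hash of the file. Working on raw bytes also sidesteps any line-ending or encoding change a copy through a text editor could introduce. A real carving tool would additionally handle named streams, non-resident $DATA (by following the data runs) and attribute lists in extension records, which this example deliberately refuses rather than guesses at.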
 
  

NeriMatrixx
Newbie
 

Re: Hashing NTFS Resident File Data

Posted: May 23, 19 02:06

- minime2k9
- NeriMatrixx
Hi Everyone, I am a newbie in DF.

I recently came across an MC question that asked: "can Resident file data be hashed?" To which I answered No; would my answer be correct?

I know NTFS Resident file data is stored within the $MFT Record, and though $MFT can be hashed, I don't think that's what the question meant.


You are wrong with your answer.

The MFT record could be hashed and as you said, that would not be the hash of the file.

Quick background on how MFT records store data and information.
Each MFT entry starts with a Record header, followed by a number of attributes. Normally the Standard Information Attribute, Filename Attribute and a data attribute are the minimum.

The data attribute consists of a standard attribute header (as do all attributes) and this is followed by attribute data, which is the data runs. These define which clusters the data is located in within the volume.

However, in a resident file the Data runs are stored as a resident data attribute in the MFT record. This consists of an attribute header and attribute data. The attribute data section of the MFT record contains the file data and therefore could be hashed.

I hope this helps



You are right!

For a .txt file, I could just copy & paste the data into notepad, save the data and then hash that new file.

Plus if the file is not deleted, I can always go to the file path and hash the file just as any other file.

I think they added 'Resident file' as a trick... which I clearly fell for.
 
  

NeriMatrixx
Newbie
 

Re: Hashing NTFS Resident File Data

Posted: May 23, 19 02:18

- jaclaz
Maybe it helps if the question is re-formulated as:
Can a file (no matter where it is stored) be hashed?
or even more generalized:
Can an arbitrary number of contiguous bytes be hashed?

To which the answer is of course yes.

The "tricky" part may be to know/find where to start and where to stop hashing, i.e. the exact position of the start of the file within the $MFT and its actual length, if the file is not accessed through the "normal" filesystem driver, as an example by direct hex carving.

jaclaz



It was definitely a trick question, I clearly see it now.  
 
  

jaclaz
Senior Member
 

Re: Hashing NTFS Resident File Data

Posted: May 23, 19 08:38

- NeriMatrixx

It was definitely a trick question, I clearly see it now.

Yep, but don't worry, trick questions are common enough, it happens to everyone to fall for them.

If you have the possibility, you could ask back how long a resident file can be, which is also a tricky enough question, as it depends on how it is written and how long its filename is, besides disk sector size, JFYI:
www.forensicfocus.com/...c/t=10403/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

mscotgrove
Senior Member
 

Re: Hashing NTFS Resident File Data

Posted: May 23, 19 10:08

Be very careful about a copy and paste into something like Notepad. It can sometimes modify line endings, e.g. a CR to CRLF. The change may not be visible when viewing, but the hash will be different.

Always make sure that such an action does not change the data - any single bit change is a new hash.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
