ntfs.h

Go to the documentation of this file.
00001 /*
00002 ** The Sleuth Kit
00003 **
00004 ** $Date: 2007/11/29 02:21:43 $
00005 **
00006 ** Brian Carrier [carrier@sleuthkit.org]
00007 ** Copyright (c) 2003-2005 Brian Carrier.  All rights reserved
00008 **
00009 ** TASK
00010 ** Copyright (c) 2002 @stake Inc.  All rights reserved
00011 */
00012 
00018 #ifndef _NTFS_H
00019 #define _NTFS_H
00020 
00021 #ifdef __cplusplus
00022 extern "C" {
00023 #endif
00024 
00025 
00026 // the SID code has been buggy on some systems and byitself it does
00027 // not provide much security info.  It is being disabled until fixed. 
00028 #define TSK_USE_SID 0
00029 
00030 //#define NTFS_FS_MAGIC 0x5346544E      /* "NTFS" in little endian */
00031 #define NTFS_FS_MAGIC   0xAA55
00032 #define NTFS_DEV_BSIZE  512
00033 
00034 #define NTFS_MAXNAMLEN  256
00035 #define NTFS_MAXNAMLEN_UTF8     4 * NTFS_MAXNAMLEN
00036 
00037 /* location of the Root Directory inode */
00038 #define NTFS_ROOTINO    NTFS_MFT_ROOT
00039 #define NTFS_FIRSTINO   0       /* location of the $Mft Record */
00040 #define NTFS_LAST_DEFAULT_INO   16      /* A guess for right now */
00041 
00042 #define NTFS_NDADDR                     0
00043 #define NTFS_NIADDR                     0
00044 
00045 /* uncompression values */
00046 #define NTFS_TOKEN_MASK   1
00047 #define NTFS_SYMBOL_TOKEN 0
00048 #define NTFS_TOKEN_LENGTH 8
00049 /* (64 * 1024) = 65536 */
00050 #define NTFS_MAX_UNCOMPRESSION_BUFFER_SIZE 65536
00051 
00052 
00053 
00054 /************************************************************************
00055  * Update sequence structure.  This is located at upd_off from the
00056  * begining of the original structure
00057  */
00058     typedef struct {
00059         uint8_t upd_val[2];     // what they should be 
00060         uint8_t upd_seq;        // array of size 2*(upd_cnt-1) w/orig vals
00061     } ntfs_upd;
00062 
00063 
00064 /************************************************************************
00065  * bootsector
00066  *
00067  * located in sector 0 in $Boot
00068  */
00069     typedef struct {
00070         uint8_t f1[3];          // 0
00071         char oemname[8];        // 3
00072         uint8_t ssize[2];       // 11   /* sector size in bytes */
00073         uint8_t csize;          // 13  /* sectors per cluster */
00074         uint8_t f2[26];         // 14
00075         uint8_t vol_size_s[8];  // 40   /*size of volume in sectors */
00076         uint8_t mft_clust[8];   // 48   /* location of MFT */
00077         uint8_t mftm_clust[8];  // 56    /* location of MFT mirror */
00078         int8_t mft_rsize_c;     // 64      /* number of clusters per mft record */
00079         uint8_t f3[3];
00080         int8_t idx_rsize_c;     // 68      /* number of clus per idx rec */
00081         uint8_t f4[3];
00082         uint8_t serial[8];      // 72   /* serial number */
00083         uint8_t f5[430];        //80
00084         uint8_t magic[2];
00085     } ntfs_sb;
00086 
00087 
00088 
00089 /************************************************************************
00090  * MFT Entry
00091  *
00092  * One entry in the MFT - there exists one for each file
00093  */
00094     typedef struct {
00095         uint8_t magic[4];
00096         uint8_t upd_off[2];     // 4
00097         uint8_t upd_cnt[2];     // 6  size+1
00098         uint8_t lsn[8];         // 8  $LogFile Sequence Number
00099         uint8_t seq[2];         // 16
00100         uint8_t link[2];        // 18
00101         uint8_t attr_off[2];    // 20
00102         uint8_t flags[2];       // 22
00103         uint8_t size[4];        // 24
00104         uint8_t alloc_size[4];  //28
00105         uint8_t base_ref[6];    // 32 
00106         uint8_t base_seq[2];    // 38 
00107         uint8_t next_attrid[2]; // 40 The next id to be assigned
00108         uint8_t f1[2];          // XP Only
00109         uint8_t entry[4];       // XP Only - Number of this entry
00110     } ntfs_mft;
00111 
00112 /* Magic values for each MFT entry */
00113 #define NTFS_MFT_MAGIC  0x454c4946
00114 #define NTFS_MFT_MAGIC_BAAD     0x44414142
00115 #define NTFS_MFT_MAGIC_ZERO     0x00000000
00116 
00117 /* MFT entry flags */
00118 #define NTFS_MFT_INUSE  0x0001
00119 #define NTFS_MFT_DIR    0x0002
00120 
00121 /* flags for file_ref */
00122 #define NTFS_MFT_BASE           0       /* set when the base file record */
00123 /* Mask when not zero, which indicates the base file record */
00124 #define NTFS_MFT_FILE_REC       0x00ffffffffffffff
00125 
00126 /* DEFINED MFT entries - file system metadata files */
00127 #define NTFS_MFT_MFT    0x0
00128 #define NTFS_MFT_MFTMIR 0x1
00129 #define NTFS_MFT_LOG    0x2
00130 #define NTFS_MFT_VOL    0x3
00131 #define NTFS_MFT_ATTR   0x4
00132 #define NTFS_MFT_ROOT   0x5
00133 #define NTFS_MFT_BMAP   0x6
00134 #define NTFS_MFT_BOOT   0x7
00135 #define NTFS_MFT_BAD    0x8
00136 //#define NTFS_MFT_QUOT 0x9
00137 #define NTFS_MFT_SECURE 0x9
00138 #define NTFS_MFT_UPCASE 0xA
00139 
00140 
00141 
00142 /************************************************************************
00143  * Attribute Header for resident and non-resident attributes
00144  */
00145     typedef struct {
00146         uint8_t type[4];
00147         uint8_t len[4];         // 4 - length including header
00148         uint8_t res;            // 8 - resident flag
00149         uint8_t nlen;           // 9 - name length
00150         uint8_t name_off[2];    // 10 - offset to name 
00151         uint8_t flags[2];       // 12  
00152         uint8_t id[2];          // 14 - unique identifier
00153 
00154         union {
00155             /* Resident Values */
00156             struct {
00157                 uint8_t ssize[4];       // 16 - size of content
00158                 uint8_t soff[2];        // 20 - offset to content (after name)
00159                 uint8_t idxflag[2];     // 22 - indexed flag 
00160             } r;
00161             /* Non-resident Values */
00162             struct {
00163                 uint8_t start_vcn[8];   // 16 - starting VCN of this attribute
00164                 uint8_t last_vcn[8];    // 24
00165                 uint8_t run_off[2];     // 32 - offset to the data runs (after name)
00166                 uint8_t compusize[2];   // 34 - compression unit size (2^x)
00167                 uint8_t f1[4];  // 36
00168                 uint8_t alen[8];        // 40   allocated size of stream
00169                 uint8_t ssize[8];       // 48   actual size of stream
00170                 uint8_t initsize[8];    // 56   initialized steam size
00171             } nr;
00172         } c;
00173     } ntfs_attr;
00174 
00175 /* values for the res field */
00176 #define NTFS_MFT_RES    0       /* resident */
00177 #define NTFS_MFT_NONRES 1       /* non-resident */
00178 
00179 
00180 /* Values for flag field 
00181  * should only exist for $DATA attributes */
00182 #define NTFS_ATTR_FLAG_COMP     0x0001  /* compressed */
00183 #define NTFS_ATTR_FLAG_ENC      0x4000  /* encrypted */
00184 #define NTFS_ATTR_FLAG_SPAR     0x8000  /* sparse */
00185 
00186 
00187 
00188 /* values for the type field */
00189 #define NTFS_ATYPE_SI       0x10        // 16
00190 #define NTFS_ATYPE_ATTRLIST 0x20        // 32
00191 #define NTFS_ATYPE_FNAME    0x30        // 48
00192 #define NTFS_ATYPE_VVER     0x40        // 64 (NT)
00193 #define NTFS_ATYPE_OBJID    0x40        // 64 (2K)
00194 #define NTFS_ATYPE_SEC      0x50        // 80
00195 #define NTFS_ATYPE_VNAME    0x60        // 96
00196 #define NTFS_ATYPE_VINFO    0x70        // 112
00197 #define NTFS_ATYPE_DATA     0x80        // 128
00198 #define NTFS_ATYPE_IDXROOT  0x90        // 144
00199 #define NTFS_ATYPE_IDXALLOC 0xA0        // 160
00200 #define NTFS_ATYPE_BITMAP   0xB0        // 176
00201 #define NTFS_ATYPE_SYMLNK   0xC0        // 192 (NT)
00202 #define NTFS_ATYPE_REPARSE  0xC0        // 192 (2K)
00203 #define NTFS_ATYPE_EAINFO   0xD0        // 208
00204 #define NTFS_ATYPE_EA       0xE0        // 224
00205 #define NTFS_ATYPE_PROP     0xF0        //  (NT)
00206 #define NTFS_ATYPE_LOG      0x100       //  (2K)
00207 
00208 
00209 
00210 
00211 /************************************************************************
00212  * File Name Attribute
00213  */
00214     typedef struct {
00215         uint8_t par_ref[6];     /* file reference to base File Record of parent */
00216         uint8_t par_seq[2];     /* seq num to base File Record of parent */
00217         uint8_t crtime[8];      /* file creation */
00218         uint8_t mtime[8];       /* file altered */
00219         uint8_t ctime[8];       /* mod time for FILE record (MFT Entry) */
00220         uint8_t atime[8];       /* access time */
00221         uint8_t alloc_fsize[8];
00222         uint8_t real_fsize[8];
00223         uint8_t flags[8];
00224         uint8_t nlen;           /* length of file name */
00225         uint8_t nspace;
00226         uint8_t name;           /* in unicode */
00227     } ntfs_attr_fname;
00228 
00229 /* values for the flags field of attr_fname */
00230 #define NTFS_FNAME_FLAGS_RO             0x0000000000000001
00231 #define NTFS_FNAME_FLAGS_HID    0x0000000000000002
00232 #define NTFS_FNAME_FLAGS_SYS    0x0000000000000004
00233 #define NTFS_FNAME_FLAGS_ARCH   0x0000000000000020
00234 #define NTFS_FNAME_FLAGS_DEV    0x0000000000000040
00235 #define NTFS_FNAME_FLAGS_NORM   0x0000000000000080
00236 #define NTFS_FNAME_FLAGS_TEMP   0x0000000000000100
00237 #define NTFS_FNAME_FLAGS_SPAR   0x0000000000000200
00238 #define NTFS_FNAME_FLAGS_REP    0x0000000000000400
00239 #define NTFS_FNAME_FLAGS_COMP   0x0000000000000800
00240 #define NTFS_FNAME_FLAGS_OFF    0x0000000000001000
00241 #define NTFS_FNAME_FLAGS_NOIDX  0x0000000000002000
00242 #define NTFS_FNAME_FLAGS_ENC    0x0000000000004000
00243 #define NTFS_FNAME_FLAGS_DIR            0x0000000010000000
00244 #define NTFS_FNAME_FLAGS_IDXVIEW        0x0000000020000000
00245 
00246 
00247 /* values for the name space values of nspace */
00248 #define NTFS_FNAME_POSIX        0       /* case sensitive  and any but NULL and \ */
00249 #define NTFS_FNAME_WIN32        1       // insensitive and restricted
00250 #define NTFS_FNAME_DOS          2       // 8.3 format of 8-bit chars in uppercase
00251 #define NTFS_FNAME_WINDOS       3       // name in WIN32 space that is already DOS
00252 
00253 
00254 
00255 
00256 /************************************************************************
00257  * Standard Information Attribute
00258  */
00259     typedef struct {
00260         uint8_t crtime[8];      /* creation date */
00261         uint8_t mtime[8];       /* file altered */
00262         uint8_t ctime[8];       /* MFT Changed */
00263         uint8_t atime[8];       /* last access (read) */
00264         uint8_t dos[4];         /* permissions in DOS Format */
00265         uint8_t maxver[4];
00266         uint8_t ver[4];
00267         uint8_t class_id[4];
00268         uint8_t own_id[4];
00269         uint8_t sec_id[4];
00270         uint8_t quota[8];
00271         uint8_t usn[8];
00272     } ntfs_attr_si;
00273 
00274 
00275 /* DOS Flags values */
00276 #define NTFS_SI_RO              0x0001
00277 #define NTFS_SI_HID             0x0002
00278 #define NTFS_SI_SYS             0x0004
00279 #define NTFS_SI_ARCH    0x0020
00280 #define NTFS_SI_DEV             0x0040
00281 #define NTFS_SI_NORM    0x0080
00282 #define NTFS_SI_TEMP    0x0100
00283 #define NTFS_SI_SPAR    0x0200
00284 #define NTFS_SI_REP             0x0400
00285 #define NTFS_SI_COMP    0x0800
00286 #define NTFS_SI_OFF             0x1000
00287 #define NTFS_SI_NOIDX   0x2000
00288 #define NTFS_SI_ENC             0x4000
00289 
00290 
00291 
00292 /************************************************************************
00293  * Volume Info Attribute
00294  */
00295     typedef struct {
00296         uint8_t f1[8];
00297         uint8_t maj_ver;
00298         uint8_t min_ver;
00299         uint8_t flags[2];
00300         uint8_t f2[4];
00301     } ntfs_attr_vinfo;
00302 
00303 #define NTFS_VINFO_DIRTY        0x0001  // Dirty
00304 #define NTFS_VINFO_RESLOG       0x0002  // Resize LogFile
00305 #define NTFS_VINFO_UPGRAD       0x0004  // Upgrade on Mount
00306 #define NTFS_VINFO_MNTNT4       0x0008  // Mounted on NT4
00307 #define NTFS_VINFO_DELUSN       0x0010  // Delete USN Underway
00308 #define NTFS_VINFO_REPOBJ       0x0020  // Repair Object Ids
00309 #define NTFS_VINFO_MODCHK       0x8000  // Modified by chkdsk
00310 
00311 /* versions 
00312  * NT = Maj=1 Min=2
00313  * 2k = Maj=3 Min=0
00314  * xp = Maj=3 Min=1
00315  */
00316 
00317 #define NTFS_VINFO_NT           0x21
00318 #define NTFS_VINFO_2K           0x03
00319 #define NTFS_VINFO_XP           0x13
00320 
00321 
00322 
00323 
00324 /************************************************************************
00325  * attribute list 
00326  */
00327     typedef struct {
00328         uint8_t type[4];        // Attribute Type
00329         uint8_t len[2];         // length of entry
00330         uint8_t nlen;           // number of chars in name
00331         uint8_t f1;             // 7
00332         uint8_t start_vcn[8];   // starting VCN or NTFS_ATTRL_RES 
00333         uint8_t file_ref[6];    // file reference to new MFT entry
00334         uint8_t seq[2];         // 22
00335         uint8_t id[2];          // id (also in the attribute header)
00336         uint8_t name;           // 26  name in unicode
00337     } ntfs_attrlist;
00338 
00339 #define NTFS_ATTRL_RES  0
00340 
00341 
00342 
00343 
00344 /************************************************************************
00345  * runlist
00346  * 
00347  * Used to store the non-resident runs for an attribute.
00348  * It is located in the MFT and pointed to by the run_off in the header
00349  */
00350 
00351     typedef struct {
00352         /* lsb 4 bits: num of bytes in run length field
00353          * msb 4 bits: num of bytes in run offset field - (LCN)
00354          */
00355         uint8_t len;
00356         uint8_t buf[32];
00357     } ntfs_runlist;
00358 
00359 #define NTFS_RUNL_LENSZ(runl)   \
00360         (uint8_t)(runl->len & 0x0f)
00361 
00362 #define NTFS_RUNL_OFFSZ(runl)   \
00363         (uint8_t)((runl->len & 0xf0) >> 4)
00364 
00365 
00366 /************************************************************************
00367  * Index root for directories 
00368  * 
00369  * the attribute has two parts.  The header is general to all index entries
00370  * and applies to $IDX_ALLOC as well. The buffer part contains the
00371  * index entries that are allocated to $IDX_ROOT.
00372  *
00373  */
00374 
00375 /*
00376  * Starting at begin_off is a stream of ntfs_idxentry structures 
00377  */
00378     typedef struct {
00379         uint8_t begin_off[4];   /* offset to start of seq of idx entries */
00380         uint8_t seqend_off[4];  /* offset to end of seq of idx entries */
00381         uint8_t bufend_off[4];  /* offset to end of idx buffer */
00382         uint8_t flags[4];
00383     } ntfs_idxelist;
00384 
00385 /* value for flags */
00386 #define NTFS_IDXELIST_CHILD     0x1     /* children exist below this node */
00387 
00388 
00389 
00390 /* This is general index information and applies to $IDX_ALLOC as well */
00391     typedef struct {
00392         uint8_t type[4];        /* ATYPE that tree is sorted by */
00393         uint8_t collation_rule[4];
00394         uint8_t idxalloc_size_b[4];     /* index alloc size in bytes */
00395         uint8_t idx_size_c;     /* index alloc size in clusters */
00396         uint8_t pad[3];
00397         ntfs_idxelist list;
00398     } ntfs_idxroot;
00399 
00400 
00401 
00402 /************************************************************************
00403  * idxrec
00404  *
00405  * this is structure for the nodes of the B+ index trees
00406  * It contains a list of index entry data structures.  Each
00407  * buffer corresponds to one node.  The $IDX_ALLOC attribute
00408  * is an array of these data structures 
00409  */
00410 
00411 
00412     typedef struct {
00413         uint8_t magic[4];       /* INDX */
00414         uint8_t upd_off[2];
00415         uint8_t upd_cnt[2];     /* size + 1 */
00416         uint8_t lsn[8];         /*  $LogFile Sequence Number */
00417         uint8_t idx_vcn[8];     /* vcn in idx alloc attr */
00418         ntfs_idxelist list;
00419     } ntfs_idxrec;
00420 
00421 
00422 #define NTFS_IDXREC_MAGIC       0x58444e49      /* INDX */
00423 
00424 
00425 
00426 /************************************************************************
00427  * This structure exists for each file and directory in the tree */
00428     typedef struct {
00429         uint8_t file_ref[6];    /* file reference (invalid for last entry) */
00430         uint8_t seq_num[2];     /* file reference (invalid for last entry) */
00431         uint8_t idxlen[2];      /* length of the index entry */
00432         uint8_t strlen[2];      /* length of stream */
00433         uint8_t flags;
00434         uint8_t f1[3];
00435         uint8_t stream;         /* length of strlen - invalid for last entry */
00436         /* loc of subnode is found in last 8-bytes
00437          * of idx entry (idxlen - 8).  use macro 
00438          */
00439     } ntfs_idxentry;
00440 
00441 #define NTFS_IDX_SUB    0x01    /* Entry points to a sub-node */
00442 #define NTFS_IDX_LAST   0x02    /* last indx entry in the node */
00443 
00444 /* return the address of the subnode entry, it is located in the last
00445  * 8 bytes of the structure 
00446  */
00447 #define GET_IDXENTRY_SUB(fs, e) \
00448         (tsk_getu64(fs->endian, (int)e + tsk_getu16(fs->endian, e->idxlen) - 8))
00449 
00450 
00451 
00452 /************************************************************************
00453 */
00454 
00455     typedef struct {
00456         char label[128];        /* label in unicode */
00457         uint8_t type[4];
00458         uint8_t disp[4];        /* display rule */
00459         uint8_t coll[4];        /* collation rule */
00460         uint8_t flags[4];
00461         uint8_t minsize[8];     /* minimum size */
00462         uint8_t maxsize[8];     /* maximum size */
00463     } ntfs_attrdef;
00464 
00465 #define NTFS_ATTRDEF_FLAGS_IDX  0x02
00466 #define NTFS_ATTRDEF_FLAGS_RES  0x40    /* always resident */
00467 #define NTFS_ATTRDEF_FLAGS_NONRES       0x80    /* allowed to be non-resident */
00468 
00469 
00470 
00471 /************************************************************************
00472  * OBJECT_ID attribute
00473 */
00474 
00475     typedef struct {
00476         uint8_t objid1[8];      /* object id of file or directory */
00477         uint8_t objid2[8];
00478         uint8_t orig_volid1[8]; /* id of "birth" volume */
00479         uint8_t orig_volid2[8];
00480         uint8_t orig_objid1[8]; /* original object id */
00481         uint8_t orig_objid2[8];
00482         uint8_t orig_domid1[8]; /* id of "birth" domain */
00483         uint8_t orig_domid2[8];
00484     } ntfs_attr_objid;
00485 
00486 
00487 #if TSK_USE_SID
00488 
00489 /************************************************************************
00490  * Self-relative security descriptor
00491  */
00492 
00493     typedef struct {
00494         uint8_t revision;       /* Revision level of the security descriptor. */
00495         uint8_t pad;
00496         uint8_t control[2];     /* Flags qualifying the type of
00497                                    the descriptor as well as the following fields. */
00498 
00499         uint8_t owner[4];       /* Byte offset to a SID representing an object's
00500                                    owner. If this is NULL, no owner SID is present in
00501                                    the descriptor. */
00502 
00503         uint8_t group[4];       /* Byte offset to a SID representing an object's
00504                                    primary group. If this is NULL, no primary group
00505                                    SID is present in the descriptor. */
00506 
00507         uint8_t sacl[4];        /* Byte offset to a system ACL. Only valid, if
00508                                    SE_SACL_PRESENT is set in the control field. If
00509                                    SE_SACL_PRESENT is set but sacl is NULL, a NULL ACL
00510                                    is specified. */
00511 
00512         uint8_t dacl[4];        /* Byte offset to a discretionary ACL. Only valid, if
00513                                    SE_DACL_PRESENT is set in the control field. If
00514                                    SE_DACL_PRESENT is set but dacl is NULL, a NULL ACL
00515                                    (unconditionally granting access) is specified. */
00516 
00517     } ntfs_self_relative_security_descriptor;
00518 
00519 
00520 
00521 
00522 /************************************************************************
00523  * Structure used in Security Descriptor lookups
00524  */
00525     typedef struct {
00526         char *buffer;
00527         size_t size;
00528         size_t used;
00529     } NTFS_SXX_BUFFER;
00530 
00531 
00532 
00533 /************************************************************************
00534  * SID attribute
00535  */
00536 
00537     typedef struct {
00538         uint8_t revision;       /* Revision */
00539         uint8_t sub_auth_count; /* Sub Authority Count */
00540         uint8_t ident_auth[6];  /* NT Authority ::NOTE:: big endian number */
00541         uint32_t sub_auth[1];   /* At least one sub_auth */
00542     } ntfs_sid;
00543 
00544     void ntfs_print_sid(TSK_FS_INFO * fs, FILE * hFile);
00545 
00546     char *ntfs_get_sid_as_string(TSK_FS_INFO * fs, uint32_t security_id);
00547 
00548 
00549 
00550 #define NTFS_ACE_SIZE   16      /* Size in bytes of ACE information proceeding
00551 
00552                                    the SID.  Since we don't current require
00553 
00554                                    the ACE information, we will use this as an
00555 
00556                                    offset to get to the start of the SID */
00557 
00558     typedef struct NTFS_SID_ENTRY NTFS_SID_ENTRY;
00559 
00560     struct NTFS_SID_ENTRY {
00561         NTFS_SID_ENTRY *next;
00562         ntfs_sid *data;         /* ntfs_sid record */
00563         uint32_t sec_id;        /* Security ID */
00564         char *sid_str;          /* SID string representation */
00565     };
00566 
00567 
00568 
00569 /************************************************************************
00570  * SDS attribute
00571  */
00572 
00573     typedef struct {
00574         uint8_t hash_sec_desc[4];       /* Hash of Security Descriptor */
00575         uint8_t sec_id[4];      /* Security ID */
00576         uint8_t file_off[8];    /* Offset of this entry in this file */
00577         uint8_t ent_size[4];    /* Size of this entry */
00578         ntfs_self_relative_security_descriptor self_rel_sec_desc;       /* Self-relative Security Descriptor */
00579     } ntfs_attr_sds;
00580 
00581 
00582 #define NTFS_SDS_BLOCK_OFFSET   262144  /* Data offset within $SDS (1024x256) */
00583 
00584     typedef struct NTFS_SDS_ENTRY NTFS_SDS_ENTRY;
00585 
00586     struct NTFS_SDS_ENTRY {
00587         NTFS_SDS_ENTRY *next;
00588         uint32_t len;           /* Length of data */
00589         uint8_t *data;          /* Raw data */
00590     };
00591 
00592 
00593 
00594 /************************************************************************
00595  * SDH attribute
00596  */
00597 
00598 
00599     typedef struct {
00600         uint8_t data_off[2];    /* Offset to data */
00601         uint8_t size[2];        /* Size of data */
00602         uint8_t pad1[4];        /* Padding */
00603         uint8_t ent_size[2];    /* Size of Index Entry */
00604         uint8_t key_size[2];    /* Size of Index Key */
00605         uint8_t flags[2];       /* Flags */
00606         uint8_t pad2[2];        /* Padding */
00607         uint8_t key_hash_sec_desc[4];   /* Hash of Security Descriptor */
00608         uint8_t key_sec_id[4];  /* Security ID */
00609         uint8_t data_hash_sec_desc[4];  /* Hash of Security Descriptor */
00610         uint8_t data_sec_id[4]; /* Security ID */
00611         uint8_t sec_desc_off[8];        /* Offset to Security Descriptor (in $SDS) */
00612         uint8_t sec_desc_size[4];       /* Size of Security Descriptor (in $SDS) */
00613         uint8_t pad3[4];        /* Padding */
00614     } ntfs_attr_sdh;
00615 
00616     typedef struct NTFS_SDH_ENTRY NTFS_SDH_ENTRY;
00617 
00618     struct NTFS_SDH_ENTRY {
00619         NTFS_SDH_ENTRY *next;
00620         ntfs_attr_sdh *data;    /* ntfs_attr_sdh record */
00621     };
00622 
00623 
00624 
00625 /************************************************************************
00626  * SII attribute
00627  */
00628 
00629     typedef struct {
00630         uint8_t data_off[2];    /* Offset to data */
00631         uint8_t size[2];        /* Size of data */
00632         uint8_t pad1[4];        /* Padding */
00633         uint8_t ent_size[2];    /* Size of Index Entry */
00634         uint8_t key_size[2];    /* Size of Index Key */
00635         uint8_t flags[2];       /* Flags */
00636         uint8_t pad2[2];        /* Padding */
00637         uint8_t key_sec_id[4];  /* Security ID */
00638         uint8_t data_hash_sec_desc[4];  /* Hash of Security Descriptor */
00639         uint8_t data_sec_id[4]; /* Security ID */
00640         uint8_t sec_desc_off[8];        /* Offset to Security Descriptor (in $SDS) */
00641         uint8_t sec_desc_size[4];       /* Size of Security Descriptor (in $SDS) */
00642 
00643     } ntfs_attr_sii;
00644 
00645     typedef struct NTFS_SII_ENTRY NTFS_SII_ENTRY;
00646 
00647     struct NTFS_SII_ENTRY {
00648         NTFS_SII_ENTRY *next;
00649         ntfs_attr_sii *data;    /* ntfs_attr_sii record */
00650     };
00651 #endif
00652 
00653 /************************************************************************
00654 */
00655     typedef struct {
00656         TSK_FS_INFO fs_info;    /* super class */
00657         ntfs_sb *fs;
00658         uint8_t ver;            /* version of NTFS - uses the VINFO flag */
00659         TSK_FS_INODE *mft_inode;        /* contains the data for the mft entry for the mft */
00660         TSK_FS_DATA *mft_data;  /* Data run for MFT entry for MFT */
00661         ntfs_mft *mft;          /* cache for on-disk inode */
00662         INUM_T mnum;            /* number of above cached mft */
00663         uint32_t csize_b;       /* number of bytes in a cluster */
00664         uint16_t ssize_b;       /* number of bytes in a sector */
00665         uint32_t mft_rsize_b;   /* number of bytes per mft record */
00666         uint32_t idx_rsize_b;   /* number of bytes per idx record */
00667         DADDR_T root_mft_addr;  /* address of first mft entry */
00668 
00669         uint8_t loading_the_MFT;        /* set to 1 when initializing the setup */
00670 
00671         TSK_FS_DATA_RUN *bmap;  /* Run of bitmap for clusters (linked list) */
00672         TSK_DATA_BUF *bmap_buf; /* buffer to hold cached copy of bitmap */
00673         DADDR_T bmap_buf_off;   /* offset cluster in cached bitmap */
00674         ntfs_attrdef *attrdef;  // buffer of attrdef file contents
00675         SSIZE_T attrdef_len;    // length of addrdef buffer
00676 
00677 #if TSK_USE_SID
00678         NTFS_SDS_ENTRY *sds;    /* Data run of ntfs_attr_sds */
00679         //NTFS_SDH_ENTRY *sdh;  /* Data run of ntfs_attr_sdh */
00680         //NTFS_SII_ENTRY *sii;  /* Data run of ntfs_attr_sii */
00681         NTFS_SID_ENTRY *sid;    /* Data run of ntfs_sid */
00682 #endif
00683     } NTFS_INFO;
00684 
00685     extern uint8_t
00686         ntfs_data_walk(NTFS_INFO *, INUM_T, TSK_FS_DATA *, int,
00687         TSK_FS_FILE_WALK_CB, void *);
00688     extern uint8_t
00689         ntfs_dent_walk(TSK_FS_INFO *, INUM_T, TSK_FS_DENT_FLAG_ENUM,
00690         TSK_FS_DENT_TYPE_WALK_CB, void *);
00691     extern uint32_t nt2unixtime(uint64_t ntdate);
00692     extern uint8_t ntfs_attrname_lookup(TSK_FS_INFO *, uint16_t, char *,
00693         int);
00694 
00695 #ifdef __cplusplus
00696 }
00697 #endif
00698 #endif

Generated on Wed Nov 28 16:11:15 2007 for The Sleuth Kit (Incomplete) by  doxygen 1.5.1