Accessing NTFS Extended Attributes from Linux

JBrown
5 min read · Mar 2, 2019


Alternate Data Streams and crtime Timestamps

After reading through one of the challenges at hecfblog, related articles at 4n6ir.com and Matthew Bromily's posts about NTFS attributes, I began to wonder whether it would be possible to automate the extraction of object IDs, Alternate Data Streams (ADS) and other extended attributes from NTFS volumes mounted in Linux. The goal was to understand what Linux can expose and to provide a fast method for extracting extended NTFS attributes during a forensic examination. The following summarizes the steps I followed and includes the first resulting script, ads2tln.sh, which extracts Alternate Data Streams and their associated birth times (crtime).

Step 1: Mount NTFS Volume to make the extended attributes accessible
Using SANS SIFT, I mounted a sample E01 image file with ermount.sh from the siftgrab repository, which automates the volume mount process and displays the parameters passed to the "mount" command. ntfs-3g is a FUSE file system driver, selected with the type parameter (-t ntfs-3g, or -t ntfs, which on most distributions is a symlink to the ntfs-3g helper), and Alternate Data Streams are exposed through the mount option -o streams_interface=windows; the ntfs.streams.list attribute used below is only served with that option. FUSE and ntfs-3g are included in SIFT and most other Linux distributions, so it is unlikely you will need to install them yourself. The volume was also mounted read-only (-o ro) to prevent any changes to the file system.

Screenshot: ermount.sh output, including the resulting mount command

Limitations of “ls” and “stat” commands
Once the NTFS volume was mounted, only basic attributes were accessible using common commands ("stat", "ls -al") to enumerate file information. Unfortunately, even though the file I was trying to enumerate had extended attributes, they were not visible. One way to access extended file information in Linux is with a forensic application such as The Sleuth Kit or Plaso, driven from Perl or Python, which read the NTFS structures themselves rather than going through the mounted file system. Since I am familiar with both of these applications and was curious about other options, I decided to take another route.

Screenshot: stat output for the file on the mounted NTFS volume. stat shows only the basic inode fields and no extended attributes, and its Birth field is empty on this mount.

Getting Fattr
It turns out that once an NTFS volume is mounted with the ntfs-3g driver and the Windows streams interface option, extended attributes can be examined and changed with two shell commands, getfattr and setfattr (both from the attr package). These commands work with NTFS volumes mounted on Linux and macOS systems. Further information on these commands and on the NTFS extended attributes that ntfs-3g exposes is documented on the Tuxera website. Since most of my work involves forensics and I have no interest in changing anything, I focused only on the enumeration command, getfattr.

I was first introduced to getfattr when I was writing a gold paper for SANS and wanted to include Alternate Data Streams (ADS) in my output. The process was included in siftgrab and in an additional one-off script (ads2tln.sh) that can be run against mounted volumes. In this exercise I updated the script to display all ADS files in a given path and their associated birth time (crtime).

Step 2: Getting ADS
The command to list all ADS file on a mounted NTFS volume or path is:
getfattr -Rn ntfs.streams.list .

Here -R recurses into all subdirectories and -n ntfs.streams.list dumps that one attribute for every file, whether or not it has streams. Each file produces three lines: a "# file:" line with the file name, the ntfs.streams.list line (carrying a quoted value only when the file actually has streams; otherwise getfattr prints the bare attribute name) and a blank line.

Unformatted output from getfattr

As you can see, the output from getfattr leaves a little to be desired, but have no fear. All can be reconciled with the following one-liner, which removes the unneeded characters and produces a recursive listing of all Alternate Data Streams in the current path.

getfattr -Rn ntfs.streams.list . 2>/dev/null | grep -ab1 -h ntfs.streams.list= | grep -a : | \
sed 's/.*ntfs.streams.list\="/:/g' | while read d; do printf %s "$d" | sed 's/.*# file: /"\n"/g' | sed 's/"//g'; done

The first grep keeps only the lines whose attribute has a value (files with no ADS get a bare ntfs.streams.list line, without "="), plus one line of context on each side, which brings in the preceding "# file:" line; the second grep drops the blank context lines and the "--" group separators; the sed and the loop then join each file name to its stream name. Run from the root of the mounted NTFS volume, the command produces a path:stream listing of every file on the volume that carries an ADS.

Step 3: Listing Timestamps
As mentioned earlier, stat can be used to display the Modified, Accessed and Changed (MAC) file timestamps, but is not able to provide the file creation (birth) time on this mount. According to the Tuxera documentation, the following command extracts the crtime (birth time):

getfattr -h -e hex -n system.ntfs_times source-file | grep '=' | sed -e 's/^.*=\(0x................\).*$/\1/'

system.ntfs_times returns the four $STANDARD_INFORMATION timestamps (creation, data modification, MFT change, access) as four consecutive 8-byte values, so the sed keeps only the first 16 hex digits, the creation time. ntfs-3g also exposes the creation time on its own as system.ntfs_crtime (and system.ntfs_crtime_be).

To achieve a readable output I did the following:

  • Because system.ntfs_times returns the raw on-disk bytes in little-endian order, the hex string cannot be used as a number as printed. I therefore changed the attribute name from system.ntfs_times to system.ntfs_times_be, which returns the same values with the most significant byte first, so the hex can be read as an integer directly.
  • The result is a Windows FILETIME in hexadecimal: the number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
    0x01d021e7c08baf07
  • The shell can do the arithmetic itself, so the conversion from Windows FILETIME to Unix epoch is a single expression: divide by 10,000,000 to get seconds and subtract 11,644,473,600, the number of seconds between 1601-01-01 and 1970-01-01.
    $((0x01d021e7c08baf07/10000000-11644473600))
  • The result (1419693244) can then be converted to a readable format with the Linux date command or with awk.

Option 1: date -d
date -d @$((0x01d021e7c08baf07/10000000-11644473600))
Sat Dec 27 15:14:04 UTC 2014

(date prints in the local time zone; on a system not set to UTC, add -u to keep the output in UTC.)

OR

Option 2: awk (better)
echo $((0x01d021e7c08baf07/10000000-11644473600)) | awk '{$1=strftime("%Y-%m-%d %H:%M:%S",$1)}{print $0}'
2014-12-27 15:14:04

(strftime is a gawk extension and also uses the local time zone; passing 1 as its third argument, strftime("%Y-%m-%d %H:%M:%S",$1,1), forces UTC.)

Step 4: Putting it all together

Now that methods for extracting ADS and timestamps have been identified, it is just a matter of writing a script to attach the crtimes to the Alternate Data Streams. I also added some error checking and an option to output TLN, with a command line switch to select epoch or human-readable timestamps.

Run getfattr and create a temporary file listing of all files containing ADS
Run getfattr to find crtime, convert hex to timestamp, join strings and then send to stdout
Two script outputs. One using the -e switch and the other without
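The three steps above combined into one script, as an added example; this is not the author's ads2tln.sh or siftgrab code. It parses the getfattr output described in Step 2 into path:stream pairs, takes the creation time out of system.ntfs_times_be as in Step 3 (and shows the byte swap needed if the little-endian system.ntfs_times is used instead), converts the FILETIME to Unix epoch and writes TLN records (time|source|host|user|description). The sample getfattr outputs at the bottom are constructed, not captured from a real volume; the mount point /mnt/ntfs, the device /dev/sdb1, the host name LAB-PC, the file names and the source label NTFS-ADS are placeholders; and the parser assumes that when a file has several streams, getfattr shows the NUL separating their names as the \000 escape of its text encoding.

```shell
#!/bin/sh
# Added example (not ads2tln.sh): turn getfattr output from an ntfs-3g mount
# into TLN lines. Sample getfattr output below is constructed, not captured.

# Windows FILETIME (hex, most significant byte first, as returned by
# system.ntfs_times_be) -> Unix epoch seconds. FILETIME counts 100 ns ticks
# since 1601-01-01; 11644473600 s separate 1601-01-01 from 1970-01-01.
filetime_to_epoch() {
    hex=${1#0x}
    echo $(( 0x$hex / 10000000 - 11644473600 ))
}

# system.ntfs_times returns the on-disk little-endian bytes; reverse the
# byte order so filetime_to_epoch can be applied to that value as well.
le_to_be() {
    printf '%s\n' "${1#0x}" | awk '{
        out = ""
        for (i = length($0) - 1; i >= 1; i -= 2) out = out substr($0, i, 2)
        print out
    }'
}

# Keep the first 8 bytes (creation time) of the 32-byte system.ntfs_times_be
# value; reads `getfattr -h -e hex -n system.ntfs_times_be FILE` on stdin.
crtime_hex() {
    sed -n 's/^system\.ntfs_times_be=0x\([0-9a-fA-F]\{16\}\).*$/\1/p'
}

# Read `getfattr -Rn ntfs.streams.list .` on stdin, write "path:stream" lines.
# A file without ADS gets a bare "ntfs.streams.list" line (no "=") and is
# skipped. Assumption: several stream names are separated by \000.
streams_to_lines() {
    awk '
        /^# file: / { file = substr($0, 9); next }
        /^ntfs\.streams\.list="/ {
            val = substr($0, index($0, "=") + 2)   # drop name, = and opening quote
            sub(/"$/, "", val)                      # drop closing quote
            n = split(val, names, /\\000/)
            for (i = 1; i <= n; i++) if (names[i] != "") print file ":" names[i]
        }'
}

# One TLN record: time|source|host|user|description (user left empty).
tln_line() {
    printf '%s|NTFS-ADS|%s||%s:%s\n' "$1" "$2" "$3" "$4"
}

# Live use against a read-only ntfs-3g mount (placeholder paths), e.g.
#   mount -t ntfs-3g -o ro,streams_interface=windows /dev/sdb1 /mnt/ntfs
#   ads_to_tln /mnt/ntfs LAB-PC
ads_to_tln() {
    root=$1; host=$2
    ( cd "$root" && getfattr -Rn ntfs.streams.list . 2>/dev/null ) |
    streams_to_lines |
    while IFS=: read -r path stream; do
        hex=$(getfattr -h -e hex -n system.ntfs_times_be "$root/$path" 2>/dev/null | crtime_hex)
        [ -n "$hex" ] || continue
        tln_line "$(filetime_to_epoch "$hex")" "$host" "$path" "$stream"
    done
}

# Constructed sample of `getfattr -Rn ntfs.streams.list .` output: one file
# with one ADS, one with none, one with two.
sample_streams() {
    printf '# file: ./Users/j/Downloads/setup.exe\nntfs.streams.list="Zone.Identifier"\n\n'
    printf '# file: ./Users/j/notes.txt\nntfs.streams.list\n\n'
    printf '# file: ./Users/j/secret.txt\nntfs.streams.list="hidden.bin\\000Zone.Identifier"\n\n'
}

# Constructed sample of `getfattr -h -e hex -n system.ntfs_times_be` output
# (creation, modification, MFT change, access; all four identical here).
sample_times() {
    printf '# file: ./Users/j/Downloads/setup.exe\n'
    printf 'system.ntfs_times_be=0x01d021e7c08baf0701d021e7c08baf0701d021e7c08baf0701d021e7c08baf07\n'
}

# Demo on the constructed samples; no mounted volume needed.
sample_streams | streams_to_lines
tln_line "$(filetime_to_epoch "$(sample_times | crtime_hex)")" LAB-PC ./Users/j/Downloads/setup.exe Zone.Identifier
```

Only ads_to_tln touches a mounted volume: it walks the mount once with getfattr -R and then runs one getfattr per ADS file, so on a large volume the second pass dominates. The read-only mount and the streams_interface=windows option from Step 1 are what make ntfs.streams.list available to it.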

In addition to crtime, ntfs-3g provides access to the full MACB times as well as DOS names, NTFS ACLs, reparse data, file attributes, EFS information, EAs and object IDs. I will write a later post that walks through the extraction of object IDs and full MACB times.
