Accessing NTFS Extended Attributes from Linux Part 2

JBrown
6 min read · Mar 17, 2019

Using the “getfattr” command to extract NTFS MACB, ObjectID, EA and other attribute values

The previous post walked through the process of extracting Alternate Data Streams using ntfs-3g and the getfattr command as well as extracting birth times from mounted NTFS volumes in Linux. After an NTFS volume is mounted on a Linux system, basic file attribute information is available using the stat command:

As you can see above, the birth time for the file “Internet Explorer.lnk” is blank. Likewise, other file metadata may be present within the file but is not displayed. This information is referred to as NTFS extended attributes. One method for reading this file metadata is the command “getfattr”. Alternatively, NTFS file metadata can be accessed and changed using the command “setfattr”. Getfattr and setfattr access these attributes through the ntfs-3g driver, which is present on most Linux systems and is invoked using the mount command with the options “-t ntfs” and “streams_interface=windows” to open access to alternate data streams.

The Tuxera website provides information on how to use getfattr and setfattr to access basic and extended NTFS attributes. Because most of my work deals with forensic images and disks and there is no need to change anything, all examples will be made using “getfattr”.

The following is a list of the NTFS extended attributes that getfattr/setfattr can extract, with the parameter name used for each:

NTFS 3-g Extended Attributes

Getfattr Syntax
getfattr [-hRLP] -n name [-e en] pathname…
getfattr [-hRLP] -d [-e en] [-m pattern] pathname…

OPTIONS
-n name, --name=name
Dump the value of the named extended attribute.
-d, --dump
Dump the values of all extended attributes associated with pathname.
-e en, --encoding=en
Encode values after retrieving them. Valid values of en are “text”, “hex”, and “base64”. Values encoded as text strings are enclosed in double quotes ("), while strings encoded as hexadecimal and base64 are prefixed with 0x and 0s, respectively.
-h, --no-dereference
Do not dereference symlinks. Instead of the file a symlink refers to, the symlink itself is examined. Unless doing a logical (-L) traversal, do not traverse symlinks to directories.
-m pattern, --match=pattern
Only include attributes with names matching the regular expression pattern. The default value for pattern is “^user\.”, which includes all the attributes in the user namespace. Specify “-” to include all attributes. Refer to attr(5) for a more detailed discussion of namespaces.
--absolute-names
Do not strip leading slash characters (‘/’). The default behaviour is to strip leading slash characters.
--only-values
Dump out the extended attribute value(s) only.
-R, --recursive
List the attributes of all files and directories recursively.
-L, --logical
Logical walk, follow symbolic links to directories. The default behaviour is to follow symbolic link arguments unless --no-dereference is given, and to skip symbolic links encountered in subdirectories. Only effective in combination with -R.
-P, --physical
Physical walk, do not follow symbolic links to directories. This also skips symbolic link arguments. Only effective in combination with -R.
--version
Print the version of getfattr and exit.
--help
Print help explaining the command line options.

Getfattr/Setfattr Attribute Parameters
The following parameters can be used with getfattr to access specific attributes.

Output Analysis (making output readable)
Using getfattr/setfattr to interact directly with NTFS attributes is very powerful, yet the results are not always returned in a format that is easily decipherable. For instance, file timestamps are by default returned as a base64 string, and alternate data streams come out on multiple lines. Below are some examples using getfattr and methods for reformatting the output.

MACB Timestamps
By default the command “getfattr -n system.ntfs_times .” returns the file timestamps for the current path as a single base64 string. Since Linux is big endian, the parameter “system.ntfs_times_be” should be used. To convert the value, it must be returned in hexadecimal using the “-e hex” parameter; the result can then be passed to sed, which separates the string into four segments, one per timestamp.

getfattr -h -e hex -n system.ntfs_times_be Internet\ Explorer.lnk 2>/dev/null | grep "=" | awk -F'=' '{print $2}' | sed 's/.\{18\}/&,0x/;s/.\{37\}/&,0x/;s/.\{56\}/&,0x/'

The hexadecimal values returned can be converted to a readable timestamp in two steps. First, a calculation on the command line converts the hexadecimal timestamps from the Microsoft epoch to the Unix epoch.

Then convert Unix epoch time to a readable value using awk.

To simplify this example, instead of a one-liner, a small script was written to recursively extract all MACB timestamps for a given path.

Extracting all four MACB timestamps for every file on a volume can be automated with the following script, which can be downloaded here.
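As an added example that is not part of the original post, the following bash script performs the two conversion steps described above on the hex value getfattr returns, decoding all four timestamps in the order ntfs-3g documents (creation, data change, MFT change, access); it also accepts the little-endian system.ntfs_times form by byte-swapping each field. The sample value is constructed, not read from a real volume.

```bash
#!/bin/bash
# Decode the value that "getfattr -e hex -n system.ntfs_times_be FILE" prints into
# Unix epoch seconds. The value is four 64-bit FILETIMEs (100-ns ticks since
# 1601-01-01) in the order creation, data change, MFT change, access. Assumes bash
# (64-bit arithmetic) and the field order documented by ntfs-3g; the sample value
# at the bottom is constructed, not read from a real volume.

# 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
FILETIME_UNIX_OFFSET=116444736000000000

# filetime_to_epoch HEX16 -> Unix epoch seconds (sub-second part discarded)
filetime_to_epoch() {
    local ticks=$(( 0x$1 ))
    echo $(( (ticks - FILETIME_UNIX_OFFSET) / 10000000 ))
}

# swap64 HEX16 -> the same 8 bytes in reverse order. Needed when the value came from
# system.ntfs_times, whose fields are little-endian, instead of system.ntfs_times_be.
swap64() {
    local hex=$1 out="" i
    for i in 14 12 10 8 6 4 2 0; do
        out="$out${hex:$i:2}"
    done
    echo "$out"
}

# ntfs_times_to_epochs VALUE [le] -> "creation modification mft_change access" (epoch seconds)
# VALUE is the getfattr output with or without its "0x" prefix; pass "le" for system.ntfs_times.
ntfs_times_to_epochs() {
    local hex=${1#0x} endian=${2:-be} i field out=""
    [ ${#hex} -eq 64 ] || { echo "expected 64 hex digits, got ${#hex}" >&2; return 1; }
    for i in 0 16 32 48; do
        field=${hex:$i:16}
        if [ "$endian" = le ]; then field=$(swap64 "$field"); fi
        out="$out $(filetime_to_epoch "$field")"
    done
    echo "${out# }"
}

# Constructed sample: what "getfattr -e hex -n system.ntfs_times_be FILE | awk -F'=' '{print $2}'"
# would print for a file created 2019-03-17 00:00:00 UTC, accessed one second later
# and modified an hour later.
SAMPLE_BE=0x01d4dc545d39800001d4dc5cbefde80001d4dc5cbefde80001d4dc545dd21680
ntfs_times_to_epochs "$SAMPLE_BE"    # prints: 1552780800 1552784400 1552784400 1552780801

# Render with GNU date where available (the article does this step with awk).
if date -u -d @0 >/dev/null 2>&1; then
    for t in $(ntfs_times_to_epochs "$SAMPLE_BE"); do date -u -d "@$t" '+%F %T UTC'; done
fi
```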

ObjectIDs
An NTFS ObjectID can be defined as: “A volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers.” Object IDs carry the following GUID values: “Birth Volume Id, a Birth Object Id and a Domain Id”. Getfattr returns ObjectID values in base64 by default as a single string. Using the “-e hex” parameter, the output can be converted to a hexadecimal GUID.

Command:
getfattr -h -e hex -n system.ntfs_object_id Users/Ray/AppData/Roaming/Microsoft/Windows/Start\ Menu/Programs/Internet\ Explorer.lnk
Result:
id=0x3190f3e64a78e4119e2a00242cbbf0574026e2cf968d10408629ee8d0e148b4b3190f3e64a78e4119e2a00242cbbf05700000000000000000000000000000000

The results can then be validated by mounting the E01 image using Arsenal Image Mounter in Windows and running Fsutil.exe against the same file to ensure the result order and output are the same.

The results returned from Fsutil match the 32-bit values in the order:

ObjectID, Birth Volume, Birth Object, Domain ID

Then it is simply a matter of removing the unneeded string “system.ntfs_object_id=0x” and piping the results into sed to reformat the data.

getfattr -h -e hex -n system.ntfs_object_id Explorer.lnk | sed 's/system.ntfs_object_id=0x//' | sed 's/.\{32\}/&,/;s/.\{65\}/&,/;s/.\{98\}/&,/'

To make the output resemble that of Fsutil.exe, you could modify the command as below:
getfattr -h -e hex -n system.ntfs_object_id Explorer.lnk | grep system.ntfs_object_id=0x | sed 's/system.ntfs_object_id=0x//' | sed 's/.\{32\}/&,/;s/.\{65\}/&,/;s/.\{98\}/&,/' | awk -F',' '{print "Object_ID:\t"$1"\nBirth_Volume:\t"$2"\nBirth_Object:\t"$3"\nDomainID:\t"$4"\n"}'
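As an added example that is not from the original post, the following bash script performs the same split as the sed command above and additionally renders each 16-byte field as a braced GUID. The little-endian byte order of the first three GUID components is my assumption about the GUID layout, not something the post states; the input is the value the post shows for Internet Explorer.lnk.

```bash
#!/bin/bash
# Split the value "getfattr -e hex -n system.ntfs_object_id FILE" prints into the four
# 16-byte fields named in the article (ObjectID, Birth Volume, Birth Object, Domain ID)
# and additionally render each in the usual {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} GUID
# form. That the first three GUID components are stored little-endian and the last
# eight bytes as-is is an assumption about GUID layout; the article only splits the hex.

# guid_from_hex HEX32 -> braced GUID string
guid_from_hex() {
    local h=$1
    # Data1 (4 bytes), Data2 and Data3 (2 bytes each) are little-endian: reverse their bytes
    local d1="${h:6:2}${h:4:2}${h:2:2}${h:0:2}"
    local d2="${h:10:2}${h:8:2}"
    local d3="${h:14:2}${h:12:2}"
    echo "{$d1-$d2-$d3-${h:16:4}-${h:20:12}}"
}

# object_id_fields VALUE -> four lines "Name<TAB>raw_hex<TAB>{GUID}"; VALUE may be the whole
# "system.ntfs_object_id=0x..." line getfattr prints or just the hex value
object_id_fields() {
    local hex=${1#system.ntfs_object_id=}
    hex=${hex#0x}
    [ ${#hex} -eq 128 ] || { echo "expected 128 hex digits, got ${#hex}" >&2; return 1; }
    local name i=0 raw
    for name in Object_ID Birth_Volume Birth_Object Domain_ID; do
        raw=${hex:$i:32}
        printf '%s\t%s\t%s\n' "$name" "$raw" "$(guid_from_hex "$raw")"
        i=$((i + 32))
    done
}

# The value the article shows for Internet Explorer.lnk:
SAMPLE='system.ntfs_object_id=0x3190f3e64a78e4119e2a00242cbbf0574026e2cf968d10408629ee8d0e148b4b3190f3e64a78e4119e2a00242cbbf05700000000000000000000000000000000'
object_id_fields "$SAMPLE"
# first line printed (tab-separated):
# Object_ID  3190f3e64a78e4119e2a00242cbbf057  {e6f39031-784a-11e4-9e2a-00242cbbf057}
```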

A script has been written that can extract all objectIDs and associated MACB times from any given NTFS volume path. You can download the script here.

objidinfo.sh

EA (Extended Attribute)
The EA field is similar to ADS but was seldom used until later versions of Windows. Some malware has been known to store malicious code in the EA. Listing all EA contents for an entire drive can be accomplished with the command:

getfattr -Rh -e hex -n system.ntfs_ea . 2>/dev/null | awk -F'=' '{print $2}' | xxd -r -p | xxd

The parameter “2>/dev/null” is used to suppress the error “No such attribute”.
Because EA data is unstructured, the results can be piped to a hexdump using xxd. The EA data below relates to the client-side file cache of offline files.

Hexdump of an NTFS EA

Summary
These examples demonstrate how to access NTFS attributes through the ntfs-3g driver using the getfattr command. There are many other possibilities for using getfattr/setfattr and the Tuxera tools to access NTFS attributes through Tuxera’s ntfs-3g driver. Additional information is available on the Tuxera website, in Microsoft documentation, and in other sources and tools.
