Skip to content

Fix collection of $Secure:$SII#280

Draft
respondersGY wants to merge 2 commits intofox-it:mainfrom
respondersGY:fix/ntfs_secure_sii
Draft

Fix collection of $Secure:$SII#280
respondersGY wants to merge 2 commits intofox-it:mainfrom
respondersGY:fix/ntfs_secure_sii

Conversation

@respondersGY
Copy link
Contributor

@respondersGY respondersGY commented Jan 8, 2026

No description provided.

@respondersGY
Copy link
Contributor Author

respondersGY commented Jan 9, 2026
edited
Loading

@Miauwkeru what is the correct way of doing this?

This is the output of a tar archive.

# The path of $Secure:$SII is incorrect
# -rw-r--r--  0 root   root   262144  1 Jan  1970 c:/$Secure:$SII
# -rw-r--r--  0 root   root 373293056 27 Aug 12:01 fs/C:/$MFT
# -rw-r--r--  0 root   root      8192 27 Aug 12:01 fs/C:/$Boot
# -rw-r--r--  0 root   root   2460372 27 Aug 12:01 fs/C:/$Secure:$SDS
# -rw-r--r--  0 root   root  67108864 27 Aug 12:01 fs/C:/$LogFile
# -rw-r--r--  0 root   root  41192056 27 Aug 12:03 fs/C:/$Extend/$Usnjrnl:$J
# -rw-r--r--  0 root   root        32 27 Aug 12:03 fs/C:/$Extend/$Usnjrnl:$Max
# -rw-r--r--  0 root   root   1048576 27 Aug 12:01 fs/C:/$Extend/$RmMetadata/$TxfLog/$Tops:$T
# -rw-r--r--  0 root   root      4096  1 Jan  1970 /$fs$/fs0/$Secure:$SII
# -rw-r--r--  0 root   root    262144 23 Dec 06:11 fs/$fs$/fs0/$MFT
# -rw-r--r--  0 root   root      8192 23 Dec 06:11 fs/$fs$/fs0/$Boot
# -rw-r--r--  0 root   root    263812 23 Dec 06:11 fs/$fs$/fs0/$Secure:$SDS
# -rw-r--r--  0 root   root   4620288 23 Dec 06:11 fs/$fs$/fs0/$LogFile
# -rw-r--r--  0 root   root   1048576 23 Dec 06:11 fs/$fs$/fs0/$Extend/$RmMetadata/$TxfLog/$Tops:$T

Miauwkeru
Miauwkeru reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

@Miauwkeru Miauwkeru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One additional question, is $Secure:$SII inside the $MFT file itself and not on disk? Because if it is on disk, the method of getting $Secure:$SII will fail for those fs where mountpoint is None. E.g. unmounted ntfs filesystems

acquire/acquire.py

sii_fh = fs.ntfs.mft.get("$Secure").index("$SII")._index_stream

collector.output.write(fsutil.join(main_mountpoint, "$Secure:$SII"), sii_fh)
Copy link
Contributor

@Miauwkeru Miauwkeru Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be better to use collector.write_bytes assuming the stream isn't that large. Otherwise, maybe add a collector.write that writes the file header to it. E.g. something like this:

class Collector:
    ...
    def write(self, destination_path: str, fh: BinaryIO) -> None:
        self.output.write(destination_path, fh)
        self.report.add_file_collected(self.bound_module_name, destination_path)

Then we can at least keep track that the file was collected. Besides that, the destination path would need to be joined with collector.base to be placed in /fs/ properly.

acquire/acquire.py
"$LogFile",
]

sii_fh = fs.ntfs.mft.get("$Secure").index("$SII")._index_stream
Copy link
Contributor

@Miauwkeru Miauwkeru Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of doing it like this, wouldn't the following work too?

sii_fh = fs.ntfs.mft.get("$Secure").open("$SII", attr_type=...)

Requires less knowledge about the internals of the internal ntfs structure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Miauwkeru Miauwkeru Miauwkeru left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@respondersGY @Miauwkeru