Jump to content











Photo
- - - - -

Extents

file copy in use

  • Please log in to reply
104 replies to this topic

#26 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 23 March 2019 - 11:38 PM

Looking at your previous wishlist :

 

1) checks if it is contiguous (only one extent), and only if this is the case outputs the file:

    Not the case for now - will output details in all cases (i.e contiguous or not)
2) LBA Start (in decimal, sectors)

   Done
3) LBA Length (in decimal, sectors)

    Done (for each extent)
4) Number of (contiguous) clusters used (decimal)

    Done

5) Size of the cluster (in decimal, sectors)

    Done : you have the volume cluster size, sector size and sectors per cluster (this later you call size of the     cluster in sectors)
6) Size of the file (in decimal, bytes) from the filesystem

    Done



#27 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 02:17 PM

Very good :) , I 'll test and report.

 

About the "hidden", I understand how some people (including some clueless peps  from MS) may use that, but it still doesn't make any sense, because they are not at all "hidden" (and whether they are actually "allocated" or not has nothing to do with the MBR or the relative partition entry) while they are definitely "before" (or an offset to the partition start, as you say).

 

As well I stand by having (on a separate line) "File size on disk" (because that is accurate and actually what is shown in Windows Explorer when chosing File->Properties):

 

If you could actually make it so that the download file here:

http://reboot.pro/fi...le/316-extents/

 is the new one (and not the old one) this could help for the testing. :whistling:

 

:duff:

Wonko



#28 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 02:23 PM

 

If you could actually make it so that the download file here:

http://reboot.pro/fi...le/316-extents/

 is the new one (and not the old one) this could help for the testing. :whistling:

 

:duff:

Wonko

 

Normally the reboot.pro download link points to http://erwan.labalec...her/extents.zip

I suspect reboot.pro to "cache" one way or the other.

I always and only update the zip file on my web site so that I dont have to update other forums/web sites download links.

Use http://erwan.labalec...her/extents.zipfor now until I see what's wrong with reboot.pro download/upload section.



#29 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 02:33 PM

Normally the reboot.pro download link points to http://erwan.labalec...her/extents.zip
I suspect reboot.pro to "cache" one way or the other.
I always and only update the zip file on my web site so that I dont have to update other forums/web sites download links.
Use http://erwan.labalec...her/extents.zipfor now until I see what's wrong with reboot.pro download/upload section.

Nahh, the issue is on your site:

Da: http://erwan.labalec...her/extents.zip
A: C:\Downloaded\grub4dos-0.4.6\extents.zip
Dimensione: 589 KB (602.785 byte)
Trasferiti: 298 KB (304.964 byte)

 
The resulting file (which has obviously an exclamation mark  in Opera "Transfers" as it is to all effects a "partial download") is actually a "valid" .zip file, containing:
extents.exe 569886 2014-03-15 16:03
and the
src.zip 17967 2015-12-04 21:17
 
And this is yet another reason why it would have made much more sense to use version number in the archive filenames. :frusty:
 
:duff:
Wonko

#30 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 02:37 PM

Indeed, version files would avoid these issues.

Still I am highly frustrated with these obscure "caching" mechanism either with the browser(s) or with some forums.  :frusty: 

File is fresh new on my ftp and this is the zip file you should get, from march 24th.

Zip no longer contains the source code since I now share it via github (in my signature).

RJFmYEB.png

 

 

EDIT.

 

I have refreshed the download page for extents.

 

 6zBFeCl.png



#31 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 02:48 PM

Ok, now the right file is downloaded :).

BUT:

C:\appoggio\Alcor>extents-win32.exe
extents 1.0 by erwan2212@gmail.com
extents filename
extents source destination

C:\appoggio\Alcor>extents-win32.exe LoadDriver.exe
extents 1.0 by erwan2212@gmail.com
Division by zero
***************************
Bytes Per Sector:0
Sectors per Cluster:4241771
Cluster size :0

no clusters found...

C:\appoggio\Alcor>myfragmenter -i LoadDriver.exe
MyFragmenter v1.2, 2008 J.C. Kessels

Commandline argument '-i' accepted.

Processing: LoadDriver.exe
Fragment list:
Extent 1: Lcn=32014747, Vcn=0, NextVcn=5
5 clusters, 1 fragments.

Finished, 1 files processed.


:dubbio:

:duff:
Wonko

#32 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 02:54 PM

This is what I call the developper syndrom : it always work on the developper computer :)

 

Try again in admin shell (i.e run cmd as admin, etc).

 

I should probably make it so that exe runs as an elevated process.



#33 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 02:56 PM

ah yes : do provide a full path please :)

as I use the 3 first characters to derive the volume letter...

 

extents c:\whatever\LoadDriver.exe

 

updated command line help accordingly.

extents 1.0 by erwan2212@gmail.com
extents path_to_filename
extents path_to_source path_to_destination


#34 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 02:57 PM

This is what I call the developper syndrom : it always work on the developper computer :)

 

Try again in admin shell (i.e run cmd as admin, etc).

 

I should probably make it so that exe runs as an elevated process.

Look, I am running XP (and SP2 while at it), the computer is mine, I own it, and I am the supreme ruler on it.

I am Admin, no UAC in the way.

 

:duff:

Wonko



#35 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:00 PM

Look, I am running XP (and SP2 while at it), the computer is mine, I own it, and I am the supreme ruler on it.

I am Admin, no UAC in the way.

 

:duff:

Wonko

 

And I am sure will not take this XP SP2 computer away from you ;)

See previous post : provide the full path to the filename - I know I know, yes i could get the current directory, etc.



#36 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 03:03 PM

Yep. :)

@ECHO OFF
SETLOCAL ENABLEEXTENSIONS

ECHO extents-win32.exe "%~dpnx1"

extents-win32.exe "%~dpnx1"

;)

 

 

 

C:\appoggio\Alcor>runextents.cmd Loaddriver.exe
extents-win32.exe "C:\appoggio\Alcor\LoadDriver.exe"
extents 1.0 by erwan2212@gmail.com
***************************
Bytes Per Sector:512
Sectors per Cluster:8
Cluster size :4096
Filesystem :NTFS
***************************
Filename:C:\appoggio\Alcor\LoadDriver.exe
File Cluster count :5 (20480 bytes)
File size in bytes :20480
File cluster first :32014747
Extents count :1

extents_[0] - VCN : 0 LCN : 32014747 Lba : 256118039 Sectors : 40

 

:duff:

Wonko



#37 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:09 PM

Nice, you worked out the current directory with you command line powers :)

And the tool actually "works" at second attemp : not so bad !

 

Latest version is more explicit if the file cannot be found.



#38 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 03:19 PM

Latest version is more explicit if the file cannot be found.

 

I thought that the English were the ones that made understatements.

 

Verbose version:

Since the program cannot do what any other program normally do (i.e. get the full path of a file in the same directory) a full path (that in new Windows versions used by new Windows users will likely include one or more space, necessitating for the filename incuding the full path to be enclosed in double quotes) is required for the target . Now it tells you that.

 

:duff:

Wonko



#39 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:25 PM

I thought that the English were the ones that made understatements.

 

Verbose version:

Since the program cannot do what any other program normally do (i.e. get the full path of a file in the same directory) a full path (that in new Windows versions used by new Windows users will likely include one or more space, necessitating for the filename incuding the full path to be enclosed in double quotes) is required for the target . Now it tells you that.

 

:duff:

Wonko

 

Hold your fire :)

The next version will shortly support the lack of full path.



#40 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 03:25 PM

And now (ONLY to show how much a bastard I can be ;)):

 

 

C:\appoggio\Alcor>extents-win32 \\?\Volume{83092730-6bfc-11df-b90c-806d6172696f}
\Appoggio\Alcor\loaddriver.exe
extents 1.0 by erwan2212@gmail.com
Division by zero
***************************
Bytes Per Sector:0
Sectors per Cluster:4241771
Cluster size :0

no clusters found...

C:\appoggio\Alcor>myfragmenter -i \\?\Volume{83092730-6bfc-11df-b90c-806d6172696
f}\Appoggio\Alcor\loaddriver.exe
MyFragmenter v1.2, 2008 J.C. Kessels

Commandline argument '-i' accepted.

Processing: \\?\Volume{83092730-6bfc-11df-b90c-806d6172696f}\Appoggio\Alcor\load
driver.exe
Fragment list:
Extent 1: Lcn=32014747, Vcn=0, NextVcn=5
5 clusters, 1 fragments.

:whistling:

 

:duff:

Wonko



#41 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:29 PM

By popular demand, the last version now supports the lack of full path.

i.e extents-win32.exe LoadDriver.exe will work with LoadDriver.exe in the same directory as extents-win32.exe.

 

About spaces in the path, the software does not care or rather is ok with.

IMHO, this is something the user/call must adress when using dos/console programs.



#42 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:31 PM

And now (ONLY to show how much a bastard I can be ;)):

:whistling:

...

 

I can only agree :)

 

Let me look into this one particular scenario.

Is that really a must have? Why would one use this way to adress a file?



#43 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 03:55 PM

Let me look into this one particular scenario.
Is that really a must have? Why would one use this way to adress a file?

Naah, noone knows, let alone actually type, the volume id, it is not a problem at all.
 
Don't worry :).
 
Tested, seemingly fine:

 

 

C:\appoggio\Alcor>extents-win32.exe LoadDriver.exe
extents 1.0 by erwan2212@gmail.com
***************************
Bytes Per Sector:512
Sectors per Cluster:8
Cluster size :4096
Filesystem :NTFS
***************************
Filename:C:\appoggio\Alcor\LoadDriver.exe
File Cluster count :5 (20480 bytes)
File size in bytes :20480
File cluster first :32014747
Extents count :1

extents_[0] - VCN : 0 LCN : 32014747 Lba : 256118039 Sectors : 40

:thumbsup: 
 
:duff:
Wonko



#44 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 04:24 PM

Naah, noone knows, let alone actually type, the volume id, it is not a problem at all.
 
Don't worry :).
 
 

 

 

Was a question of honour :)

Last version support volume paths !

extents-win32.exe \\?\Volume{e26e7b16-122a-11e7-82bf-806e6f6e6963}\bootmgr
extents 1.0 by erwan2212@gmail.com
***************************
Bytes Per Sector:512
Sectors per Cluster:8
Cluster size :4096
Filesystem :NTFS
***************************
Filename:C:\bootmgr
File Cluster count :98 (401408 bytes)
File size in bytes :398356
File cluster first :3995359
Extents count :1

extents_[0] -  VCN : 0 LCN : 3995359 Lba : 32681720 Sectors : 784


#45 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 March 2019 - 01:08 PM

Good :).

Some example batch parsing of the output:

@ECHO OFF
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
FOR /F "tokens=1,2,3,4,5,6 delims=:-" %%A IN ('extents-win32.exe "%~dpnx1"') DO (
SET ThisToken1=%%A
SET ThisToken1=!ThisToken1: =_!
SET my!ThisToken1!=%%B
IF !ThisToken1!==extents_[0]_ CALL :get_LBA Start_LBA %%E&&CALL :get_LBA Length_LBA %%F
)
SET myFilename="%~dpnx1"

FOR /F "tokens=2,3 delims=()= " %%A IN ('SET myFile_Cluster_count_') DO (
SET /A myFile_Cluster_count_=%%A
SET /A myFile_size_on_disk_=%%B
)

IF %myExtents_count_%==1 (
ECHO File is contiguous
) ELSE (
ECHO File is NOT contiguous
ECHO A suffusion of yellow ...
GOTO :EOF
)
REM SET my
ECHO LBA Blocklist of file: %myFilename%
ECHO %myStart_LBA%+%myLength_LBA%

GOTO :EOF

:get_LBA
SET my%1=%2
GOTO :EOF

Results:

C:\appoggio\Alcor>extents-win32.exe LoadDriver.exe
extents 1.0 by erwan2212@gmail.com
***************************
Bytes Per Sector:512
Sectors per Cluster:8
Cluster size :4096
Filesystem :NTFS
***************************
Filename:C:\appoggio\Alcor\LoadDriver.exe
File Cluster count :5 (20480 bytes)
File size in bytes :20480
File cluster first :32014747
Extents count :1

extents_[0] -  VCN : 0 LCN : 32014747 Lba : 256118039 Sectors : 40

C:\appoggio\Alcor>getextents.cmd LoadDriver.exe
File is contiguous
LBA Blocklist of file: "C:\appoggio\Alcor\LoadDriver.exe"
256118039+40

:duff:

Wonko


  • devdevadev likes this

#46 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 03 April 2019 - 11:43 AM

version 1.1 released based on 2 bugs reported by Steve6375.

 

-LBA was always 0 if run as non admin.

-File >4GB were not handled properly



#47 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 03 April 2019 - 01:43 PM

version 1.1 released based on 2 bugs reported by Steve6375.
 
-LBA was always 0 if run as non admin.
-File >4GB were not handled properly

Good.  :thumbsup:
 
Time to consider files embedded in the $MFT entry on NTFS? :dubbio:
 
Basically a file up to around 744 (depending on its name) and up to around 3776 bytes, respectively for 1KB and 4KB $MFT entry sizes is "resident in the $MFT":
https://www.forensic...wtopic/t=10403/
 
It is correct that the output says that no clusters are found :), but maybe it should detect the case and say something *like* "$MFT resident data, $MFT entry #x" or similar:
 




C:\appoggio\Alcor>ECHO Pippo>myMFTembed.txt

C:\appoggio\Alcor>dir myMFTembed.txt
 Il volume nell'unità C è Disco locale
 Numero di serie del volume: C08C-CFD9

 Directory di C:\appoggio\Alcor

03/04/2019  15.13                 7 myMFTembed.txt
               1 File              7 byte
               0 Directory  130.989.625.344 byte disponibili

C:\appoggio\Alcor>extents-win32.exe myMFTembed.txt
extents 1.1 by erwan2212@gmail.com
***************************
Bytes Per Sector:512
Sectors per Cluster:8
Cluster size :4096

no clusters found...

C:\appoggio\Alcor>myfragmenter -i myMFTembed.txt
MyFragmenter v1.2, 2008 J.C. Kessels

Commandline argument '-i' accepted.

Processing: myMFTembed.txt
Fragment list:
  0 clusters, 1 fragments.

Finished, 1 files processed.

Example of grub4dos command blocklist (same file, another volume):
blocklist /myMFTembed.txt
(hd0,0)171493[288-295]
and surely enough, on LBA 171493 on that disk volume there is a $MFT entry that contains, starting at offset 288 the 7 bytes "pippo[CR+LF]".

:duff:
Wonko



#48 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 03 April 2019 - 03:57 PM

Good.  :thumbsup:
 
Time to consider files embedded in the $MFT entry on NTFS? :dubbio:
 
Basically a file up to around 744 (depending on its name) and up to around 3776 bytes, respectively for 1KB and 4KB $MFT entry sizes is "resident in the $MFT":
https://www.forensic...wtopic/t=10403/
 
It is correct that the output says that no clusters are found :), but maybe it should detect the case and say something *like* "$MFT resident data, $MFT entry #x" or similar:

 

....

 

 

Yep I see what you mean.

I have always been inconfortable with knowing that my 1kb text file containing some passwords is actually stored in MFT.

Deleting the file AND cleaning the volume (i.e zeroing free clusters) wont protect you from smart forensic people :)

 

Now I remember us having a similar discussion on this forum and back then I had started to develop some tools in my corner.

I can see if i can revive some sourcode and possibly add it to extents-winxx.

 

But, wait for it... is not this some form of featuritis

Or is the forensic field an exception to featuritis ? ;)



#49 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 03 April 2019 - 06:38 PM

But, wait for it... is not this some form of featuritis
Or is the forensic field an exception to featuritis ? ;)

Not at all, featuritis is another thing.

I dream about having n vertical tools that are excellent in providing exactly what is expected by them.

 

Clonedisk (that if I recall correctly made me start the featuritis conversation with you at the time) should (in my perverted mind of course) clone disks (and of course make images of them and of volumes, etc.), the more possibilities you add to the tool related to copying/backing up/etc. , i.e. strictly related to the "institutional scopes" of the tool are all good and fine, they represent sorts of corollaries to the tool.

 

The moment you add something that goes outside these (of course unwritten) "institutional scopes" of the tool, that is featuritis, which as said is not in itself a bad thing, only it usually tends to complicate, sometimes beyond recovery, the usability of the tool, or its UI or both.

 

To give you an example for clonedisk (where the toggling of "advanced" menu   :thumbsup: greatly mitigates the overload :)):

Can it make a sparse image?

No, still that would be something that is part of what one would want when imaging a disk or volume, it would be both a corollary and a feature.

 

Can it make a number of (BTW useful, but in very specific use cases only) Registry edits?

Yes, and that is (a mild form of) featuritis. [1]

 

Back to here (extents) is the scope of the tool provide the exact location of a file as LBA on the Physicaldrive (no matter on which filesystem and no matter if occupying a cluster or not)?

If yes, then having it work for $MFT embedded files on NTFS is a plus (corollary), as well as having it work on FAT12/16/32 (and exFAT).

And no, you cannot even get away with renaming it to - say - NTFSextents, as it doesn't find the extents for perfectly valid files on a NTFS filesystem. :whistling:

 

:duff:

Wonko

 

[1] now, be honest, if you were not already extremely familiar with the offreg.dll, and had you not the source code of clonedisk handy, would you have actually thought of adding those registry editing capabilities to clonedisk? 

 

Or would you have written a separate tool, to be used only in a PE environment or however offline from a booted "second instance" of the OS, calling it -  let's say - "PERegMod" or "Offline_Reg_Mod"



#50 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 03 April 2019 - 07:14 PM

I digged up some old code around MFT parsing I had and quickly for now polished it.

It is shared here.

The github contains a zip with a binary which can be tested.

It may lead to something (or not...) and eventually be merged with extents.exe.

 

Pippo is a small text file (a few hundreds bytes) stored in the MFT.

I got as far as retrieve the file record address on the logical disk (C0009C00 in my case).

Now what would be the next step ? convert this logical disk offset into LBA? 

>mft-win32.exe g: pippo
This is a NTFS disk.
Bytes Per Sector : 512
Sectors Per Cluster : 8
Bytes Per Cluster : 4096
Size : 274877840896 bytes
Bytes Per File Record : 1024
MFT Location : $C0000000
MFT Data Read : 1024 Bytes
MFT Data FixedUp
MFT Size : 63 Clusters
MFT Size : 258048 bytes
Number of Records : 252
No tree structure requested.
Scanning for files, Please wait...
pippo.txt,g:\,8,03/04/2019 20:43:23,03/04/2019 20:43:23,C0009C00
All File Records Analyzed (252) - Found





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users