Difference between revisions of "Metadata Address"
Revision comparison (4 intermediate revisions by 2 users not shown). Edit summaries: "Added more details about the NTFS formats."; Apriestman (→Overview).
Latest revision as of 08:10, 14 January 2014
Overview
Metadata Address is the generic term TSK uses for the addresses of the file system-specific data structures that store file metadata. Each file system has a different name for the structure(s) that store the metadata, including:
- FAT/exFAT: Directory entry
- NTFS: MFT Entry
- UFS: Inode
- ExtX: Inode
- HFS: Catalog record
- YAFFS2: Header chunk
The metadata address can be used in TSK to specify the files to analyze.
Format
In general, each metadata structure is given a single numerical address. Some file systems, such as FAT, do not assign the structures an address, so TSK assigns one itself (see FAT Implementation Notes).
Some file systems, such as NTFS and HFS, allow a file to have multiple notions of content. NTFS files can have multiple $Data attributes and each is basically an independent file. To allow the user to access each attribute, special metadata addresses are used. These addresses take the form of ADDR-TYPE or ADDR-TYPE-ID. ADDR is the metadata address, TYPE is the attribute type, and ID is the attribute id.
The TYPE number specifies the type of data being stored in the attribute (such as file content, directory contents, or file metadata). These numbers are file system-specific. The ID number allows you to differentiate between different instances of the same attribute type. Each attribute in a file will have a unique ID value. Note that some NTFS files have attributes that span multiple MFT entries. In that case, NTFS does not guarantee that each attribute ID will be unique, because NTFS guarantees only that an ID is unique within a single MFT entry. TSK therefore overrides those ID values and assigns new ones so that each attribute is unique.
As an example, here is the output of the fls command on an NTFS image:
    # fls -f ntfs ntfs.dd
    <...>
    r/r 48-128-1: test-1.txt
    r/r 49-128-1: multiple.txt
    r/r 49-128-5: multiple.txt:NEW
    r/r 50-128-1: test-2.txt
    <...>
There are three files (with addresses 48, 49, and 50). The type value 128 in an NTFS file system is the $Data attribute. The file at address 49 has two $Data attributes (one is the default and the other is named ":NEW"). You can see that each of them has a unique ID value (1 and 5). Refer to the NTFS Implementation Notes for more examples.
In general, if you want TSK to choose the default data attribute (or if the file system does not support the notion of attributes), give TSK only the metadata address. If you want to specify an attribute and you know there is only one of them, use ADDR-TYPE. If there are multiple attributes of the same type, then also specify an ID. Typically, the istat output will show which attributes are defined for a file.
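The following is an added example, not code from TSK or the wiki page: it parses the ADDR, ADDR-TYPE and ADDR-TYPE-ID forms described above, reads fls output lines like the ones quoted on this page, and reports NTFS files that carry more than one $Data (type 128) attribute, which is how an examiner would spot alternate data streams to look at with istat or icat. The fls line layout assumed here (flags, an optional "* " for deleted entries, the metadata address, a colon and the name) and the sample output are constructed from the page's own listing.

```python
import re
from collections import defaultdict

# NTFS attribute type number for $Data, as stated on this page (type numbers
# are file system-specific, so this constant only applies to NTFS images).
NTFS_DATA_TYPE = 128

# Matches "ADDR", "ADDR-TYPE" or "ADDR-TYPE-ID" (all decimal).
ADDR_RE = re.compile(r"^(\d+)(?:-(\d+)(?:-(\d+))?)?$")

def parse_meta_addr(text):
    """Split a TSK metadata address into (addr, type, id); absent parts are None."""
    m = ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a TSK metadata address: {text!r}")
    addr, attr_type, attr_id = m.groups()
    return (int(addr),
            int(attr_type) if attr_type is not None else None,
            int(attr_id) if attr_id is not None else None)

# Assumed fls line layout: "<dir>/<meta> [* ]ADDR[-TYPE[-ID]]: name"
FLS_RE = re.compile(r"^(\S+/\S+)\s+(\*\s+)?(\d+(?:-\d+(?:-\d+)?)?):\s+(.*)$")

def parse_fls_line(line):
    """Return a dict for one fls entry line, or None for non-entry lines."""
    m = FLS_RE.match(line.strip())
    if not m:
        return None
    flags, deleted, meta, name = m.groups()
    addr, attr_type, attr_id = parse_meta_addr(meta)
    return {"flags": flags, "deleted": deleted is not None, "addr": addr,
            "type": attr_type, "id": attr_id, "name": name}

def find_multi_stream_files(fls_output):
    """Map addr -> names for entries that have more than one $Data attribute."""
    streams = defaultdict(list)
    for line in fls_output.splitlines():
        entry = parse_fls_line(line)
        if entry and entry["type"] == NTFS_DATA_TYPE:
            streams[entry["addr"]].append(entry["name"])
    return {addr: names for addr, names in streams.items() if len(names) > 1}

# Constructed sample: the fls listing quoted on this page.
SAMPLE_FLS = """\
# fls -f ntfs ntfs.dd
r/r 48-128-1: test-1.txt
r/r 49-128-1: multiple.txt
r/r 49-128-5: multiple.txt:NEW
r/r 50-128-1: test-2.txt
"""
if __name__ == "__main__":
    print(find_multi_stream_files(SAMPLE_FLS))  # {49: ['multiple.txt', 'multiple.txt:NEW']}
```

Feed it real output with `fls -f ntfs -r image.dd` (the `-r` flag recurses) and every address it reports is one worth running istat on to list the attributes and their IDs.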