shell disk=1 volume=3
disk1:volume3:> ls
Inode  | Type | Name         | Size         | Creation Date       | Attributes
---------------------------------------------------------------------------------------------
4      |      | $AttrDef     | 2560         | 2021-02-18 05:45:18 | Hi Sy
8      |      | $BadClus     | 0            | 2021-02-18 05:45:18 | Hi Sy
       | ADS  | $Bad         | 510905020416 |                     |
6      |      | $Bitmap      | 15591584     | 2021-02-18 05:45:18 | Hi Sy
       | ADS  | $SRAT        | 68           |                     |
7      |      | $Boot        | 8192         | 2021-02-18 05:45:18 | Hi Sy
11     | DIR  | $Extend      |              | 2021-02-18 05:45:18 | Hi Sy
2      |      | $LogFile     | 67108864     | 2021-02-18 05:45:18 | Hi Sy
0      |      | $MFT         | 2073034752   | 2021-02-18 05:45:18 | Hi Sy
1      |      | $MFTMirr     | 4096         | 2021-02-18 05:45:18 | Hi Sy
4502   | DIR  | $Recycle.Bin |              | 2019-12-07 10:14:52 | Hi Sy
9      |      | $Secure      | 0            | 2021-02-18 05:45:18 | Hi Sy
10     |      | $UpCase      | 131072       | 2021-02-18 05:45:18 | Hi Sy
       | ADS  | $Info        | 32           |                     |
3      |      | $Volume      | 0            | 2021-02-18 05:45:18 | Hi Sy
154204 | DIR  | $WINDOWS.~BT |              | 2021-11-02 22:52:59 |
50617  | DIR  | $Windows.~WS |              | 2022-02-06 19:18:00 | Hi Ni
156    | DIR  | $WinREAgent  |              | 2023-01-10 22:38:03 | Hi
mft.record disk=1 volume=3
MFT (inode:0) for \\.\PhysicalDrive1 > Volume:3
-----------------------------------------------
Signature : FILE
Update Offset : 48
Update Number : 3
$LogFile LSN : 305819962804
Sequence Number : 1
Hardlink Count : 1
Attribute Offset : 56
Flags : In use
Real Size : 888
Allocated Size : 1024
Base File Record : 0000000000000000h
Next Attribute ID : 13
MFT Record Index : 0
Update Seq Number : 1714
Update Seq Array : 01150000

Attributes:
-----------
+-------------------------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+-------------------------------------------------------------------------------------------------------------+
| 1 | $STANDARD_INFORMATION | False | 72 | File Created Time : 2021-02-18 05:45:18 |
| | Raw address: 0000c0000050h | | | Last File Write Time : 2021-02-18 05:45:18 |
| | | | | FileRecord Changed Time : 2021-02-18 05:45:18 |
| | | | | Last Access Time : 2021-02-18 05:45:18 |
| | | | | Permissions : |
| | | | | read_only : 0 |
| | | | | hidden : 1 |
| | | | | system : 1 |
| | | | | device : 0 |
| | | | | normal : 0 |
| | | | | temporary : 0 |
| | | | | sparse : 0 |
| | | | | reparse_point : 0 |
| | | | | compressed : 0 |
| | | | | offline : 0 |
| | | | | not_indexed : 0 |
| | | | | encrypted : 0 |
| | | | | Max Number of Versions : 0 |
| | | | | Version Number : 0 |
+-------------------------------------------------------------------------------------------------------------+
| 2 | $FILE_NAME | False | 74 | Parent Dir Record Index : 5 |
| | Raw address: 0000c00000b0h | | | Parent Dir Sequence Num : 5 |
| | | | | File Created Time : 2021-02-18 05:45:18 |
| | | | | Last File Write Time : 2021-02-18 05:45:18 |
| | | | | FileRecord Changed Time : 2021-02-18 05:45:18 |
| | | | | Last Access Time : 2021-02-18 05:45:18 |
| | | | | Allocated Size : 1417412608 |
| | | | | Real Size : 1417412608 |
| | | | | ------ |
| | | | | NameType : DOS & WIN32 |
| | | | | Name : $MFT |
+-------------------------------------------------------------------------------------------------------------+
| 3 | $DATA | True | 2073034752 | Size: 2073034752 (1.93 GiB) |
| | Raw address: 0000c0000140h | | | Dataruns: |
| | | | | Length: 0000c820 Offset: 000c0000 |
| | | | | Length: 000053a3 Offset: 00adb375 |
| | | | | Length: 000035fe Offset: 0055d48a |
| | | | | Length: 0000323f Offset: 0103745c |
| | | | | Length: 0000c819 Offset: 01e90c48 |
| | | | | Length: 0000c819 Offset: 06379147 |
| | | | | Length: 000027ce Offset: 05391ba4 |
| | | | | Length: 0000a4d4 Offset: 07122acc |
| | | | | Length: 000063f4 Offset: 04255ee4 |
| | | | | Length: 00000a8e Offset: 06c65c0c |
| | | | | Length: 000001ad Offset: 051b2127 |
| | | | | Length: 0000cbf2 Offset: 07166c3c |
| | | | | Length: 00002d83 Offset: 05db27f9 |
| | | | | Length: 0000406d Offset: 073cd633 |
| | | | | Length: 00000e97 Offset: 041df470 |
| | | | | Length: 00000e89 Offset: 06f2dbb7 |
| | | | | Length: 00000de1 Offset: 03cc3927 |
| | | | | Length: 00000db5 Offset: 00466aaf |
| | | | | Length: 00000dab Offset: 041a0cd9 |
| | | | | Length: 00000f95 Offset: 07315b99 |
| | | | | Length: 00004aa8 Offset: 01250b40 |
| | | | | Length: 00000ab8 Offset: 0550d6b6 |
| | | | | Length: 00000595 Offset: 012cc194 |
| | | | | Length: 000004b4 Offset: 07209d68 |
| | | | | Length: 000004ad Offset: 02fa5c78 |
| | | | | Length: 00000490 Offset: 01c4dde0 |
| | | | | Length: 00001c84 Offset: 02dac5a1 |
| | | | | Length: 00001d1a Offset: 04d84ea5 |
| | | | | Length: 00001264 Offset: 051c21b8 |
| | | | | Length: 0000003d Offset: 016a5e21 |
| | | | | Length: 0000079c Offset: 016a2164 |
| | | | | Length: 00002468 Offset: 0561ec80 |
| | | | | Length: 0000376a Offset: 04e83dd8 |
| | | | | Length: 00002b63 Offset: 05f1e700 |
| | | | | Length: 0000279c Offset: 019bcf80 |
| | | | | Length: 0000279f Offset: 0477d34c |
| | | | | Length: 00002fa3 Offset: 0707668c |
| | | | | Length: 00001551 Offset: 00dcbde8 |
| | | | | |
| | | | | Virtual size: 0 (0.00 byte) |
| | | | | Real size : 2073034752 (1.93 GiB) |
+-------------------------------------------------------------------------------------------------------------+
| 4 | $BITMAP | True | 254944 | Index Node Used : 1752184 |
| | Raw address: 0000c0000290h | | | |
+-------------------------------------------------------------------------------------------------------------+
But last but not least
logfile.dump disk=1 volume=3 output=log.log format=raw
LogFile from \\.\PhysicalDrive1 > Volume:3
------------------------------------------
[+] Opening \\?\Volume{3de295f9-1d5e-4f1d-bbce-fb5e97329559}\
[+] Reading $LogFile record
[+] $LogFile size : 64.00 MiBs
[+] Creating log.log
[!] Unable to find corresponding $DATA attribute
[+] Processing data: 0.00 byte[+] Closing volume
[+] Closing volume
thewhiteninja