Missing file system events using the MFT parser


goorg...@protonmail.com
Oct 23, 2018, 7:34:57 AM
to log2timeline-discuss

Hello list,

I have an issue with the MFT parsing, but I cannot really put my finger on it.

I use the following log2timeline setup:

Windows Build
Product version: 20180818
Command line arguments:

D:\Tools\plaso-20180818-Win32\log2timeline.exe --no_dependencies_check --workers 7 --parsers win7_slow --status_view linear --hasher_file_size_limit 70000000 --logfile log.txt db.plaso h:\

H: is the NTFS image mounted with FTK Imager
Enabled parsers and plugins: ../.. mft, usnjrnl, ../..
No filters

The result is then exported (psort) to -o elastic and -o json_line, both with the same result.

The issue I have is that some NTFS file system events are not extracted by log2timeline. Some files that are in the file system are not present at all in the output (neither in elastic, nor when grepping the JSON).

Using the stand-alone $MFT parser https://github.com/dkovar/analyzeMFT, the file events are extracted fine and I can find the info I am looking for.

I tried my best to find information and documentation on what is wrong or what I possibly did wrong, but I'm missing something. Might there be a limitation in the MFT parser in log2timeline?

Thank you (for the work and tools)!

Best regards!

G

Dave
Oct 24, 2018, 9:20:29 AM
to log2timeline-discuss

I'm new to log2timeline, but I'll take a guess at your issue.

You can give log2timeline a forensic image (e01) to avoid these types of issues:

log2timeline plaso.dmp hard-drive.e01

log2timeline parses files.  When using FTK Imager to mount the E01, with the Imager default mounting options, you end up with your H drive mount point as it would be seen in Windows.  If you look at your H drive in Windows Explorer, you will see that $MFT is not a visible file, which is why log2timeline is not parsing it.

If you need to mount the image with FTK Imager, you can use "Mount Method - File System/read only" and give log2timeline the "H:\[root]" folder.  You can verify with Windows Explorer that you can now see $MFT within the H:\[root] folder.

Giving log2timeline an E01 or DD image is the better workflow.  If your image has multiple partitions, log2timeline will stop and ask you which partition to process.
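A pre-flight check for the mount layout Dave describes, added here as example code (it is not from the thread or from the plaso project). It assumes an FTK Imager mount on H:, a placeholder plaso path, and the stock Get-ChildItem/Test-Path cmdlets; it looks for a visible $MFT at the drive root and under [root] before launching log2timeline.

```powershell
# Find a source root under which $MFT is actually enumerable, mirroring the
# "can you see $MFT in Windows Explorer?" check from the reply above.
function Find-NtfsSourceRoot {
    param([Parameter(Mandatory)][string]$MountPoint)

    # Imager's default mount exposes the volume at the drive root; the
    # "File System/read only" method puts it under [root] instead.
    $candidates = @($MountPoint, (Join-Path $MountPoint '[root]'))

    foreach ($root in $candidates) {
        # -LiteralPath: the [ ] in "[root]" would otherwise be wildcards.
        if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }

        # -Force is required: $MFT is hidden+system and skipped by default.
        # Single quotes keep PowerShell from expanding $MFT as a variable.
        $mft = Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq '$MFT' }
        if ($mft) {
            return [pscustomobject]@{ Root = $root; MftSize = $mft.Length }
        }
    }
    return $null
}

$source = Find-NtfsSourceRoot -MountPoint 'H:\'
if (-not $source) {
    Write-Warning 'No $MFT visible under H:\ or H:\[root]; remount with "File System/read only" or give log2timeline the E01 directly.'
    exit 1
}
Write-Host ('Using {0} ({1:N0} bytes of $MFT)' -f $source.Root, $source.MftSize)

# Placeholder tool path; same options as the original post's command line,
# but pointed at the root where $MFT was actually found.
& 'D:\Tools\plaso-20180818-Win32\log2timeline.exe' --no_dependencies_check `
    --workers 7 --parsers win7_slow --status_view linear `
    --hasher_file_size_limit 70000000 --logfile log.txt db.plaso $source.Root
```

If neither candidate exposes $MFT, the script stops instead of silently producing a timeline without mft/usnjrnl events.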

goorg...@protonmail.com
Oct 24, 2018, 9:30:59 AM
to log2timeline-discuss

Hello Dave,

Thank you for the quick answer.

I'll give the "Mount Method - File System/read only" option a try and post the result - positive or negative.

Parsing the image file directly would of course be the best solution, but that ends up with the following issue and I did not find a good workaround: https://github.com/log2timeline/plaso/issues/669. (I tried to switch to a Linux VM as a workaround, but that's a different and long story to tell.)

Thanks!

Joachim Metz
Oct 24, 2018, 1:45:22 PM
to goorg...@protonmail.com, log2timeli...@googlegroups.com

> The issue I have is that some NTFS file system events are not extracted by log2timeline. Some files that are in the file system are not at all present in the output (neither elastic, nor grepping the JSON).

Can you provide more detail on which events are not extracted? Are these
recovered MFT entries, recovered $I30 directory index records, etc.?

goorg...@protonmail.com
Oct 25, 2018, 3:40:28 AM
to log2timeline-discuss

Hello Dave, Hello Joachim,

Dave's solution was indeed the correct one. $MFT was now parsed.

I haven't had the chance to look at the result as everything finished with a MemoryError in File "sqlite_file.py", _WriteSerializedAttributeContainerList when the database hit 4G, so I'll re-do the exercise with the 64 bit version :)

Thank you!
G

On Wednesday, October 24, 2018 at 7:45:22 PM UTC+2, Joachim Metz wrote:
> > The issue I have is that some NTFS file system events are not extracted by log2timeline. Some files that are in the file system are not at all present in the output (neither elastic, nor grepping the JSON).
>
> Can you provide more detail on which events are not extracted? Are these
> recovered MFT entries, recovered $I30 directory index records, etc.?