// /*************************************************************************** // Aaru Data Preservation Suite // ---------------------------------------------------------------------------- // // Filename : NTFS.cs // Author(s) : Natalia Portillo // // Component : Microsoft NT File System plugin. // // --[ Description ] ---------------------------------------------------------- // // Identifies the Microsoft NT File System and shows information. // // --[ License ] -------------------------------------------------------------- // // This library is free software; you can redistribute it and/or modify // it under the terms of the GNU Lesser General Public License as // published by the Free Software Foundation; either version 2.1 of the // License, or (at your option) any later version. // // This library is distributed in the hope that it will be useful, but // WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU // Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public // License along with this library; if not, see . // // ---------------------------------------------------------------------------- // Copyright © 2011-2021 Natalia Portillo // ****************************************************************************/ using System; using System.Runtime.InteropServices; using System.Text; using Aaru.Checksums; using Aaru.CommonTypes; using Aaru.CommonTypes.Enums; using Aaru.CommonTypes.Interfaces; using Aaru.Helpers; using Schemas; using Marshal = Aaru.Helpers.Marshal; namespace Aaru.Filesystems { // Information from Inside Windows NT /// ///

Implements detection of the New Technology File System (NTFS)

public sealed class NTFS : IFilesystem { /// public FileSystemType XmlFsType { get; private set; } /// public Encoding Encoding { get; private set; } /// public string Name => "New Technology File System (NTFS)"; /// public Guid Id => new("33513B2C-1e6d-4d21-a660-0bbc789c3871"); /// public string Author => "Natalia Portillo"; /// public bool Identify(IMediaImage imagePlugin, Partition partition) { if(2 + partition.Start >= partition.End) return false; byte[] eigthBytes = new byte[8]; ErrorNumber errno = imagePlugin.ReadSector(0 + partition.Start, out byte[] ntfsBpb); if(errno != ErrorNumber.NoError) return false; Array.Copy(ntfsBpb, 0x003, eigthBytes, 0, 8); string oemName = StringHandlers.CToString(eigthBytes); if(oemName != "NTFS ") return false; byte fatsNo = ntfsBpb[0x010]; ushort spFat = BitConverter.ToUInt16(ntfsBpb, 0x016); ushort signature = BitConverter.ToUInt16(ntfsBpb, 0x1FE); if(fatsNo != 0) return false; if(spFat != 0) return false; return signature == 0xAA55; } /// public void GetInformation(IMediaImage imagePlugin, Partition partition, out string information, Encoding encoding) { Encoding = Encoding.Unicode; information = ""; var sb = new StringBuilder(); ErrorNumber errno = imagePlugin.ReadSector(0 + partition.Start, out byte[] ntfsBpb); if(errno != ErrorNumber.NoError) return; BiosParameterBlock ntfsBb = Marshal.ByteArrayToStructureLittleEndian(ntfsBpb); sb.AppendFormat("{0} bytes per sector", ntfsBb.bps).AppendLine(); sb.AppendFormat("{0} sectors per cluster ({1} bytes)", ntfsBb.spc, ntfsBb.spc * ntfsBb.bps).AppendLine(); // sb.AppendFormat("{0} reserved sectors", ntfs_bb.rsectors).AppendLine(); // sb.AppendFormat("{0} FATs", ntfs_bb.fats_no).AppendLine(); // sb.AppendFormat("{0} entries in the root folder", ntfs_bb.root_ent).AppendLine(); // sb.AppendFormat("{0} sectors on volume (small)", ntfs_bb.sml_sectors).AppendLine(); sb.AppendFormat("Media descriptor: 0x{0:X2}", ntfsBb.media).AppendLine(); // sb.AppendFormat("{0} sectors per FAT", ntfs_bb.spfat).AppendLine(); sb.AppendFormat("{0} sectors per track", ntfsBb.sptrk).AppendLine(); sb.AppendFormat("{0} heads", ntfsBb.heads).AppendLine(); sb.AppendFormat("{0} hidden sectors before filesystem", ntfsBb.hsectors).AppendLine(); // sb.AppendFormat("{0} sectors on volume (big)", ntfs_bb.big_sectors).AppendLine(); sb.AppendFormat("BIOS drive number: 0x{0:X2}", ntfsBb.drive_no).AppendLine(); // sb.AppendFormat("NT flags: 0x{0:X2}", ntfs_bb.nt_flags).AppendLine(); // sb.AppendFormat("Signature 1: 0x{0:X2}", ntfs_bb.signature1).AppendLine(); sb.AppendFormat("{0} sectors on volume ({1} bytes)", ntfsBb.sectors, ntfsBb.sectors * ntfsBb.bps). AppendLine(); sb.AppendFormat("Cluster where $MFT starts: {0}", ntfsBb.mft_lsn).AppendLine(); sb.AppendFormat("Cluster where $MFTMirr starts: {0}", ntfsBb.mftmirror_lsn).AppendLine(); if(ntfsBb.mft_rc_clusters > 0) sb.AppendFormat("{0} clusters per MFT record ({1} bytes)", ntfsBb.mft_rc_clusters, ntfsBb.mft_rc_clusters * ntfsBb.bps * ntfsBb.spc).AppendLine(); else sb.AppendFormat("{0} bytes per MFT record", 1 << -ntfsBb.mft_rc_clusters).AppendLine(); if(ntfsBb.index_blk_cts > 0) sb.AppendFormat("{0} clusters per Index block ({1} bytes)", ntfsBb.index_blk_cts, ntfsBb.index_blk_cts * ntfsBb.bps * ntfsBb.spc).AppendLine(); else sb.AppendFormat("{0} bytes per Index block", 1 << -ntfsBb.index_blk_cts).AppendLine(); sb.AppendFormat("Volume serial number: {0:X16}", ntfsBb.serial_no).AppendLine(); // sb.AppendFormat("Signature 2: 0x{0:X4}", ntfs_bb.signature2).AppendLine(); XmlFsType = new FileSystemType(); if(ntfsBb.jump[0] == 0xEB && ntfsBb.jump[1] > 0x4E && ntfsBb.jump[1] < 0x80 && ntfsBb.signature2 == 0xAA55) { XmlFsType.Bootable = true; string bootChk = Sha1Context.Data(ntfsBb.boot_code, out _); sb.AppendLine("Volume is bootable"); sb.AppendFormat("Boot code's SHA1: {0}", bootChk).AppendLine(); } XmlFsType.ClusterSize = (uint)(ntfsBb.spc * ntfsBb.bps); XmlFsType.Clusters = (ulong)(ntfsBb.sectors / ntfsBb.spc); XmlFsType.VolumeSerial = $"{ntfsBb.serial_no:X16}"; XmlFsType.Type = "NTFS"; information = sb.ToString(); } ///

NTFS $BOOT

[StructLayout(LayoutKind.Sequential, Pack = 1)] readonly struct BiosParameterBlock { // Start of BIOS Parameter Block ///

0x000, Jump to boot code

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 3)] public readonly byte[] jump; ///

0x003, OEM Name, 8 bytes, space-padded, must be "NTFS "

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] public readonly byte[] oem_name; ///

0x00B, Bytes per sector

public readonly ushort bps; ///

0x00D, Sectors per cluster

public readonly byte spc; ///

0x00E, Reserved sectors, seems 0

public readonly ushort rsectors; ///

0x010, Number of FATs... obviously, 0

public readonly byte fats_no; ///

0x011, Number of entries on root directory... 0

public readonly ushort root_ent; ///

0x013, Sectors in volume... 0

public readonly ushort sml_sectors; ///

0x015, Media descriptor

public readonly byte media; ///

0x016, Sectors per FAT... 0

public readonly ushort spfat; ///

0x018, Sectors per track, required to boot

public readonly ushort sptrk; ///

0x01A, Heads... required to boot

public readonly ushort heads; ///

0x01C, Hidden sectors before BPB

public readonly uint hsectors; ///

0x020, Sectors in volume if > 65535... 0

public readonly uint big_sectors; ///

0x024, Drive number

public readonly byte drive_no; ///

0x025, 0

public readonly byte nt_flags; ///

0x026, EPB signature, 0x80

public readonly byte signature1; ///

0x027, Alignment

public readonly byte dummy; // End of BIOS Parameter Block // Start of NTFS real superblock ///

0x028, Sectors on volume

public readonly long sectors; ///

0x030, LSN of $MFT

public readonly long mft_lsn; ///

0x038, LSN of $MFTMirror

public readonly long mftmirror_lsn; ///

0x040, Clusters per MFT record

public readonly sbyte mft_rc_clusters; ///

0x041, Alignment

public readonly byte dummy2; ///

0x042, Alignment

public readonly ushort dummy3; ///

0x044, Clusters per index block

public readonly sbyte index_blk_cts; ///

0x045, Alignment

public readonly byte dummy4; ///

0x046, Alignment

public readonly ushort dummy5; ///

0x048, Volume serial number

public readonly ulong serial_no; ///

Boot code.

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 430)] public readonly byte[] boot_code; ///

0x1FE, 0xAA55

public readonly ushort signature2; } } }