Changes for handling NTFS mode_as_string value log2timeline#19

dfimagetools/file_entry_lister.py

@@ -44,6 +44,9 @@ class FileEntryLister(volume_scanner.VolumeScanner):
       0xa000: 'l',
       0xc000: 's'}
 
+  _FILE_ATTRIBUTE_READONLY = 1
+  _FILE_ATTRIBUTE_SYSTEM = 4
+
   _TIMESTAMP_FORMAT_STRINGS = {
       dfdatetime_definitions.PRECISION_1_NANOSECOND: '{0:d}.{1:09d}',
       dfdatetime_definitions.PRECISION_100_NANOSECONDS: '{0:d}.{1:07d}',
@@ -170,6 +173,17 @@ def GetBodyfileEntries(self, file_entry, path_segments):
     Yields:
       str: bodyfile entry.
     """
+    file_attribute_flags = None
+    parent_file_reference = None
+    if file_entry.type_indicator == dfvfs_definitions.TYPE_INDICATOR_NTFS:
+      mft_attribute_index = getattr(file_entry.path_spec, 'mft_attribute', None)
+      if mft_attribute_index is not None:
+        fsntfs_file_entry = file_entry.GetNTFSFileEntry()
+        file_attribute_flags = fsntfs_file_entry.file_attribute_flags
+        parent_file_reference = (
+            fsntfs_file_entry.get_parent_file_reference_by_attribute_index(
+                mft_attribute_index))
+
     stat_attribute = file_entry.GetStatAttribute()
 
     if stat_attribute.inode_number is None:
@@ -181,8 +195,19 @@ def GetBodyfileEntries(self, file_entry, path_segments):
     else:
       inode_string = '{0:d}'.format(stat_attribute.inode_number)
 
-    mode = getattr(stat_attribute, 'mode', None) or 0
-    mode_string = self._GetBodyfileModeString(mode)
+    if file_entry.type_indicator != dfvfs_definitions.TYPE_INDICATOR_NTFS:
+      mode = getattr(stat_attribute, 'mode', None) or 0
+      mode_string = self._GetBodyfileModeString(mode)
+
+    elif file_attribute_flags is None:
+      mode_string = '---------'
+
+    elif (file_attribute_flags & self._FILE_ATTRIBUTE_READONLY or
+          file_attribute_flags & self._FILE_ATTRIBUTE_SYSTEM):
+      mode_string = 'r-xr-xr-x'
+
+    else:
+      mode_string = 'rwxrwxrwx'
 
     owner_identifier = ''
     if stat_attribute.owner_identifier is not None:
@@ -230,15 +255,6 @@ def GetBodyfileEntries(self, file_entry, path_segments):
             owner_identifier, group_identifier, size, access_time,
             modification_time, change_time, creation_time])
 
-    parent_file_reference = None
-    if file_entry.type_indicator == dfvfs_definitions.TYPE_INDICATOR_NTFS:
-      mft_attribute = getattr(file_entry.path_spec, 'mft_attribute', None)
-      if mft_attribute:
-        fsntfs_file_entry = file_entry.GetNTFSFileEntry()
-        parent_file_reference = (
-            fsntfs_file_entry.get_parent_file_reference_by_attribute_index(
-                mft_attribute))
-
     for attribute in file_entry.attributes:
       if isinstance(attribute, dfvfs_ntfs_attribute.FileNameNTFSAttribute):
         if (attribute.name == file_entry.name and

docs/sources/Bodyfile-format.md

@@ -93,7 +93,7 @@ used by the SleuthKit tools.
 The mode_as_string value contains a POSIX file mode represented as a string, for
 example 'drwxr-xr-x'.
 
-Where the first character represents the file entry type:
+The first character represents the file entry type:
 
 * '-' to indicate a "regular" file (S_IFREG) or unknown type
 * 'b' to indicate a block device (S_IFBLK)
@@ -111,7 +111,20 @@ group and other.
 
 The SleuthKit specific `[-dlr]/` prefix is not used by the dfImageTools project.
 
-For NTFS dfImageTools currently sets the mode_as_string value to '----------'.
+### NTFS
+
+For NTFS dfImageTools uses the following approximation to generate
+a mode_as_string value.
+
+The first character represents the file entry type:
+
+* '-' to indicate a "regular" file or unknown type
+* 'd' to indicate a directory, if the file entry has an \$I30 index and is not a symbolic link
+* 'l' to indicate a symbolic link, if the file entry has a \$REPARSE_POINT attribute with tag 0xa000000c
+
+The remaining characters are based on the file attribute flags and will be
+'r-xr-xr-x' if FILE_ATTRIBUTE_READONLY or FILE_ATTRIBUTE_SYSTEM is set or
+'rwxrwxrwx' otherwise.
 
 ## Time values