MFT is missing, kinda

[salty4n6]

I ran into this old issue today. #9

The MFT isn't "visible" but as stated in the other thread, you can copy it out.

I'm running SIFT installed via cast on Ubuntu 22.04 in a VM.

I was attempting to run mftecmd, but discovered this issue.

Any idea what is going on?

~Salty

[salty4n6]

I did a quick test on a Fedora 39 system and the MFT file is present without needing to copy it off.

Fedora:
ewfmount 20140812
bdemount 20231106

SIFT:
ewfmount 20140814
bdemount 20221031

mount -o ro,loop,show_sys_files,streams_interface=windows was used on both systems to mount the bitlockered E01.

Not sure if that helps, but it seems like we just need to figure out which package has the issue and get it upgraded or downgraded.

~Salty

[digitalsleuth]

Hi @salty4n6 , thanks for bringing this up. I'll take a look this weekend and see if I can identify why it's not showing up in one, but is in the other. Have you tried testing this already on a non-bitlockered E01 to see if there was still a difference?

[salty4n6]

Hi @digitalsleuth
I tested a non-encrypted E01 and the MFT file is missing, too.

I'm going to do an update just to make sure that I have all the latest files for SIFT.

~Salty

[digitalsleuth]

Sounds good. I'm taking a look now and will keep you posted.

[digitalsleuth]

Hi @salty4n6 , it turns out that this is "expected" behaviour for the ntfs-3g driver in linux. According to their documentation (man mount.ntfs):

show_sys_files
              Show the metafiles in directory listings. Otherwise the default behaviour is to hide the metafiles, which are special files used to store the NTFS structure. Please note that even when this option is specified, "$MFT" may not be visible due  to  a  glibc  bug.
              Furthermore, irrespectively of show_sys_files, all files are accessible by name, for example you can always do "ls -l '$UpCase'".

Now, it could be that your version of Fedora has an updated version of the NTFS-3G driver, or the version of glibc installed doesn't have the same issue as it does on Ubuntu. I'll see if there's a workaround or a fix, but since this was already expected behaviour from the developers, I won't get my hopes up.

Hope this helps!

[mpilking]

Note that you can still interact with the $MFT without needing to copy it first. Just escape it on the command line. For example:

ls -lh /path/to/mount/\$MFT
md5sum /path/to/mount/\$MFT

[digitalsleuth]

Absolutely, it just won't be visible in the ls output.

[salty4n6]

Appreciate you both looking into this.

I did some additional testing this morning and Ubuntu 23.10 with GLIBC 2.38 (which is what Fedora 39 also uses) shows $MFT using ls.

Based on what I've read, it is what it is for Ubuntu 22.04.

Thanks again.
~Salty

[digitalsleuth]

Well, since we're not far off from a new LTS, chances are this issue will also be resolved in 24.04 and we won't have to worry about it when we support it.

Cheers!