My Road to Digital Forensics Excellence

Using Encase Filters to parse out Extended File Attributes

Posted by Paul Bobby on November 4, 2008

Encase essentially parses out the MFT to produce the file listing output, along with all of the details that are included. This is a phenomenal amount of information, and I’ve always been impressed with the speed of this parsing algorithm. Even more impressive is the speed of enumeration of a remote host when employing Enterprise Encase and the servlet.

Conditions (and to a lesser extent Filters) are the typical method of slicing and dicing this file listing to produce custom displays for analysis.

The most common use of these conditions and filters is to parse out the main file listing; however, for each file, Encase has also generated four sub-tabs of information.

Today, I’m interested in the Permissions sub-tab. For this example, I’ve selected the ntuser.dat file from my Documents and Settings profile directory:

Encase retrieves this information from the MFT and streams of the $Secure NTFS file (complicated process which I will write an article about at some other time). This view of the permissions for a file should be somewhat familiar to you, even if it doesn’t look identical to the File Security output from Windows Explorer. Every file has an owner and every owner has a SID. And that’s it, the rest of the stuff is just default permissions created by the install process or new permissions created as part of general user interaction.

As part of data recovery investigations, I’m often requested to retrieve a "user’s data". Well, what exactly is that? If you ask the employee, you get a "well, I just need my stuff so that I can work" type response. Helpful? Not at all… Is there a scientific approach? Well, how about all files that are owned by the employee, that is to say, all files of which the employee is the creator?

One of my favorite filters in Encase is called "Search File Permissions – Unix or Windows". Click the filter, wait a few minutes (it is enumerating your entire evidence set), and you get the following window:


I’m hoping by now that you’re already saying to yourself "files owned by the SID of the employee’s account isn’t sufficient". What about files copied from network shares? Well, when you copy a file from a network share, who is the owner? I’ll let you figure that out, but as you can see from the above screenshot, this filter can search on a wide variety of permissions, not just ownership.

Sometimes you want to do quick filters that take advantage of these extended file attributes. Before you read this tutorial on building your own custom "Filter by SID and Owner" condition, try it yourself. You’ll quickly find that there has to be some sort of trick. Let me show you how.

Create a new condition, click the Filter tab in the new condition window and double-click PermissionRoot:


What this does is bring up a new Filter window, but this time, when you ‘add’ components to the filter, they contain the attributes and context associated with the values displayed in the Permissions window. This is the trick…

Add ID, equal to, Prompt for Value.

Add Property, equal to, owner.

Change the logic to AND, and give the filter a name.

Back in the Conditions window, add a new condition, but scroll down and you should find your newly created filter at the bottom of the list. Add that filter, select "has a value", give your condition a name and you’re good to go.


When you run it, simply paste in the SID you’re interested in filtering, and let the condition run for a few moments. The neat feature of this condition is that it applies to all evidence in your case. Therefore after the filter runs, you can select/deselect files/folders at will and the filter will be applied.

This filter runs quicker than the more comprehensive Permissions filter previously mentioned, but is far more specific. Custom permissions can be added to the filter as needed.
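To make the "trick" concrete, here is an added illustration in Python (my own model, not EnCase or EnScript code) of why the filter has to be built under PermissionRoot rather than at the file level. The data model, the Property/ID labels and the SIDs below are constructed assumptions about how the rows of the Permissions sub-tab relate to a file; the point is that "ID equals SID AND Property equals owner" must be evaluated against the same permission row, because every file has an owner row and the SID may also appear in ordinary ACL rows.

```python
"""Model of the per-permission-row condition built in the post.

Added example, not EnCase code. Permission rows are modelled as
(property, id) pairs like the Permissions sub-tab shows; the row
labels ("owner", "allow") and the SIDs are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Permission:
    property: str   # row type, e.g. "owner" or "allow" (constructed labels)
    id: str         # the SID the row refers to


@dataclass
class FileEntry:
    path: str
    permissions: List[Permission]


# Constructed SIDs for the walkthrough (not real accounts).
EMPLOYEE_SID = "S-1-5-21-1000-2000-3000-1105"
ADMIN_SID = "S-1-5-21-1000-2000-3000-500"
SYSTEM_SID = "S-1-5-18"

# Constructed evidence: four files, each with an owner row plus ACL rows.
SAMPLE_FILES = [
    FileEntry(r"C:\Documents and Settings\jdoe\ntuser.dat", [
        Permission("owner", EMPLOYEE_SID),
        Permission("allow", SYSTEM_SID),
        Permission("allow", ADMIN_SID),
    ]),
    # Employee appears in an allow row only; the owner is the admin account.
    FileEntry(r"C:\WINDOWS\system32\cmd.exe", [
        Permission("owner", ADMIN_SID),
        Permission("allow", EMPLOYEE_SID),
    ]),
    FileEntry(r"C:\Documents and Settings\jdoe\My Documents\report.doc", [
        Permission("owner", EMPLOYEE_SID),
        Permission("allow", EMPLOYEE_SID),
    ]),
    FileEntry(r"C:\pagefile.sys", [
        Permission("owner", SYSTEM_SID),
    ]),
]


def naive_owned_by(files: List[FileEntry], sid: str) -> List[str]:
    """File-level AND, the first thing one tries without the trick.

    'some row has ID == sid' AND 'some row has Property == owner' are each
    tested against the whole permission list, so a file where the SID only
    sits in an allow row still matches, because every file has an owner row.
    """
    return [
        f.path for f in files
        if any(p.id == sid for p in f.permissions)
        and any(p.property == "owner" for p in f.permissions)
    ]


def permission_filter(perm: Permission, sid: str) -> bool:
    """The nested PermissionRoot filter: both terms tested on one row."""
    return perm.id == sid and perm.property == "owner"


def owned_by(files: List[FileEntry], sid: str) -> List[str]:
    """The condition: keep a file if the row filter 'has a value', i.e. any
    of its permission rows satisfies permission_filter."""
    return [
        f.path for f in files
        if any(permission_filter(p, sid) for p in f.permissions)
    ]


if __name__ == "__main__":
    print("naive :", naive_owned_by(SAMPLE_FILES, EMPLOYEE_SID))
    print("nested:", owned_by(SAMPLE_FILES, EMPLOYEE_SID))
```

Run against the constructed sample, the file-level version wrongly returns cmd.exe (the employee SID is present, and the file has an owner, just not that owner), while the row-level version returns only the two files whose owner row carries the employee SID. That difference is exactly what building the filter under PermissionRoot buys you.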

