MFT is missing, kinda about sift HOT 9 OPEN

I did a quick test on a Fedora 39 system and the MFT file is present without needing to copy it off.

Fedora:
ewfmount 20140812
bdemount 20231106

SIFT:
ewfmount 20140814
bdemount 20221031

mount -o ro,loop,show_sys_files,streams_interface=windows was used on both systems to mount the bitlockered E01.

Not sure if that helps, but it seems like we just need to figure out which package has the issue and get it upgraded or downgraded.

~Salty

from sift.

Hi @salty4n6 , thanks for bringing this up. I'll take a look this weekend and see if I can identify why it's not showing up in one, but is in the other. Have you tried testing this already on a non-bitlockered E01 to see if there was still a difference?

from sift.

Hi @digitalsleuth
I tested a non-encrypted E01 and the MFT file is missing, too.

I'm going to do an update just to make sure that I have all the latest files for SIFT.

~Salty

from sift.

Sounds good. I'm taking a look now and will keep you posted.

from sift.

Hi @salty4n6 , it turns out that this is "expected" behaviour for the ntfs-3g driver in linux. According to their documentation (man mount.ntfs):

show_sys_files
              Show the metafiles in directory listings. Otherwise the default behaviour is to hide the metafiles, which are special files used to store the NTFS structure. Please note that even when this option is specified, "$MFT" may not be visible due  to  a  glibc  bug.
              Furthermore, irrespectively of show_sys_files, all files are accessible by name, for example you can always do "ls -l '$UpCase'".

Now, it could be that your version of Fedora has an updated version of the NTFS-3G driver, or the version of glibc installed doesn't have the same issue as it does on Ubuntu. I'll see if there's a workaround or a fix, but since this was already expected behaviour from the developers, I won't get my hopes up.

Hope this helps!

from sift.

Note that you can still interact with the $MFT without needing to copy it first. Just escape it on the command line. For example:

ls -lh /path/to/mount/\$MFT
md5sum /path/to/mount/\$MFT

from sift.

Absolutely, it just won't be visible in the ls output.

from sift.

Appreciate you both looking into this.

I did some additional testing this morning and Ubuntu 23.10 with GLIBC 2.38 (which is what Fedora 39 also uses) shows $MFT using ls.

Based on what I've read, it is what it is for Ubuntu 22.04.

Thanks again.
~Salty

from sift.

Well, since we're not far off from a new LTS, chances are this issue will also be resolved in 24.04 and we won't have to worry about it when we support it.

Cheers!

from sift.