This article shows how you can use $MFT flags to find “not synchronized” OneDrive files – files whose content does not actually exist on the system. You may now ask yourself: “So $MFT contains entries for files that do not actually exist on the disk?” Well… yes, and that is nothing new: orphaned entries, for example, do not necessarily point to files that are still present on the disk. But today I will talk about OneDrive files, whose $MFT entries are flagged as “offline”.
As you may have noticed, I said that these files do not exist on the system. And believe me, I spent some time on that part to prove that this is indeed a valid theory.
But before we go further, I want to make sure that everybody knows what I mean by “not synchronized files”. So first, a short introduction. If you are not interested in that part, feel free to jump to the next “yellow header”.
Synchronized and not synchronized OneDrive files
If you use the OneDrive client on your machine, it will automatically try to synchronize files from your system with the cloud storage and vice versa. By default the OneDrive client synchronizes files from three folders:
– Pictures
– Desktop
– Documents
It is possible that some files are available in the cloud but have not been synchronized with your device (yet). In that case, you may still see those files on your system, but if you try to open one you will get an error.
GUI access to the device allows you to quickly find such files. Just start EXPLORER.EXE and go to the OneDrive directory. Files with a green check mark were synchronized properly, but files with a small blue cloud were not – they still sit only in the cloud (screenshot below).

If you try to open a “not synchronized” file, the system will automatically try to sync and fetch that file for you. But what happens if there is no way to establish a connection to the OneDrive storage? To simulate that scenario, I paused OneDrive and then tried to open the “not synchronized” file (the one shown in the screenshot above – ‘Getting started with OneDrive.pdf’). As a result I got an error; the screenshot below shows the message:

There was no way to open the file.
Are “not synchronized” OneDrive files present on the system or not?
In the first section, I said that “not synchronized” OneDrive files do not exist on the system. And it is true: space for them may be allocated, but there is no content. To prove it, I imaged the disk of the testing VM and did not find any data belonging to the “not synchronized” OneDrive file. Of course there is an entry for that file in $MFT, but looking at $DATA, you will not find any clusters storing the content (screenshot below).

Synchronized and not synchronized OneDrive files in $MFT
Okay, but what if you only have a forensic collection and there is no way to connect to the system? In that situation, you would probably take a look at $MFT and assume that all files listed there are, or at least were (at the time of the forensic collection), present on the system. But… with OneDrive files that may not be true!
I used three tools to parse $MFT:
- mft2.exe (Harlan Carvey)
- MFTDump_V.1.3.0 (Michael G. Spohn; the tool used to be available on http://www.malware-hunters.net a long time ago)
- MFTECmd version 1.2.2.0 (Eric Zimmerman)
The order in which I listed them is not accidental. I always use Harlan’s tool first, because it gives me output in MACB and TLN format. Then, if I need to, I use MFTDump_V.1.3.0 to get the MFT entry number, which in turn I provide to Eric’s tool to print all data for a specific file (if I want to get ADS or resident data). But for the purpose of this article, I will present my findings in reverse order, because only Harlan’s tool gave me output that allowed me to understand how to distinguish synchronized files from those that still sit in the cloud – so I will leave it for the end.
So first I parsed the $MFT using Eric Zimmerman’s tool MFTECmd and searched for the file “Getting started with OneDrive.pdf” – the file which was not synchronized on my VM. I found the entry for that file in $MFT, and at first glance I could not find anything abnormal, so I compared the entry for that file with other entries for files that were present on the system. Below you can find two screenshots demonstrating that:


Looking at them, I observed different values in the columns uSecZeros, Copied and SiFlags.
The first two are quite clear (once you understand the intention of those columns):
– uSecZeros: True if STANDARD_INFO created, modified, or last access has 0s for sub-second precision
– Copied: True if STANDARD_INFO modified < STANDARD_INFO created time
Neither of them can be used to clearly indicate that a OneDrive file was not properly synchronized (more information about the columns can be found here).
But we still have the third column, named SiFlags. Here all flags (I will talk about them later) set for that $MFT entry should be listed, but for the file in question they are not shown in a nice readable way – just as “some number”. I think you will agree that most of us would simply ignore that difference (I think I would…).
As the number representing the flags did not allow me to understand whether the files were synchronized or not, I used another tool to parse $MFT, this time MFTDump_V.1.3.0. The tool supports two output formats, the standard one and the long one. I used the standard one only, and it did not list flags at all. It looks like there are separate columns for the Hidden and System flags, but nothing else.
And then I tested the last tool, namely mft2.exe:

Once I had parsed the $MFT, I searched for the file in question:

Now I immediately got a new flag that I think I had never seen before (or had not paid attention to), namely a flag called OFFLINE. That flag seems to be used to mark files that do not have any real content on the disk. Going further, you can use that flag to find all “not synchronized” OneDrive files, which in my opinion is SUPER handy.
$STANDARD_INFORMATION flags
If you are not familiar with $MFT flags, you should go back to your $MFT documentation (books, training materials etc.) and check where those flags can be found. For a quick reference you can use this link. It says that $STANDARD_INFORMATION attributes may have several different flags. One of them is Offline. But keep in mind that $FILE_NAME has them as well.

To make sure that Harlan’s tool found all flags properly, I checked $MFT manually (that allowed me to better understand the structure of $MFT). To find those flags, first I had to find the $MFT entry number for that file, which was 28993. But how to use that number to find the correct place in the $MFT? I converted that number to a hexadecimal value, which gave me 7141. Having that, I had to reverse the order of the bytes and add 00 00 at the end. As a result I got 41 71 00 00. Now by searching for that byte sequence in a hex editor (CTRL + F), I found the entry for my file. Moving further, and locating the bytes for all “fields”, I found that at offset 01C50470 there are four bytes reserved for flags – in that case it was 20 16 40 00.

20 00 00 00 – stands for Archive
00 10 00 00 – stands for Offline
00 02 00 00 – stands for Sparse File
00 04 00 00 – stands for Reparse Point
In total that gives 20 16, but I do not know what the remaining two bytes 40 00 mean. If you know, please explain it in the comments.
So everything looks okay! I checked whether there are other files with that flag, and I found other not synchronized OneDrive files.
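The following Python script is an added example, not code from the original post or from any of the tools it mentions. It reproduces the manual check described above: it turns an entry number into the byte pattern you would search for in a hex editor, locates that record in a constructed $MFT fragment (a fixture, not data from the post’s image), reads the $STANDARD_INFORMATION flags dword at offset 0x20 of the attribute content, and names the set bits using Microsoft’s FILE_ATTRIBUTE_* constants, including OFFLINE. The FILE record and attribute offsets follow the public NTFS on-disk layout; the sample records, entry numbers and the 1024-byte record size are assumptions of the example. Decoded this way, the post’s bytes 20 16 40 00 are the little-endian dword 0x00401620, and the bit behind the trailing 40 00 (0x400000) is FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS in the same Microsoft constant table.

```python
import struct

# Win32 FILE_ATTRIBUTE_* constants as stored in the $STANDARD_INFORMATION flags
# dword (values from Microsoft's "File Attribute Constants" documentation).
FILE_ATTRIBUTE_FLAGS = {
    0x00000001: "READONLY",
    0x00000002: "HIDDEN",
    0x00000004: "SYSTEM",
    0x00000020: "ARCHIVE",
    0x00000200: "SPARSE_FILE",
    0x00000400: "REPARSE_POINT",
    0x00000800: "COMPRESSED",
    0x00001000: "OFFLINE",
    0x00002000: "NOT_CONTENT_INDEXED",
    0x00004000: "ENCRYPTED",
    0x00040000: "RECALL_ON_OPEN",
    0x00080000: "PINNED",
    0x00100000: "UNPINNED",
    0x00400000: "RECALL_ON_DATA_ACCESS",
}
FILE_ATTRIBUTE_OFFLINE = 0x00001000
KNOWN_MASK = 0
for _bit in FILE_ATTRIBUTE_FLAGS:
    KNOWN_MASK |= _bit

RECORD_SIZE = 1024                 # assumed FILE record size (the usual default)
ATTR_STANDARD_INFORMATION = 0x10
END_OF_ATTRIBUTES = 0xFFFFFFFF


def entry_number_signature(entry):
    """Little-endian bytes of an MFT entry number: the pattern typed into a hex
    editor's search box to find its FILE record (28993 -> 41 71 00 00)."""
    return struct.pack("<I", entry)


def find_record_offset(mft, entry, record_size=RECORD_SIZE):
    """Search for the entry-number pattern as the post does, but only accept a hit
    that sits at offset 0x2C of a record-aligned 'FILE' header, so a chance
    occurrence of the same four bytes inside some other attribute is skipped."""
    sig = entry_number_signature(entry)
    pos = mft.find(sig)
    while pos != -1:
        start = pos - 0x2C
        if start >= 0 and start % record_size == 0 and mft[start:start + 4] == b"FILE":
            return start
        pos = mft.find(sig, pos + 1)
    raise LookupError(f"no FILE record for entry {entry}")


def standard_info_flags(record):
    """Walk the attributes of one FILE record and return the 32-bit flags field of
    $STANDARD_INFORMATION (offset 0x20 of the attribute content). Real records need
    the update-sequence fixups applied first; this fixture carries none."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    offset = struct.unpack_from("<H", record, 0x14)[0]   # first attribute offset
    while offset + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == END_OF_ATTRIBUTES or attr_len == 0:
            break
        if attr_type == ATTR_STANDARD_INFORMATION:
            if record[offset + 8] != 0:
                raise ValueError("$STANDARD_INFORMATION must be resident")
            content_off = struct.unpack_from("<H", record, offset + 0x14)[0]
            return struct.unpack_from("<I", record, offset + content_off + 0x20)[0]
        offset += attr_len
    raise ValueError("$STANDARD_INFORMATION not found")


def decode_flags(value):
    """Names of the set bits, lowest first; leftover bits are reported, not dropped."""
    names = [name for bit, name in sorted(FILE_ATTRIBUTE_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK & 0xFFFFFFFF
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def is_offline(value):
    """True when the OFFLINE bit is set, the marker the post relies on."""
    return bool(value & FILE_ATTRIBUTE_OFFLINE)


def build_record(entry, flags):
    """Constructed 1024-byte FILE record holding only $STANDARD_INFORMATION (fixture)."""
    header = bytearray(0x30)
    header[:4] = b"FILE"
    struct.pack_into("<HH", header, 0x04, 0x30, 3)    # update sequence offset / count
    struct.pack_into("<H", header, 0x14, 0x38)        # first attribute follows the USA
    struct.pack_into("<H", header, 0x16, 0x01)        # in-use flag
    struct.pack_into("<I", header, 0x2C, entry)       # record number (NTFS 3.1+)
    content = bytearray(0x48)                         # 72-byte $STANDARD_INFORMATION body
    struct.pack_into("<I", content, 0x20, flags)
    attr = bytearray(0x18)                            # resident attribute header
    struct.pack_into("<IIBBHHHIHBB", attr, 0, ATTR_STANDARD_INFORMATION, 0x18 + len(content),
                     0, 0, 0, 0, 0, len(content), 0x18, 0, 0)
    body = header + bytes(8) + attr + content + struct.pack("<I", END_OF_ATTRIBUTES)
    return bytes(body).ljust(RECORD_SIZE, b"\x00")


if __name__ == "__main__":
    # The post's values, entry 28993 with flag bytes 20 16 40 00, in a constructed fixture.
    flags_from_post = struct.unpack("<I", bytes.fromhex("20164000"))[0]
    mft = build_record(5, 0x20) + build_record(28993, flags_from_post) + build_record(29000, 0x20)
    off = find_record_offset(mft, 28993)
    value = standard_info_flags(mft[off:off + RECORD_SIZE])
    print(f"signature {entry_number_signature(28993).hex(' ')} found at 0x{off:X}")
    print(f"flags 0x{value:08X}: {', '.join(decode_flags(value))}; offline={is_offline(value)}")
```

The same is_offline() test can be applied directly to the numeric SiFlags value that MFTECmd prints when it cannot name every bit, so a one-line filter over its CSV output finds the placeholder files without a hex editor. Keeping the unknown bits visible rather than silently dropping them is what makes a value like 0x00401620 stand out in the first place.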
Summary
As you can see, you can use $MFT to find files on the disk which do not hold any real content. That may be very useful during your investigations. For example, you may be asked to find out what files were exfiltrated during the breach. Let’s say you know what folder was accessed by the attacker, or maybe what folder was archived and sent out. Having that information, you would probably use $MFT to see what files were available under the path in question. But what if some files sitting there were not synchronized? If you listed them in the report for the client, you would basically provide incorrect information! That information in turn could impact the client’s reputation or even lead to financial penalties. OneDrive synchronization may be stopped for SEVERAL different reasons, not only because there is no network connection.

Great information!
Take a look at Costas K.’s “MFT_Browser” (https://github.com/kacos2000/MFT_Browser). It not only reconstructs a navigable directory tree from an $MFT, but allows you to drill into the details (“Node Properties”) of a file record.
His “MFT_Record_Viewer” module also has great information on the $MFT structure, which pointed me toward Microsoft’s documentation on “File Attribute Constants” (https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants), which lists the “04 00” attribute flag (https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants#:~:text=FILE_ATTRIBUTE_RECALL_ON_OPEN,a%20remote%20store.) as:
“FILE_ATTRIBUTE_RECALL_ON_OPEN
262144 (0x40000)
This attribute only appears in directory enumeration classes (FILE_DIRECTORY_INFORMATION, FILE_BOTH_DIR_INFORMATION, etc.). When this attribute is set, it means that the file or directory has no physical representation on the local system; the item is virtual. Opening the item will be more expensive than normal, e.g. it will cause at least some of it to be fetched from a remote store.”