akde/infosec

Information security is ultimately about managing risk


File and directory integrity levels

C:\Users\User>icacls hallo
hallo NT AUTHORITY\SYSTEM:(I)(F)
      BUILTIN\Administrators:(I)(F)
      WINDEV2012EVAL\User:(I)(F)
      Mandatory Label\High Mandatory Level:(NW)

(I)(F) means that the corresponding user or group has Full (F) access to the file and that this ACE was inherited (I) from the parent directory rather than set explicitly on the file itself.

Note that Read (R) on its own is enough to run a script, because only the interpreter needs to read it; a native executable also needs the Execute/traverse right (X), which is why icacls offers the combined RX right.

Mandatory labels add an integrity check on top of the DACL: the policy in parentheses says what a process running at a lower integrity level than the label is denied, regardless of the rights the ACEs grant it. (NW) is No Write Up, the usual default: a lower-integrity process may still read the file but cannot modify it. (NR) No Read Up and (NX) No Execute Up also exist. The integrity level of the current process is listed by whoami /groups as a Mandatory Label\... entry (whoami /priv shows privileges, not the level). The levels are, from lowest to highest: untrusted, low, medium, high, system, installer.

Alternative method: use accesschk.exe from the Sysinternals Suite:

accesschk.exe /accepteula $dir

Set permissions

Grant a user full control of a directory, inherited by the files (OI) and subdirectories (CI) below it:

icacls $dir /grant $user:(OI)(CI)(F)

Grant read and execute on a directory to another user, or to all users. (OI) alone is inherited only by files; subdirectories receive it as an inherit-only ACE and cannot themselves be listed by that user, so for a whole tree use (OI)(CI)(RX). /grant adds to the existing ACEs, /grant:r replaces the rights previously granted to that user:

icacls $dir /grant $user:(OI)(RX)
icacls $dir /grant everyone:(OI)(RX)

The flags are explained in the usage text of icacls itself (icacls /?):

perm is a permission mask and can be specified in one of two forms:
    a sequence of simple rights:
            N - no access
            F - full access
            M - modify access
            RX - read and execute access
            R - read-only access
            W - write-only access
            D - delete access
    a comma-separated list in parentheses of specific rights:
            DE - delete
            RC - read control
            WDAC - write DAC
            WO - write owner
            S - synchronize
            AS - access system security
            MA - maximum allowed
            GR - generic read
            GW - generic write
            GE - generic execute
            GA - generic all
            RD - read data/list directory
            WD - write data/add file
            AD - append data/add subdirectory
            REA - read extended attributes
            WEA - write extended attributes
            X - execute/traverse
            DC - delete child
            RA - read attributes
            WA - write attributes
    inheritance rights may precede either form and are applied
    only to directories:
            (OI) - object inherit
            (CI) - container inherit
            (IO) - inherit only
            (NP) - don't propagate inherit
            (I) - permission inherited from parent container
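Reading icacls output by hand does not scale to a whole directory tree. The following is an added example, not from this page and not part of icacls, that parses icacls output and flags ACEs where a low-privileged principal such as Everyone or BUILTIN\Users gets write-capable rights (F, M, W, D or the specific WD, AD, WDAC, WO, DE, DC, GW, GA), keeping the mandatory label separate from the ACEs. The listing it runs on is constructed for the example; which principals count as low-privileged and which rights count as write-capable are the example's own assumptions. It relies on icacls indenting continuation lines by the length of the path plus one space, which is how paths containing spaces are recovered.

```python
import re

# One ACE as icacls prints it: principal:(flag)(flag)...(rights)
ACE_RE = re.compile(r"^(?P<principal>[^:()]+?):(?P<tokens>(?:\([^()]*\))+)\s*$")
TOKEN_RE = re.compile(r"\(([^()]*)\)")
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
LABEL_PREFIX = "mandatory label\\"
# Assumption of this example: principals every local user belongs to (matched case-insensitively)
LOW_PRIV = {"everyone", "builtin\\users", "users", "authenticated users",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# Assumption of this example: simple and specific rights that allow changing the object
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "DE", "DC", "GW", "GA"}


def parse_ace(text):
    """Split 'principal:(I)(OI)(F)' into principal, inheritance flags, deny bit and rights."""
    m = ACE_RE.match(text.strip())
    if not m:
        return None
    tokens = TOKEN_RE.findall(m.group("tokens"))
    flags = [t for t in tokens if t in INHERIT_FLAGS or t == "DENY"]
    rights = set()
    for t in tokens:
        if t not in flags:
            rights.update(x.strip() for x in t.split(","))  # handles the "(RD,WD,X)" form
    return {"principal": m.group("principal").strip(), "flags": flags,
            "deny": "DENY" in flags, "inherited": "I" in flags, "rights": rights}


def parse_icacls(text):
    """Group icacls output into one entry per path.

    icacls prints the first ACE on the same line as the path and indents the
    remaining ACEs by len(path)+1 spaces; that indentation is what lets a path
    containing spaces be split from its first ACE reliably."""
    blocks, cur = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":          # a new path starts at column 0
            if cur:
                blocks.append(cur)
            cur = [line]
        else:
            cur.append(line)
    if cur:
        blocks.append(cur)
    entries = []
    for first, *rest in blocks:
        if rest:
            indent = len(rest[0]) - len(rest[0].lstrip(" "))
            path, first_ace = first[:indent].rstrip(), first[indent:]
        else:  # single ACE: fall back to the first space (only safe for paths without spaces)
            path, _, first_ace = first.partition(" ")
        aces = [a for a in map(parse_ace, [first_ace, *rest]) if a]
        if not aces:
            continue  # e.g. the "Successfully processed N files" summary line
        label = next((a for a in aces if a["principal"].lower().startswith(LABEL_PREFIX)), None)
        entries.append({"path": path, "label": label,
                        "aces": [a for a in aces if a is not label]})
    return entries


def find_weak_aces(text):
    """Allow-ACEs that give a low-privileged principal write-capable rights.
    On an executable or its directory this is the classic privilege escalation."""
    findings = []
    for e in parse_icacls(text):
        for a in e["aces"]:
            if a["deny"] or a["principal"].lower() not in LOW_PRIV:
                continue
            writable = a["rights"] & WRITE_RIGHTS
            if writable:
                findings.append({"path": e["path"], "principal": a["principal"],
                                 "rights": sorted(writable), "inherited": a["inherited"]})
    return findings


# Constructed sample of icacls output for this example, not a real system's listing.
SAMPLE = "\n".join([
    r"C:\My Tools\agent.exe BUILTIN\Users:(I)(F)",
    " " * 22 + r"NT AUTHORITY\SYSTEM:(I)(F)",
    " " * 22 + r"BUILTIN\Administrators:(I)(F)",
    " " * 22 + r"Mandatory Label\High Mandatory Level:(NW)",
    "",
    r"C:\My Tools NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    " " * 12 + r"BUILTIN\Administrators:(OI)(CI)(F)",
    " " * 12 + r"BUILTIN\Users:(OI)(CI)(M)",
    " " * 12 + r"Everyone:(OI)(CI)(RX)",
    " " * 12 + r"Everyone:(DENY)(OI)(CI)(IO)(D)",
    "",
    "Successfully processed 2 files; Failed processing 0 files",
])

if __name__ == "__main__":
    for f in find_weak_aces(SAMPLE):
        src = "inherited" if f["inherited"] else "explicit"
        print(f"{f['path']}: {f['principal']} has {','.join(f['rights'])} ({src})")
```

Feed it the saved output of icacls over a tree (icacls $dir /T /C) or over the binaries of installed services; an explicit, non-inherited ACE for Users on an executable that runs as SYSTEM is the finding to look for first, while a deny ACE is skipped because it grants nothing.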

ADS Alternate Data Streams

  • In NTFS, a stream is a property of a file; the normal content is the unnamed data stream, addressed as file::$DATA.
  • A file can have multiple streams, each referenced by a name.
  • A stream is accessed via :$streamName appended to the file name.
    • Example: for the file a.txt, there could be the streams a.txt:alpha or a.txt:hidden.
    • It can be read with more < a.txt:hidden (type does not accept a stream path, redirection does), and dir /r lists the streams of every file; plain dir and Explorer show neither the streams nor their size.
    • The best-known stream is Zone.Identifier, the mark of the web that browsers add to downloaded files.
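To find streams across a whole tree, dir /r /s lists every stream with its size. As an added example that is not part of this page, the following parses such a listing and separates the benign Zone.Identifier streams from the ones that actually hide data. The listing is constructed for the example, and its file names, stream names and sizes are made up.

```python
import re

# One stream line from "dir /r": leading spaces, size, then file:stream:$DATA
STREAM_RE = re.compile(r"^\s+([\d,.]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
MOTW = "Zone.Identifier"  # mark of the web written by browsers; benign but worth noting


def parse_dir_streams(text):
    """Return every alternate data stream listed by 'dir /r [/s]' as a dict."""
    streams, current_dir = [], ""
    for line in text.splitlines():
        d = DIR_RE.match(line)
        if d:
            current_dir = d.group(1)  # "Directory of ..." headers group the listing
            continue
        m = STREAM_RE.match(line)
        if m:
            size = int(re.sub(r"[,.]", "", m.group(1)))  # thousands separator varies by locale
            streams.append({"dir": current_dir, "file": m.group(2),
                            "stream": m.group(3), "size": size})
    return streams


def triage(streams, min_size=0):
    """Keep streams that are not the mark of the web, i.e. the ones that hide data."""
    return [s for s in streams if s["stream"] != MOTW and s["size"] >= min_size]


# Constructed sample output of "dir /r" for this example, not a real listing.
SAMPLE = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\Users\User\Downloads

19.02.2024  10:12    <DIR>          .
19.02.2024  10:12    <DIR>          ..
19.02.2024  10:11                12 a.txt
                                 26 a.txt:hidden:$DATA
19.02.2024  10:05           204,800 tool.exe
                                 26 tool.exe:Zone.Identifier:$DATA
                          1,048,576 tool.exe:payload:$DATA
               2 File(s)        204,812 bytes
               2 Dir(s)  40,000,000,000 bytes free
"""

if __name__ == "__main__":
    for s in triage(parse_dir_streams(SAMPLE)):
        print(f"{s['dir']}\\{s['file']}:{s['stream']}  {s['size']} bytes")
```

Run dir /r /s from the root of the volume, save the output, and pass it through triage; a large stream behind a small or innocuous-looking file is the one to extract with more < file:stream and inspect.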

Journaling

NTFS stores its transaction log in the special file $LogFile. It exists to keep the file system metadata consistent after a crash and is of limited use for reconstructing user activity.

The USN (Update Sequence Number) change journal is stored in the special file $Extend\$UsnJrnl; the records live in its $J stream and the journal settings in the $Max stream. Every change to a file or directory (create, write, rename, delete, attribute change) appends a record carrying the file reference number, a timestamp, the reason flags and the file name; the USN itself is the byte offset of the record within $J and therefore only grows. Backup and indexing tools use it to find what changed since their last run. For incident analysis it is the place where deleted files and old file names survive: a rename produces one record with the old name and one with the new name, and a deletion produces a FILE_DELETE record with the name that was removed. Whether the journal is active on a live system can be checked with fsutil usn queryjournal.

Extract the journals from an image

TODO


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
