Difference between revisions of "Summerschool Aachen 2004/Forensics Lab"
(→Analysing the ufs.image.gz file system image) |
|||
| Line 7: | Line 7: | ||
I looked at the image ufs.image (available from [http://discovery.informatik.rwth-aachen.de/pub/summerschool/Forensics/DiskImages/ufs.image.gz here]). First I tried to recognise what file system it is. For this I used the header file [http://fxr.watson.org/fxr/source/ufs/ffs/fs.h fs.h] that contains the structures and magic fields of the ufs and ufs2 file systems. | I looked at the image ufs.image (available from [http://discovery.informatik.rwth-aachen.de/pub/summerschool/Forensics/DiskImages/ufs.image.gz here]). First I tried to recognise what file system it is. For this I used the header file [http://fxr.watson.org/fxr/source/ufs/ffs/fs.h fs.h] that contains the structures and magic fields of the ufs and ufs2 file systems. | ||
| + | |||
| + | I first looked for the magic value of ufs2 ("0x19540119"). Just to check I looked for the ufs (1) magic value ("0x011954") which was not found. | ||
| + | |||
| + | George@GD216 ~/hdimage | ||
| + | $ xxd.exe -a -g 4 ufs.image | grep "19015419" | ||
| + | 0044550: 00000000 00000000 00000000 19015419 ..............T. | ||
Revision as of 14:57, 5 October 2004
Notes on Presentations
Notes on Lab Session
Analysing the ufs.image.gz file system image
I looked at the image ufs.image (available from here). First I tried to recognise what file system it is. For this I used the header file fs.h that contains the structures and magic fields of the ufs and ufs2 file systems.
I first looked for the magic value of ufs2 ("0x19540119"). Just to check I looked for the ufs (1) magic value ("0x011954") which was not found.
George@GD216 ~/hdimage $ xxd.exe -a -g 4 ufs.image | grep "19015419" 0044550: 00000000 00000000 00000000 19015419 ..............T.
