Difference between revisions of "Summerschool Aachen 2004/Forensics Lab"
Mario Manno (talk | contribs)
Revision as of 15:20, 5 October 2004
Notes on Lab Session
Analysing the ufs.image.gz file system image
I looked at the image ufs.image (available from here). First I tried to recognise which file system it is. For this I used the header file fs.h, which contains the structures and magic fields of the UFS1 and UFS2 file systems.
I first looked for the UFS2 magic value (0x19540119). Just to check, I also looked for the UFS1 magic value (0x011954), which was not found.
    George@GD216 ~/hdimage $ xxd.exe -a -g 4 ufs.image | grep "19015419"
    0044550: 00000000 00000000 00000000 19015419  ..............T.
I then looked for the cylinder groups in the file system. The records have the following structure:
    #define CG_MAGIC 0x090255

    struct cg {
        int32_t cg_firstfield;     /* historic cyl groups linked list */
        int32_t cg_magic;          /* magic number */
        int32_t cg_old_time;       /* time last written */
        int32_t cg_cgx;            /* we are the cgx'th cylinder group */
        int16_t cg_old_ncyl;       /* number of cyl's this cg */
        int16_t cg_old_niblk;      /* number of inode blocks this cg */
        int32_t cg_ndblk;          /* number of data blocks this cg */
        struct csum cg_cs;         /* cylinder summary information */
        int32_t cg_rotor;          /* position of last used block */
        int32_t cg_frotor;         /* position of last used frag */
        int32_t cg_irotor;         /* position of last used inode */
        [...]
Looking for the magic number yields 4 cylinder groups. Note that the second, third and fourth have been modified at the same time (probably when the file system was created - time 1096997352), while the first one was modified subsequently (time 1096997738). Therefore we should look for interesting files in there!
    George@GD216 ~/hdimage $ xxd.exe -a -g 4 ufs.image | grep "55020900"
    0008000: 00000000 55020900 6adb6241 00000000  ....U...j.bA....
    040c000: 00000000 55020900 e8d96241 01000000  ....U.....bA....
    0810000: 00000000 55020900 e8d96241 02000000  ....U.....bA....
    0c14000: 00000000 55020900 e8d96241 03000000  ....U.....bA....
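The same search done programmatically, as an added example that is not part of the original lab notes. The grep strings above are the little-endian byte images of the constants from fs.h: 0x19540119 is stored as 19 01 54 19 and CG_MAGIC 0x090255 as 55 02 09 00, which is why xxd shows them "reversed". The script scans a constructed image that reproduces only the bytes visible in the two dumps above (it is not the real ufs.image), decodes the leading struct cg fields (cg_magic, cg_old_time, cg_cgx) and flags the cylinder group whose timestamp is newer than the rest. The function names and the sample image are assumptions made for illustration.

```python
"""Scan a raw UFS image for superblock and cylinder-group magic values.

Added example (not from the lab page): does what the xxd | grep searches
above do, but decodes the struct cg header instead of reading the hex dump.
"""
import struct
from datetime import datetime, timezone

# Magic values from <ufs/ffs/fs.h>; stored little-endian on an x86-written image.
UFS1_MAGIC = 0x011954
UFS2_MAGIC = 0x19540119
CG_MAGIC = 0x090255

# Leading fields of struct cg, little-endian:
#   int32 cg_firstfield, int32 cg_magic, int32 cg_old_time, int32 cg_cgx
CG_HEAD = struct.Struct("<iIii")


def find_all(image, magic):
    """Return every byte offset at which `magic` appears as a little-endian uint32."""
    needle = struct.pack("<I", magic)
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def detect_ufs(image):
    """Return 'ufs2', 'ufs1' or None depending on which superblock magic is present."""
    if find_all(image, UFS2_MAGIC):
        return "ufs2"
    if find_all(image, UFS1_MAGIC):
        return "ufs1"
    return None


def cylinder_groups(image):
    """Parse the header of every struct cg located via CG_MAGIC.

    cg_magic is the second int32 of the struct, so the struct starts 4 bytes
    before each hit. Returns a list of dicts in offset order.
    """
    groups = []
    for hit in find_all(image, CG_MAGIC):
        start = hit - 4
        if start < 0 or start + CG_HEAD.size > len(image):
            continue  # hit too close to an image boundary to be a full header
        _first, _magic, old_time, cgx = CG_HEAD.unpack_from(image, start)
        groups.append({
            "offset": start,
            "cgx": cgx,
            "time": old_time,
            "utc": datetime.fromtimestamp(old_time, timezone.utc).isoformat(),
        })
    return groups


def later_modified(groups):
    """Return the cylinder groups whose cg_old_time is newer than the oldest one.

    On a freshly created file system every cg carries the creation timestamp;
    a cg with a newer time is where data was written afterwards.
    """
    if not groups:
        return []
    base = min(g["time"] for g in groups)
    return [g for g in groups if g["time"] > base]


def sample_image():
    """Constructed image reproducing only the bytes shown in the xxd output above."""
    img = bytearray(0x0C14000 + 0x10)          # zero-filled stand-in, not the real ufs.image
    img[0x4455C:0x44560] = struct.pack("<I", UFS2_MAGIC)
    cgs = [(0x0008000, 1096997738, 0), (0x040C000, 1096997352, 1),
           (0x0810000, 1096997352, 2), (0x0C14000, 1096997352, 3)]
    for off, t, cgx in cgs:
        CG_HEAD.pack_into(img, off, 0, CG_MAGIC, t, cgx)
    return bytes(img)


if __name__ == "__main__":
    img = sample_image()
    print("file system:", detect_ufs(img))
    groups = cylinder_groups(img)
    for g in groups:
        print(f"cg {g['cgx']} at {g['offset']:#09x} last written {g['utc']}")
    print("modified after creation:", [g["cgx"] for g in later_modified(groups)])
```

Scanning the whole image for a magic value, as the grep did, is a quick way to orient yourself but can produce false hits in file data; on a real image confirm the hit against the superblock location (fs.h defines SBLOCK_UFS2 as 65536, and fs_magic sits 1372 bytes into struct fs, which is why the dump above lands on an address ending in 0x55c).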
reiserfs read-only mount
mount seems to change a reiserfs image only if it operates on a device:
if you access the image file directly, the image won't change;
if you don't use -o ro, the image will certainly change.
    # no change
    mount -o loop,ro -t reiserfs testreiser test

    # change
    losetup /dev/loop0 testreiser
    mount -o ro -t reiserfs /dev/loop0 test

    # certain change
    mount -o loop -t reiserfs testreiser test
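A check a practitioner would want next to the three mount variants, added here as an example rather than taken from the lab page: hash the image before mounting and again after unmounting, so that "no change" is verified rather than assumed. The helper names and the usage sequence are assumptions; sha256sum (or shasum as a fallback) is assumed to be installed, and the mount commands themselves need root and are only shown in a comment, not executed by the script.

```shell
#!/bin/sh
# Added example (not from the lab page): detect whether an image file was
# altered across a mount/umount cycle by comparing SHA-256 digests.
# Assumes sha256sum (coreutils) or shasum (perl) is available.

# image_hash FILE
#   Print the SHA-256 digest of FILE.
image_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_unchanged FILE DIGEST
#   Return 0 if FILE still hashes to DIGEST, 1 (with both digests printed) otherwise.
image_unchanged() {
    now=$(image_hash "$1")
    if [ "$now" = "$2" ]; then
        echo "unchanged: $1"
        return 0
    fi
    echo "CHANGED: $1"
    echo "  before: $2"
    echo "  after:  $now"
    return 1
}

# Usage against the page's test image (needs root; not executed here):
#   before=$(image_hash testreiser)
#   mount -o loop,ro -t reiserfs testreiser test && umount test
#   image_unchanged testreiser "$before"
```

Compare only after umount (and losetup -d for the device variant), since a file system may still write on unmount. For evidence you cannot afford to alter, do the experiment on a copy, and set the loop device up read-only with losetup -r so the kernel refuses writes regardless of the mount options.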