Difference between revisions of "Summerschool Aachen 2004/Forensics Lab"

From C4 Wiki

Revision as of 14:57, 5 October 2004

Notes on Presentations

Notes on Lab Session

Analysing the ufs.image.gz file system image

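I looked at the image ufs.image (available from [http://discovery.informatik.rwth-aachen.de/pub/summerschool/Forensics/DiskImages/ufs.image.gz here]). First I tried to recognise what file system it is. For this I used the header file [http://fxr.watson.org/fxr/source/ufs/ffs/fs.h fs.h] that contains the structures and magic fields of the ufs and ufs2 file systems.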

I first looked for the magic value of ufs2 ("0x19540119"). Just to check, I looked for the ufs (1) magic value ("0x011954"), which was not found.

George@GD216 ~/hdimage
$ xxd.exe -a -g 4 ufs.image | grep "19015419"
0044550: 00000000 00000000 00000000 19015419  ..............T.
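
The xxd/grep search above only matches the magic when it is stored little-endian and falls inside one 4-byte group of the dump. The following Python sketch is an added example, not part of the original lab notes; it generalises the search to both magic values in both byte orders at any alignment and derives where the enclosing superblock would begin. The function names are hypothetical, the sample image is constructed from the bytes in the xxd output, and the position of fs_magic inside struct fs (byte 1372) is an assumption taken from the layout in fs.h.

```python
import struct
import sys

# Magic numbers from fs.h (FS_UFS1_MAGIC, FS_UFS2_MAGIC).
MAGICS = {"ufs1": 0x00011954, "ufs2": 0x19540119}
# Assumption: fs_magic is the last 32-bit field of struct fs, at byte 1372 (0x55c).
FS_MAGIC_OFFSET = 1372


def find_ufs_magic(data):
    """Return sorted (offset, fs_type, byte_order) for every magic hit in data."""
    hits = []
    for name, magic in MAGICS.items():
        for order, fmt in (("little", "<I"), ("big", ">I")):
            needle = struct.pack(fmt, magic)
            pos = data.find(needle)
            while pos != -1:
                hits.append((pos, name, order))
                pos = data.find(needle, pos + 1)
    return sorted(hits)


def superblock_start(magic_offset):
    """Byte offset where the superblock holding this magic would begin."""
    return magic_offset - FS_MAGIC_OFFSET


def build_sample():
    """Constructed 512 KiB image: zeros plus the 4 bytes shown in the xxd output."""
    img = bytearray(512 * 1024)
    img[0x4455C:0x44560] = bytes.fromhex("19015419")
    return bytes(img)


if __name__ == "__main__":
    # Pass a path to scan a real image; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample()
    for off, name, order in find_ufs_magic(data):
        print(f"{name} magic ({order}-endian) at 0x{off:x}, "
              f"superblock would start at 0x{superblock_start(off):x}")
```

A 4-byte match on its own can be coincidental, so each hit is a candidate superblock to inspect further, not proof of the file system type.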