Summerschool Aachen 2004/Forensics Lab

From C4 Wiki
Revision as of 15:03, 5 October 2004

Notes on Presentations

Notes on Lab Session

Analysing the ufs.image.gz file system image

I looked at the image ufs.image (available from here). First I tried to recognise which file system it is. For this I used the header file fs.h, which contains the structures and magic values of the UFS1 and UFS2 file systems.

I first looked for the UFS2 magic value (0x19540119). The image was written by a little-endian (x86) host, so the magic is stored byte-reversed and the string to look for in the dump is "19015419". Just to check I also looked for the UFS1 magic value (0x011954, which would appear as "54190100"), which was not found. Two things to keep in mind with this search: xxd -g 4 prints the dump in 4-byte groups, so the grep only matches a value that starts on a 4-byte boundary (fine here, since the superblock and the cylinder-group headers start on fragment boundaries); and fs_magic sits 1372 bytes (0x55c) into struct fs, so the match at 0x4455c means this copy of the superblock starts at 0x44000.

George@GD216 ~/hdimage
$ xxd.exe -a -g 4 ufs.image | grep "19015419"
0044550: 00000000 00000000 00000000 19015419  ..............T.

I then looked for the cylinder groups in the file system. Each one starts with a struct cg (from fs.h), whose leading fields are:

#define CG_MAGIC        0x090255
struct cg {
        int32_t  cg_firstfield;         /* historic cyl groups linked list */
        int32_t  cg_magic;              /* magic number */
        int32_t  cg_old_time;           /* time last written */
        int32_t  cg_cgx;                /* we are the cgx'th cylinder group */
        int16_t  cg_old_ncyl;           /* number of cyl's this cg */
        int16_t  cg_old_niblk;          /* number of inode blocks this cg */
        int32_t  cg_ndblk;              /* number of data blocks this cg */
        struct  csum cg_cs;             /* cylinder summary information */
        int32_t  cg_rotor;              /* position of last used block */
        int32_t  cg_frotor;             /* position of last used frag */
        int32_t  cg_irotor;             /* position of last used inode */
[...]

Searching for the magic number (again byte-reversed, "55020900") yields four cylinder groups. In each dump line the second word is cg_magic, the third is cg_old_time and the fourth is cg_cgx; the times are little-endian too, so 6adb6241 is 0x4162db6a = 1096997738 and e8d96241 is 0x4162d9e8 = 1096997352. The second, third and fourth groups (cg_cgx 1, 2 and 3) were last written at the same time, probably when the file system was created (time 1096997352), while the first group (cg_cgx 0) was written subsequently (time 1096997738). Therefore we should look for interesting files in there!

George@GD216 ~/hdimage
$ xxd.exe -a -g 4 ufs.image | grep "55020900"
0008000: 00000000 55020900 6adb6241 00000000  ....U...j.bA....
040c000: 00000000 55020900 e8d96241 01000000  ....U.....bA....
0810000: 00000000 55020900 e8d96241 02000000  ....U.....bA....
0c14000: 00000000 55020900 e8d96241 03000000  ....U.....bA....
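The two searches above (the UFS2 superblock magic and the cylinder-group magic) and the decoding of cg_old_time and cg_cgx can be done in one script instead of by eye. The following is an added example, not code from the original lab notes: it assumes the image was written by a little-endian host, that fs_magic is at byte 1372 of struct fs, and that the leading fields of struct cg are laid out as in the excerpt above. The image it builds for itself is constructed for this example, with only the offsets, magics and timestamps visible in the hexdumps on the page; pass a real image path as the first argument to run it on ufs.image.

```python
#!/usr/bin/env python3
"""Locate the UFS2 superblock and cylinder-group headers in a raw image.

Added example (not code from the original lab notes): it does programmatically
what the two xxd/grep searches do by hand and decodes cg_old_time and cg_cgx
from every struct cg it finds, so the group written after the others stands
out. The image returned by build_sample_image() is constructed for this
example; its offsets, magics and timestamps are the ones visible on the page.
"""
import struct
import sys
from datetime import datetime, timezone

FS_UFS1_MAGIC = 0x011954    # fs_magic of a UFS1 file system
FS_UFS2_MAGIC = 0x19540119  # fs_magic of a UFS2 file system
CG_MAGIC = 0x090255         # cg_magic of every cylinder group
FS_MAGIC_OFFSET = 1372      # byte offset of fs_magic inside struct fs (assumed)
CG_MAGIC_OFFSET = 4         # byte offset of cg_magic inside struct cg

# Leading fields of struct cg (fs.h) as written by a little-endian x86 host:
# cg_firstfield, cg_magic, cg_old_time, cg_cgx, cg_old_ncyl, cg_old_niblk, cg_ndblk
CG_HEADER = struct.Struct("<iIIihhi")


def scan_u32(image, value, align=4):
    """Offsets of every aligned little-endian 32-bit `value` in `image`.

    Mirrors `xxd -g 4 | grep`: the magic is stored in host byte order, so
    0x19540119 shows up in the dump as "19015419", and only a value that
    starts on a 4-byte boundary appears as one contiguous group.
    """
    needle = struct.pack("<I", value)
    hits, pos = [], image.find(needle)
    while pos != -1:
        if pos % align == 0:
            hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def identify_fs(image):
    """Return ('ufs2' | 'ufs1' | None, [superblock offsets])."""
    for name, magic in (("ufs2", FS_UFS2_MAGIC), ("ufs1", FS_UFS1_MAGIC)):
        hits = scan_u32(image, magic)
        if hits:
            # fs_magic sits 1372 bytes into struct fs, so each copy of the
            # superblock (primary or backup) starts that far before the hit.
            return name, [h - FS_MAGIC_OFFSET for h in hits]
    return None, []


def parse_cg(image, off):
    """Decode the leading fields of the struct cg that starts at `off`."""
    _first, magic, old_time, cgx, ncyl, niblk, ndblk = CG_HEADER.unpack_from(image, off)
    if magic != CG_MAGIC:
        raise ValueError("no cylinder group at 0x%x" % off)
    return {"offset": off, "cgx": cgx, "time": old_time,
            "when": datetime.fromtimestamp(old_time, timezone.utc).isoformat(),
            "ncyl": ncyl, "niblk": niblk, "ndblk": ndblk}


def find_cylinder_groups(image):
    """Every cylinder group in the image, ordered by cg_cgx."""
    groups = [parse_cg(image, hit - CG_MAGIC_OFFSET)
              for hit in scan_u32(image, CG_MAGIC)]
    return sorted(groups, key=lambda g: g["cgx"])


def groups_written_later(groups):
    """Groups whose cg_old_time is newer than the oldest (newfs) time.

    Right after newfs every group carries the same timestamp; a group
    written again later is where the changed data lives.
    """
    created = min(g["time"] for g in groups)
    return [g for g in groups if g["time"] > created]


def build_sample_image():
    """Constructed stand-in for ufs.image: zero-filled, with the UFS2 magic
    and four struct cg headers at the offsets seen in the hexdumps."""
    img = bytearray(0xC14000 + 0x1000)
    struct.pack_into("<I", img, 0x4455C, FS_UFS2_MAGIC)
    for off, t, cgx in ((0x008000, 1096997738, 0), (0x40C000, 1096997352, 1),
                        (0x810000, 1096997352, 2), (0xC14000, 1096997352, 3)):
        CG_HEADER.pack_into(img, off, 0, CG_MAGIC, t, cgx, 0, 0, 0)
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    kind, sbs = identify_fs(data)
    print("file system: %s, superblock copies at %s" % (kind, [hex(s) for s in sbs]))
    cgs = find_cylinder_groups(data)
    for g in cgs:
        print("cg %d at 0x%07x last written %s (%d)" % (g["cgx"], g["offset"], g["when"], g["time"]))
    for g in groups_written_later(cgs):
        print("cg %d was written after the others: look there first" % g["cgx"])
```

On the constructed image the script reports a UFS2 superblock copy at 0x44000, four cylinder groups at 0x8000, 0x40c000, 0x810000 and 0xc14000, and singles out cg 0 as the one written after the newfs time. The alignment filter in scan_u32 reproduces the blind spot of grepping xxd output; drop it (align=1) when hunting for structures that need not be word-aligned.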