Summerschool Aachen 2004/Forensics Lab

From C4 Wiki

Notes on Presentations

Notes on Lab Session

Analysing the ufs.image.gz file system image

I looked at the image ufs.image (available from here). First I tried to recognise what file system it is. For this I used the header file fs.h that contains the structures and magic fields of the ufs and ufs2 file systems.

I first looked for the magic value of ufs2 ("0x19540119"). Just to check, I also looked for the ufs (1) magic value ("0x011954"), which was not found.

George@GD216 ~/hdimage
$ xxd.exe -a -g 4 ufs.image | grep "19015419"
0044550: 00000000 00000000 00000000 19015419  ..............T.

I then looked for the cylinder groups in the file system. The records have the following structure:

#define CG_MAGIC        0x090255
struct cg {
        int32_t  cg_firstfield;         /* historic cyl groups linked list */
        int32_t  cg_magic;              /* magic number */
        int32_t  cg_old_time;           /* time last written */
        int32_t  cg_cgx;                /* we are the cgx'th cylinder group */
        int16_t  cg_old_ncyl;           /* number of cyl's this cg */
        int16_t  cg_old_niblk;          /* number of inode blocks this cg */
        int32_t  cg_ndblk;              /* number of data blocks this cg */
        struct  csum cg_cs;             /* cylinder summary information */
        int32_t  cg_rotor;              /* position of last used block */
        int32_t  cg_frotor;             /* position of last used frag */
        int32_t  cg_irotor;             /* position of last used inode */

Looking for the magic number yields 4 cylinder groups. Note that the second, third and fourth have been modified at the same time (probably when the file system was created - time 1096997352), while the first one was modified subsequently (time 1096997738). Therefore we should look for interesting files in there!

George@GD216 ~/hdimage
$ xxd.exe -a -g 4 ufs.image | grep "55020900"
0008000: 00000000 55020900 6adb6241 00000000  ....U...j.bA....
040c000: 00000000 55020900 e8d96241 01000000  ....U.....bA....
0810000: 00000000 55020900 e8d96241 02000000  ....U.....bA....
0c14000: 00000000 55020900 e8d96241 03000000  ....U.....bA....
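As an added example (not part of the original lab notes), the same search done programmatically in Python. Both magics are stored little-endian on an x86 host, which is why xxd shows 0x19540119 as "19015419" and CG_MAGIC 0x090255 as "55020900"; the scanner decodes the four leading fields of struct cg quoted above (layout assumed as in the fs.h excerpt) and reports which cylinder group was written last. The image it scans is a constructed stand-in whose offsets and timestamps are copied from the xxd output, not the real ufs.image.

```python
import struct
from datetime import datetime, timezone

# Magic values as given in fs.h (quoted in the notes above).
FS_UFS2_MAGIC = 0x19540119
FS_UFS1_MAGIC = 0x011954
CG_MAGIC = 0x090255

# Leading fields of struct cg (see excerpt above), little-endian int32 each:
# cg_firstfield, cg_magic, cg_old_time, cg_cgx.
CG_HEAD = struct.Struct("<iiii")


def find_magic(image: bytes, magic: int):
    """Return every byte offset where `magic` occurs as a little-endian int32."""
    needle = struct.pack("<i", magic)
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def cylinder_groups(image: bytes):
    """Decode the header of every struct cg whose cg_magic is found.

    cg_magic is the second int32 of the struct, so the struct starts 4 bytes
    before each hit.  Returns (struct_offset, cg_cgx, cg_old_time) tuples.
    """
    groups = []
    for hit in find_magic(image, CG_MAGIC):
        start = hit - 4
        if start < 0:
            continue
        _first, _magic, old_time, cgx = CG_HEAD.unpack_from(image, start)
        groups.append((start, cgx, old_time))
    return groups


def latest_written(groups):
    """cg numbers carrying the newest cg_old_time: where recent activity went."""
    newest = max(t for _, _, t in groups)
    return [cgx for _, cgx, t in groups if t == newest]


def build_sample_image() -> bytes:
    """Constructed stand-in for ufs.image: four cg headers at the offsets and
    with the cg_old_time values seen in the xxd output, plus the UFS2 magic."""
    img = bytearray(0x0C14000 + 64)
    times = [1096997738, 1096997352, 1096997352, 1096997352]
    for cgx, off in enumerate([0x0008000, 0x040C000, 0x0810000, 0x0C14000]):
        CG_HEAD.pack_into(img, off, 0, CG_MAGIC, times[cgx], cgx)
    struct.pack_into("<i", img, 0x004455C, FS_UFS2_MAGIC)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("ufs2 magic at", [hex(o) for o in find_magic(img, FS_UFS2_MAGIC)])
    for off, cgx, t in cylinder_groups(img):
        when = datetime.fromtimestamp(t, timezone.utc)
        print(f"cg {cgx} at {off:#09x} last written {t} ({when:%Y-%m-%d %H:%M:%S} UTC)")
    print("most recently written cg(s):", latest_written(cylinder_groups(img)))
```

Run against the real image by replacing build_sample_image() with the file's bytes; a CG_MAGIC byte pattern can also occur inside file data, so treat hits whose cg_cgx values are not consecutive as candidates to verify by hand.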

reiserfs read-only mount

mount seems to change reiserfs only if it operates on a device: if you access the file directly the image won't change; if you don't use -o ro the image will certainly change.

# no change 
mount -o loop,ro -t reiserfs testreiser test

# change
losetup /dev/loop0 testreiser
mount -o ro -t reiserfs /dev/loop0 test

# certain change
mount -o loop -t reiserfs testreiser test