
CSCS496 Computer Forensics

Lecture 9 Introducing Unix for Forensics Winter 2010. CSCS496 Computer Forensics. Introduction. Unix/Linux systems, different than Windows Non-proprietary Open source code available to all Good guys and less good guys All have access and develop tools Unix/Linux has many variations


Presentation Transcript


  1. Lecture 9 Introducing Unix for Forensics Winter 2010 CSCS496 Computer Forensics

  2. Introduction
  • Unix/Linux systems are different from Windows
    • Non-proprietary
    • Open source code available to all
    • Good guys and less good guys all have access and develop tools
  • Unix/Linux has many variations
    • Sun Solaris, AIX, HP-UX, Linux (more all the time), OpenBSD, FreeBSD plus others

  3. Introduction
  • Most e-commerce Web sites and corporate financial DBs run on Unix or Linux systems
  • Most Unix distributions have their own system utilities
    • Need to know which ones are good for forensics analysis
  • Unix/Linux file systems are substantially different from Windows
    • Look at these file systems today

  4. Unix File Concept
  • To UNIX, everything is a file
    • Writing to a hard disk is writing to a file
    • Reading from the keyboard is reading from a file
    • Storing backups on a tape device is writing to a file
    • Even reading from memory is reading from a file
  • If the file from which you are trying to read or to which you are trying to write is a "normal" file, the process is easy to understand: the file is opened and you read or write data
  • If the device you want to access is a special device file, work needs to be done before the read or write operation can begin

  5. File Types in Unix
  • Five types of files are supported; we talk about four of them
    • Simple file
    • Directory
    • Symbolic (soft) link
    • Special file
    • Named pipe (FIFO) (won't discuss this type)

  6. File Types in Unix
  • Simple file
    • Used to store information and data on a secondary storage device (disk)
    • Contains source code, executable programs, pictures, video and audio streams
    • Unix doesn't impose a naming convention like Windows
    • Traditional extensions recognized by Unix users: .c, .txt, .ps, .html, .gif and .jpg

  7. File Types in Unix
  • Directory
    • Contains names of other files or directories
    • Also contains file inode numbers
    • An inode is an index node associated with a file when it is created
    • An index created by the kernel into a file table that tracks all files in the system
    • Also contains other information about the file: dates, size and ownership

  8. File Types in Unix
  • Link file
    • A link is a special type of file that allows one file to be shared by two directories without duplicating it
    • Symbolic or hard link to an existing file
    • More on next slide ...
  • Special file (device)
    • A special file allows access to hardware devices: printer, CD and DVD drives, hard disk etc.
    • Found in the /dev directory
    • More on this later ...

  9. Link File Type
  • Most UNIX file systems, including ext2, support a file type known as a link ... (now ext3, ext4)
  • There are two types of links, hard links and soft or symbolic links
  • Links allow files to appear in more than one directory
  • Hard links cannot span file systems; a hard link is an additional reference to a file stored in that file system
    • Deleting the "original" file will not remove the file until the last hard link has been removed as well (link count = zero)
  • A symbolic link is a special type of file that only stores the path to the "original" file, and this type of file can span file systems
    • Deleting a symbolic link will not delete the "original" file, and deleting the original file will not remove the link, but leaves it unresolved
    -rw-r--r-- 2 awilliam users 0 Oct 12 22:29 original
    -rw-r--r-- 2 awilliam users 0 Oct 12 22:29 original.hardlink
    lrwxrwxrwx 1 awilliam users 8 Oct 12 22:29 original.symlink -> original
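The hard-link and symbolic-link behaviour described on this slide, as an added example that is not part of the lecture: it recreates the three names from the listing in a temporary directory and records, through the inode, what survives when the original name is deleted.

```python
import os
import tempfile

def link_experiment():
    """Create a file, a hard link and a symlink, then delete the original and
    record what the directory entries and inodes look like (constructed data)."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        orig = os.path.join(d, "original")
        hard = os.path.join(d, "original.hardlink")
        sym = os.path.join(d, "original.symlink")
        with open(orig, "w") as f:
            f.write("evidence\n")
        os.link(orig, hard)            # second directory entry for the same inode
        os.symlink("original", sym)    # a new inode that only stores the path text
        st_orig, st_hard = os.stat(orig), os.stat(hard)
        st_sym = os.lstat(sym)         # lstat looks at the link itself, stat follows it
        result["same_inode"] = st_orig.st_ino == st_hard.st_ino
        result["link_count"] = st_orig.st_nlink           # both names count: 2
        result["symlink_inode_differs"] = st_sym.st_ino != st_orig.st_ino
        result["symlink_size"] = st_sym.st_size           # length of "original": 8
        os.unlink(orig)                # delete the "original" name only
        with open(hard) as f:
            result["data_survives"] = f.read() == "evidence\n"
        result["link_count_after"] = os.stat(hard).st_nlink   # 1: inode still live
        result["symlink_still_present"] = os.path.lexists(sym)  # the link file remains
        result["symlink_resolves"] = os.path.exists(sym)        # False: dangling
    return result
```

The same inode number behind two names and a size-8 symlink are exactly what the slide's `ls -l` listing shows with link counts 2 and 1.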

  10. Unix File Systems
  • At the root of each file system is the superblock
    • Describes and maintains state for the file system
  • Every object that is managed within a file system is represented in Linux as an inode
  • Inode structures
    • Every file in a Unix file system is accessed through an inode structure (short for index node)
    • Indexes the file's location
    • Contains information about the file's owner, permissions, access times, file size and pointers to data blocks

  11. Inode example – passwd file
  [Diagram: the root directory's data blocks list var: 163841, tmp: 212993, etc: 229377; the data blocks of the /etc directory (inode 229377) list passwd: 229505, group: 229509, fstab: 229747; inode 229505 holds owner/group ID, permissions, file type, time stamps, reference count, file size in bytes and data block numbers, which point to the passwd data blocks]

  12. Inode Structure for a file
  • The first twelve pointers point to the physical blocks containing the data described by this inode
  • The last three pointers contain more and more levels of indirection
  • Note: files less than or equal to twelve data blocks in length are more quickly accessed than larger files
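Added example (not from the lecture) that puts numbers on the twelve direct and three indirect pointers: for a given file block it reports which pointer the kernel follows and how many indirect blocks it must read first, assuming 4-byte block pointers and the 1024-byte block size used elsewhere in these slides.

```python
PTR_SIZE = 4                  # ext2 block pointers are 32-bit block numbers

def locate_block(file_block, block_size=1024):
    """Which inode pointer covers file block `file_block`, the index within that
    level, and how many indirect blocks are read before the data block itself."""
    per_block = block_size // PTR_SIZE        # pointers that fit in one indirect block
    if file_block < 12:
        return {"pointer": "direct", "index": file_block, "extra_reads": 0}
    file_block -= 12
    if file_block < per_block:
        return {"pointer": "single indirect", "index": file_block, "extra_reads": 1}
    file_block -= per_block
    if file_block < per_block ** 2:
        return {"pointer": "double indirect", "index": file_block, "extra_reads": 2}
    file_block -= per_block ** 2
    if file_block < per_block ** 3:
        return {"pointer": "triple indirect", "index": file_block, "extra_reads": 3}
    raise ValueError("beyond the largest file this block size can address")

def max_file_size(block_size=1024):
    """Largest file the 12 + 3 pointer scheme can address at this block size."""
    n = block_size // PTR_SIZE
    return (12 + n + n ** 2 + n ** 3) * block_size
```

With 1024-byte blocks the first 12 KiB of a file costs no extra reads, block 12 already needs the single-indirect block, and the scheme tops out at roughly 16 GiB.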

  13. Accessing the /etc/passwd file
  • First, look in the superblock of the file system
  • Find the sector of the inode number to locate the root directory
  • Then read the root directory to find the entry for the /etc directory
    • inode = 229377
  • Read its data blocks until the entry for passwd is found
    • Accesses inode = 229505
  • Read the data blocks associated with passwd

  14. Inode Information
  • stat /etc/passwd
    File: /etc/passwd
    Size: 614  Filetype: Regular File
    Mode: (0644/-rw-r--r--)  Uid: (0/root)  Gid: (0/root)
    Device: 3,5  Inode: 229505  Links: 1
    Access: Sat Apr 22 21:04:39 2004   (last read access)
    Modify: Thu Apr 20 21:31:52 2004   (last modify of file)
    Change: Thu Apr 20 21:31:52 2004   (last modify of file, or change to owner, access or number of links)

  15. Inode information
  • Linux maintains date and time stamps for files in the inode structure
    • Creation date, modification date, access date
    • Updated as changes are made to files
    • As in Windows, important for evidence
  • Permissions on files are important too
  • Get inode information other than with stat
    • ls -i gives the inode number
    • ls -F identifies the file type
    • ls -l gives long information: ownership, size, permissions
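Added example (not part of the lecture) showing how the three timestamps from the `stat` output on the previous slide behave: `describe()` reads the same inode fields, and the constructed scenario backdates a file's modify time and then changes its permissions, which is enough to see that mtime can be set from user space while ctime only moves forward.

```python
import os
import stat
import tempfile

def describe(path):
    """A subset of what `stat` prints: inode, link count, mode and the timestamps."""
    st = os.lstat(path)
    return {"inode": st.st_ino, "links": st.st_nlink,
            "mode": stat.filemode(st.st_mode),          # e.g. -rw-r--r-- as in ls -l
            "octal": oct(stat.S_IMODE(st.st_mode)),
            "atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}

def timestamp_experiment():
    """Constructed scenario: which operations move which timestamp, and why a
    ctime later than mtime deserves a second look during an examination."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "notes.txt")
        with open(p, "w") as f:
            f.write("x")
        os.chmod(p, 0o644)
        # Backdate atime and mtime to 2004-04-20 00:00:00 UTC, like the slide's dates...
        old = 1082419200.0
        os.utime(p, (old, old))
        before = describe(p)
        # ...but ctime cannot be set through utime(): the kernel stamps it with "now".
        out["mtime_backdated"] = before["mtime"] == old
        out["ctime_not_backdated"] = before["ctime"] > old
        # chmod rewrites the inode (ctime moves) without touching the data (mtime stays).
        os.chmod(p, 0o600)
        after = describe(p)
        out["mtime_unchanged_by_chmod"] = after["mtime"] == before["mtime"]
        out["ctime_not_earlier"] = after["ctime"] >= before["ctime"]
        out["ctime_after_mtime"] = after["ctime"] > after["mtime"]
        out["mode_after"] = after["mode"]
    return out
```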

  16. File Permissions
  • chmod changes file permissions
  • Read, Write, Execute for user, group and all others
  • Uses numbers in octal, accumulated for each permission
    • Execute – x = 1
    • Write – w = 2
    • Read – r = 4
  • Example: to give read, write, execute permission to user, but only read, execute to group and all others
    $ chmod 755 sortit
    $ ls -l sortit
    -rwxr-xr-x 1 ctaylor faculty 0 Apr 24 01:47 sortit
  • Added 1+2+4 = 7 for user and 1+4 = 5 for group and others (the three rwx triples are User, Group, Other)

  17. File Permissions
  • chmod, second way: can also use a character-based way to change the file
  • You are changing permissions for: users u, groups g, others o
  • Adding +, removing –
  • Read r, write w, execute x
  • Example: chmod ugo+rw .login
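Added example (my code, not from the slides) that implements both chmod notations from the last two slides: `to_symbolic` and `class_sums` turn an octal mode into the rwx string and the per-class sums the 755 example adds up, and `apply_symbolic` applies clauses such as `ugo+rw` to a mode. Umask handling is deliberately left out.

```python
import re

WHO_SHIFT = {"u": 6, "g": 3, "o": 0}      # bit position of each class's rwx triple
PERM_BIT = {"r": 4, "w": 2, "x": 1}
CLAUSE = re.compile(r"^([ugoa]*)([+=-])([rwx]*)$")

def to_symbolic(mode):
    """0o755 -> 'rwxr-xr-x', the nine characters ls -l prints after the type."""
    return "".join(ch if mode & (1 << bit) else "-"
                   for ch, bit in zip("rwxrwxrwx", range(8, -1, -1)))

def class_sums(mode):
    """Per-class octal digits, e.g. 0o755 -> {'user': 7, 'group': 5, 'other': 5}."""
    return {"user": (mode >> 6) & 7, "group": (mode >> 3) & 7, "other": mode & 7}

def apply_symbolic(spec, mode):
    """Apply a chmod symbolic spec such as 'ugo+rw' or 'go-w,u=rx' to an octal mode.
    An empty or 'a' who-list means all three classes (umask is not applied here)."""
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if (who == "" or "a" in who) else who
        bits = sum(PERM_BIT[p] << WHO_SHIFT[c] for c in set(classes) for p in perms)
        whomask = sum(7 << WHO_SHIFT[c] for c in set(classes))
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                                  # '=': replace that class's bits
            mode = (mode & ~whomask) | bits
    return mode & 0o777
```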

  18. File Systems
  • When disks are initialized, a partition structure divides the physical disk into a number of logical partitions
  • Each partition may hold a single file system, for example an EXT2 file system
  • File systems organize files into logical hierarchical structures with directories held in blocks on physical devices
  • Devices that can contain file systems are known as block devices

  19. Difference Between Devices
  • What's the difference between a block and a character device in Linux?
  • Block devices are devices where data moves to and from them in blocks; they support attributes such as buffering and random access behavior
    • Block devices include hard drives, CD-ROMs, and RAM disks
  • Character devices do not have physically-addressable media
    • Character devices include serial ports and tape devices, in which data is streamed character by character

  20. File Systems
  • For Linux's file systems, it does not matter if different file systems are on different physical media controlled by different hardware controllers
  • A file system might not even be on the local system; it could be a disk remotely mounted over a network link
  • The user never notices (in theory ...)

  21. Ext2 File System
  • The Second Extended File system was devised by Rémy Card
  • An extensible and powerful file system for Linux
  • It is the most successful file system so far in the Linux community
  • Has since been extended by Ext3 and Ext4
    • http://olstrans.sourceforge.net/release/OLS2000-ext3/OLS2000-ext3.html
    • http://en.wikipedia.org/wiki/Ext3

  22. Ext2 File System
  • The EXT2 file system can be viewed as occupying a series of blocks in a block-structured device

  23. Ext2 File System
  • The EXT2 file system divides the logical partition that it occupies into Block Groups
  • Each group duplicates information critical to the integrity of the file system as well as holding real files and directories as blocks of information and data
  • Duplication is necessary should a disaster occur and the file system need recovering

  24. Ext2 Superblock
  • The Superblock contains a description of the size and shape of this file system
  • The information within it allows the file system manager to use and maintain the file system
  • Usually only the Superblock in Block Group 0 is read when the file system is mounted
  • Yet each Block Group contains a duplicate copy in case of file system corruption
  • Amongst other information it holds ...

  25. Ext2 Superblock
  • Magic Number
    • Allows mounting software to check that this is indeed the Superblock for an EXT2 file system. For the current version of EXT2 this is 0xEF53
  • Block Group Number
    • The Block Group number that holds this copy of the Superblock
  • Block Size
    • Size of a block for this file system in bytes, for example 1024 bytes
  • Blocks per Group
    • Number of blocks in a group. Like the block size this is fixed when the file system is created

  26. Ext2 Superblock
  • Free Blocks
    • Number of free blocks in the file system
  • Free Inodes
    • Number of free Inodes in the file system
  • First Inode
    • Inode number of the first inode in the file system
    • The first inode in an EXT2 root file system would be the directory entry for the '/' directory
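Added example (not the lecture's code) that reads the superblock fields listed on the last three slides from a raw partition image: the magic number check, block size, blocks per group, the free counts, first inode and the block group number of this copy. The field offsets are those of the on-disk ext2 superblock; the image is constructed inline, not a real dump.

```python
import struct

EXT2_MAGIC = 0xEF53
SB_OFFSET = 1024     # the primary superblock starts 1024 bytes into the partition

def parse_ext2_superblock(image):
    """Decode the superblock fields the slides list from a raw partition image."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    (inodes, blocks, _resv, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _frags, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_MAGIC:
        raise ValueError(f"not an ext2 superblock: magic 0x{magic:04X}")
    (first_ino,) = struct.unpack_from("<I", sb, 84)
    inode_size, group_nr = struct.unpack_from("<HH", sb, 88)
    block_size = 1024 << log_block_size          # 0 -> 1024, 1 -> 2048, 2 -> 4096
    return {
        "magic": magic, "block_size": block_size, "block_group_nr": group_nr,
        "blocks": blocks, "inodes": inodes, "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group, "inodes_per_group": inodes_per_group,
        "free_blocks": free_blocks, "free_inodes": free_inodes,
        "first_ino": first_ino, "inode_size": inode_size,
        "group_count": -(-blocks // blocks_per_group),   # ceiling division
    }

def is_ext2(image):
    try:
        parse_ext2_superblock(image)
        return True
    except (ValueError, struct.error):
        return False

def backup_superblock_offsets(sb):
    """Byte offsets of the duplicate superblocks at the start of groups 1..n-1
    (with the sparse_super feature only groups 0, 1 and powers of 3, 5, 7 hold one)."""
    return [(sb["first_data_block"] + g * sb["blocks_per_group"]) * sb["block_size"]
            for g in range(1, sb["group_count"])]

def constructed_image():
    """Sample partition image (constructed, not a real dump): 1 KiB blocks,
    16384 blocks in two groups of 8192, 2048 inodes."""
    sb = bytearray(1024)
    struct.pack_into("<7I", sb, 0, 2048, 16384, 819, 15000, 2030, 1, 0)
    struct.pack_into("<3I", sb, 32, 8192, 8192, 1024)
    struct.pack_into("<H", sb, 56, EXT2_MAGIC)
    struct.pack_into("<I", sb, 84, 11)        # first non-reserved inode; '/' is inode 2
    struct.pack_into("<HH", sb, 88, 128, 0)   # inode size; this copy lives in group 0
    return bytes(SB_OFFSET) + bytes(sb)
```

When the primary copy at offset 1024 fails the magic check, the offsets from `backup_superblock_offsets` are where an examiner looks for the duplicates the slides describe.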

  27. Ext2 Block Descriptor
  • Each Block Group has a data structure describing it, which is duplicated in each Block Group in case of file system corruption
  • Each Group Descriptor contains the following information:
  • Blocks Bitmap
    • Block number of the block allocation bitmap for this Block Group
    • Used during block allocation and deallocation
  • Inode Bitmap
    • Block number of the inode allocation bitmap for this Block Group
    • Used during inode allocation and deallocation

  28. Ext2 Block Descriptor
  • Each Group Descriptor, continued
  • Inode Table
    • Block number of the starting block of the inode table for this Block Group
    • Each inode is represented by the EXT2 inode data structure described previously
  • Free blocks count, Free Inodes count, Used directory count

  29. Ext2 Block Descriptor
  • Group descriptors are placed one after another
  • Together they make the group descriptor table
  • Each Block Group contains the entire table of group descriptors after its copy of the Superblock
  • Only the first copy (in Block Group 0) is actually used by the EXT2 file system
  • Other copies are there, like the copies of the Superblock, in case the main copy is corrupted

  30. Disk Partitions
  • Windows
    • No real concept of partitions
    • Typically users use the entire disk: C:\, D:\ or A:\
    • Can partition a disk for multiple OS's
  • Unix/Linux
    • Encourages users to partition the disk
    • At least, have /root and swap partitions
    • Typically, more partitions for several reasons

  31. Partition Names
  • In Linux, partitions are represented by device files
  • These are pseudo files located in /dev. Here are a few entries, which come from executing `ls -l` while in the /dev directory:
    brw-rw---- 1 root disk 3, 0 May 5 1998 hda
    brw-rw---- 1 root disk 8, 0 May 5 1998 sda
    crw------- 1 root tty 4, 64 May 5 1998 ttyS0
  • A device file is a file with type
    • c (for "character" devices, devices that don't use the buffer cache)
    • b (for "block" devices, which go through the buffer cache)
  • In the listing above, see the first character of each line
  • In Linux, all disks are represented as block devices only

  32. Partition Names
  • IDE drives will be given device names /dev/hda to /dev/hdd
  • Hard Drive A (/dev/hda) is the first drive and Hard Drive C (/dev/hdc) is the third drive but on the second controller
    name      controller  drive #
    /dev/hda  1           1
    /dev/hdb  1           2
    /dev/hdc  2           1
    /dev/hdd  2           2
  • A PC usually has two IDE controllers, each of which can have two drives connected to it

  33. Partition Names
  • Once a drive has been partitioned, partitions are represented as numbers on the end of the names
  • For example,
    • First partition on the first drive: /dev/hda1
    • Second partition on the second drive: /dev/hdb2

  34. Device Numbers
  • The only important things about a device file are its major and minor device numbers, which are shown instead of the file size:
    $ ls -l /dev/hda
    brw-rw---- 1 root disk 3, 0 Jul 18 1994 /dev/hda
    (fields: permissions, owner, group, major number, minor number, date, device name)
  • When accessing a device file, the major number selects which device driver is called to perform the input/output operation
  • The call is done with the minor number as a parameter and it is up to the driver how the minor number is interpreted
  • Driver documentation usually describes how the driver uses minor numbers

  35. Partition Types
  • A partition is labeled to host a certain kind of file system
  • Could be a standard ext2 file system or linux swap space, or even foreign file systems like (Microsoft) NTFS or (Sun) UFS
  • A numerical code is associated with each partition type
    • For example, the code for ext2 is 0x83 and linux swap is 0x82
  • See the list of partition types and their codes with
    • /sbin/sfdisk -T

  36. Partition Types
  • Primary Partitions
    • The number of partitions on an Intel-based system was limited from the very beginning
    • The original partition table was installed as part of the boot sector and held space for only four partition entries
    • These partitions are now called primary partitions

  37. Partition Types
  • Limit of 4 primary partitions
  [Diagram: hdb divided into hdb1, hdb2, hdb3 and hdb4]

  38. Partition Types
  • Yet one primary partition of a hard drive may be subpartitioned
    • Logical partitions
    • Allows us to skirt the historical four partition limitation

  39. Partition Types
  • Example of two primary partitions and two logical
  [Diagram: hdb divided into hdb1, hdb2, hdb5 and hdb6]

  40. Partition Types
  • Partition Table
    name       drive  controller  part type  part number
    /dev/hdb1  1      2           primary    1
    /dev/hdb2  1      2           extended   NA
    /dev/hdb5  1      2           logical    2
    /dev/hdb6  1      2           logical    3
  • The primary partition used to house the logical partitions is called an extended partition and it has its own file system type (0x05)
  • Unlike primary partitions, logical partitions must be contiguous
  • Each logical partition contains a pointer to the next logical partition
  • Limit is 15 partitions total for SCSI disks and 63 total on an IDE disk
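Added example (not the lecture's code) that decodes the layout from slides 39 and 40 out of a raw disk image: it reads the four primary entries from the boot sector, recognizes the extended partition by type 0x05, and follows the "pointer to the next logical partition" chain to produce hdb1, hdb2, hdb5 and hdb6. The 64-sector image is constructed inline; the 16-byte entry layout and 0x55AA signature are those of the PC partition table, with 0x07 (NTFS) added to the type codes the slides name.

```python
import struct

SECTOR = 512
# Type codes named on the slides (0x83, 0x82, 0x05); 0x07 (NTFS) added from the MBR spec.
PART_TYPES = {0x83: "Linux", 0x82: "Linux swap", 0x05: "extended", 0x07: "NTFS"}

def entry(ptype, lba_start, sectors):
    """One 16-byte table entry; the CHS fields are zeroed (LBA-only image)."""
    return struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

def sector_with_table(entries):
    """A 512-byte MBR/EBR: four entries at offset 446, 0x55AA signature at 510."""
    return bytes(446) + b"".join(entries).ljust(64, b"\0") + b"\x55\xaa"

def parse_table(sector):
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    rows = []
    for i in range(4):
        _, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        rows.append((ptype, lba, count))
    return rows

def list_partitions(disk, dev="hdb"):
    """[(name, type, absolute start sector, sectors)]: primaries, then the EBR chain."""
    parts, ext_base = [], None
    for n, (ptype, lba, count) in enumerate(parse_table(disk[:SECTOR]), start=1):
        if ptype == 0:
            continue                                   # empty slot
        parts.append((f"{dev}{n}", PART_TYPES.get(ptype, hex(ptype)), lba, count))
        if ptype == 0x05:
            ext_base = lba
    # Each EBR describes one logical partition (entry 0, start relative to the EBR
    # itself) and points at the next EBR (entry 1, start relative to the extended
    # partition's own start). Logical partitions are numbered from 5, as on the slide.
    ebr, num = ext_base, 5
    while ebr is not None:
        rows = parse_table(disk[ebr * SECTOR:(ebr + 1) * SECTOR])
        ptype, rel, count = rows[0]
        parts.append((f"{dev}{num}", PART_TYPES.get(ptype, hex(ptype)), ebr + rel, count))
        num += 1
        ntype, nrel, _ = rows[1]
        ebr = ext_base + nrel if ntype == 0x05 else None
    return parts

# Constructed 64-sector image: hdb1 primary (Linux), hdb2 extended holding two logicals.
DISK = bytearray(64 * SECTOR)
DISK[0:SECTOR] = sector_with_table([entry(0x83, 1, 9), entry(0x05, 10, 50)])
DISK[10 * SECTOR:11 * SECTOR] = sector_with_table([entry(0x83, 1, 19), entry(0x05, 20, 30)])
DISK[30 * SECTOR:31 * SECTOR] = sector_with_table([entry(0x82, 1, 19)])
```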

  41. Summary
  • Began to look at the disk and file structure of Linux/Unix systems
  • Lots of native Unix tools to examine these structures
    • Will look at these more next time
  • Also, many Unix/Linux special tools for forensics analysis

  42. References
  • Ext3
    • http://en.wikipedia.org/wiki/Ext3
  • Ext4
    • http://en.wikipedia.org/wiki/Ext3
  • Book on File Systems by Brian Carrier
    • http://www.digital-evidence.org/fsfa/index.html

  43. Finish
  • Next time
    • More on Unix tools – dd and others
  • Book
    • Chapter 8 of text
