UFS2 Extended Attributes

UFS2 files and directories can have extended attributes, which are user or system assigned name and value pairs. Extended attributes are stored in normal data blocks, and the block addresses are given in the inode. Each block contains a list of variable length data structures that have the fields shown in Table 17.9.

Table 17.9. Data structure for the UFS2 extended attribute entry.

| Byte Range | Description | Essential |
|---|---|---|
| 0–3 | Record length | Yes |
| 4–4 | Namespace (see Table 17.10) | No |
| 5–5 | Content padding | Yes |
| 6–6 | Name length | Yes |
| 7–(7 + name length) | Name | Yes |
| (After name and padded to 8-byte boundary) | Value | Yes |

The name is padded so that the value starts on an 8-byte boundary. The value also is padded so that the next entry starts on an 8-byte boundary. The amount of padding for the name can be calculated using the name length and the amount of padding for the value is given in byte 5. The namespace value can take on one of the values given in Table 17.10.

Table 17.10. Values for the extended attribute name space field.

| Value | Description |
|---|---|
| 1 | User |
| 2 | System |

Here we see the contents of an extended attribute block with two attributes:


    0000000: 3000 0000 0107 0673 6f75 7263 6500 0000  0......source...
    0000016: 7777 7777 2e64 6967 6974 616c 2d65 7669  wwww.digital-evi
    0000032: 6465 6e63 652e 6f72 6700 0000 0000 0000  dence.org.......
    0000048: 2000 0000 0104 0464 6174 6500 0000 0000   ......date.....
    0000064: 4175 6720 3132 2c20 3230 3034 0000 0000  Aug 12, 2004....
    0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Bytes 0 to 3 show the record length as 48 bytes (0x30). Byte 4 shows the namespace as 1, which means it is a user attribute. We see that there are seven bytes of padding in the content, the name length is six bytes, and that the name is "source." The name ends in byte 12, so the next 8-byte boundary is byte 16. To find the ending location of the value, we subtract the starting byte and the padding length from the record length (48 - 16 - 7 = 25). The value is the string "www.digital-evidence.org."
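The walk-through above can be carried out mechanically. The following Python parser is an added example, not code from the book: it applies the Table 17.9 layout to the dump shown above (re-typed as a constructed byte string) and rejects entries whose lengths are inconsistent. The function name `parse_ea_block` and the little-endian default are assumptions; the byte order matches this dump only.

```python
import struct

# Constructed input: the six dump rows shown above, as raw bytes.
DUMP = bytes.fromhex(
    "3000000001070673" "6f75726365000000"
    "777777772e646967" "6974616c2d657669"
    "64656e63652e6f72" "6700000000000000"
    "2000000001040464" "6174650000000000"
    "4175672031322c20" "3230303400000000"
    + "00" * 16
)

NAMESPACES = {1: "User", 2: "System"}  # Table 17.10


def parse_ea_block(block, byteorder="<"):
    """Return (namespace, name, value) tuples from one extended attribute block.

    byteorder is an assumption: "<" (little-endian) matches the dump above.
    """
    entries, off = [], 0
    while off + 8 <= len(block):
        (rec_len,) = struct.unpack_from(byteorder + "I", block, off)
        if rec_len == 0:  # zero-filled remainder: no more entries
            break
        namespace, pad, name_len = block[off + 4], block[off + 5], block[off + 6]
        # The name starts at byte 7; the value starts at the next 8-byte boundary.
        val_start = (7 + name_len + 7) & ~7
        val_len = rec_len - val_start - pad
        # Reject records that are misaligned, run past the block, or overlap.
        if rec_len % 8 or off + rec_len > len(block) or val_len < 0:
            raise ValueError(f"corrupt entry at offset {off}")
        name = block[off + 7:off + 7 + name_len]
        value = block[off + val_start:off + val_start + val_len]
        entries.append((NAMESPACES.get(namespace, namespace), name, value))
        off += rec_len
    return entries


if __name__ == "__main__":
    for ns, name, value in parse_ea_block(DUMP):
        print(ns, name.decode(), len(value), value)
```

Run against the dump, the first entry's 25 value bytes begin `77 77 77 77`, so the decoded string starts with four "w" characters.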

File System Forensic Analysis
ISBN: 0321268172
EAN: 2147483647
Year: 2006
Pages: 184
Authors: Brian Carrier
