Overview of Toolkits

Table of contents:

Directory Entries

Directory entry data structures store the names of files and directories. They are located in the blocks that have been allocated to a directory. Each data structure contains the name of the file and the inode address where the metadata can be found. The directory entry data structure for UFS1 and UFS2 has the fields given in Table 17.11.

Table 17.11. Data structure for UFS1 and UFS2 directory entry.

Byte Range

Description

Essential

03

Inode value

Yes

45

Directory entry length

Yes

66

Name length

Yes

77

File type (see Table 17.12)

No

8+

Name in ASCII

Yes

The file type flag can have one of the values from Table 17.12.

Table 17.12. Values for the directory entry type field.

Type Value

Description

0

Unknown type

1

FIFO

2

Character device

4

Directory

6

Block device

8

Regular file

10

Symbolic Link

12

Socket

14

Whiteout

The flags have the same names as we saw with ExtX, except for the whiteout type. It is used when a file system has been mounted with the union option and there exist two files with the same name. The whiteout type is used as a flag for the duplicate file, and the OS will not show it to the user (like applying whiteout to a typo).

The directory entry length field is used to locate the next allocated directory entry, and the name length field is used to both determine where the name ends and determine how long the entry needs to be. Refer to the "File Name Category" section of Chapter 14 for details on how directory entries are allocated and unallocated.

Here are the contents of a UFS1 directory from our image:


# icat f openbsd openbsd.dd 1921 | xxd

0000000: 8107 0000 0c00 0401 2e00 0000 0200 0000 ................

0000016: 0c00 0402 2e2e 0000 8c07 0000 1400 0809 ................

0000032: 6669 6c65 312e 7478 7400 93e7 8d07 0000 file1.txt.......

0000048: 1400 0809 6669 6c65 382e 7478 7400 93e7 ....file8.txt...

0000064: 8e07 0000 2800 0809 6669 6c65 372e 7478 ....(...file7.tx

0000080: 7400 93e7 8f07 0000 1400 0809 6669 6c65 t...........file

0000096: 362e 7478 7400 93e7 9007 0000 1400 0809 6.txt...........

0000112: 6669 6c65 352e 7478 7400 93e7 9107 0000 file5.txt.......

0000128: 2800 0809 6669 6c65 342e 7478 7400 93e7 (...file4.txt...

0000144: 9207 0000 1400 0809 6669 6c65 332e 7478 ........file3.tx

[REMOVED]

We dissected a directory in the ExtX Data Structures chapter, so I will show only some of the highlights of this output. The first four bytes show the inode of the '.' entry, which we can verify is inode 1921 (0x0781). Bytes 24 to 27 are the inode field of the first file entry, which is file1.txt and at inode 1,932 (0x078c). Bytes 68 to 69 are for the length field for the file7.txt file, and it is 40 bytes (0x28), but the name is only nine bytes long. The next entry, for file6.txt, has been deleted, and the length field for file7.txt file points to the entry after file6.txt.

The directory listing for this directory is as follows:


# fls -f openbsd a openbsd.dd 1921

d/d 1921: .

d/d 2: ..

r/r 1932: file1.txt

r/r 1933: file8.txt

r/r 1934: file7.txt

r/- * 1935: file6.txt

r/r 1936: file5.txt

r/r 1937: file4.txt

r/- * 1938: file3.txt

r/r 1939: file2.txt

r/- * 1940: file10.txt

r/r 1941: file9.txt


Part I: Foundations

Digital Investigation Foundations

Computer Foundations

Hard Disk Data Acquisition

Part II: Volume Analysis

Volume Analysis

PC-based Partitions

Server-based Partitions

Multiple Disk Volumes

Part III: File System Analysis

File System Analysis

FAT Concepts and Analysis

FAT Data Structures

NTFS Concepts

NTFS Analysis

NTFS Data Structures

Ext2 and Ext3 Concepts and Analysis

Ext2 and Ext3 Data Structures

UFS1 and UFS2 Concepts and Analysis

UFS1 and UFS2 Data Structures

Summary

Bibliography

Bibliography



File System Forensic Analysis
File System Forensic Analysis
ISBN: 0321268172
EAN: 2147483647
Year: 2006
Pages: 184
Authors: Brian Carrier

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net