Sun Solaris Slices

The Solaris operating system from Sun Microsystems is used in large servers and desktop systems. It uses two different types of partitioning systems depending on the size of the disk and the version of Solaris. Solaris 9 introduced support for file systems larger than 1-terrabyte and uses EFI partition tables because they have a 64-bit address field [Sun 2003]. EFI partitions are described in the next section.

All other versions of Solaris use data structures that are similar to the BSD disk label that we just looked at. In fact, the primary data structure is also called a disk label, although the actual layout of the structure is different. This may not be surprising considering that the layout is even different for Sparc-based Solaris and i386-based Solaris. To make things confusing and difficult to remember, the names of the Solaris data structures are the same as the BSD ones, but the names of the media compartments are different. Solaris uses the term "slice" for each of its partitions. For simplicity, I will use the term "Solaris partition" in this section, but keep in mind that other books will likely use the proper term. I will break this discussion into three sections and first discuss the general characteristics of the Solaris architecture, then the Sparc data structure specifics, and finally the i386 data structure specifics.

General Overview

When you install Solaris, a disk label structure is created on the disk. The exact location is based on the hardware platform so that will be discussed more in later sections. The disk label has a maximum number of partitions that it can describe, and the maximum is eight for Sparc systems and 16 for i386.

Each partition in the disk label is described with its starting location, size, a set of flags, and a type. The flags tell you if the partition is read only and if it cannot be mounted, such as the swap space. In the other partition systems that we have seen in this book, the type field was used to describe the file system type, but in Solaris it typically describes the mounting point of the partition. For example, some types specify the home, usr, or var partitions, and others specify the swap space or unassigned. A full listing of types is given in the "Data Structures" section.

Solaris uses a cryptic, but scalable, naming convention for the partitions. When you are in a Solaris environment, the block devices can be found in the /dev/dsk/ directory, and the raw devices can be found in the /dev/rdsk/ directory. Within those directories, the Solaris partitions (or slices) have names such as cWtXdYsZ in a Sparc system and cWdYsZ in an i386 system. In the name, the W is replaced by the controller number, X is replaced by the physical bus target number (SCSI ID), Y is replaced by the drive number on the bus, and Z is replaced by the slice number on the drive. For example, if your Sparc system has only one controller, the disk is SCSI ID 6, and you want slice 5, you would access the raw device at /dev/rdsk/c0t6d0s5.

With Solaris, it is common for a partition to have a location in the disk label table that is based on its mounting point. This is not a requirement, but a disk that has the operating system on it will typically use the naming convention given in Table 6.8.

Table 6.8. The typical partition that is created in each table entry.

Table Entry

Description

0

/root/partitionThe operating system and kernel

1

Swap space

2

The entire disk, including the disk label and all partitions

3

/export/ partition

4

/export/swap/ partition

5

/opt/ partition

6

/usr/ partition

7

/home/ partition

Additional disks that are added to the system may only have one partition on them, and that partition may use partitions entry 5, 6, or 7.

Sparc Data Structures

On a Sparc system, the disk label structure is created in the first sector of the disk, sector 0. Sectors 115 contain the "bootblock," which is the boot code for the system, and sectors 16 and above are partitioned to store file systems and swap space. Solaris uses a UFS file system, and we will see in Chapter 16 that the file system starts in sector 16. We can see the layout of an example Sparc disk in Figure 6.5.

Figure 6.5. The layout of a Sun Sparc disk where the disk label and boot code are located in the first partition.

The layout of the disk label can be confusing because the layout information for the Solaris partitions is not in one location. There are two data structures within the disk label structure that hold the partition data. The VTOC structure contains the number of partitions and the type, permissions, and timestamps for each, but the starting location and size of each partition is stored in the disk map structure. The contents of the Sparc disk label are given in Table 6.9.

Table 6.9. Data structure for the Sun Sparc disk label.

Byte Range

Description

Essential

0127

ASCII Label

No

128261

Sparc VTOC (see Table 6.10)

Yes

262263

Sectors to skip, writing

No

264265

Sectors to skip, reading

No

266419

Reserved

No

420421

Disk speed

No

422423

Number of physical cylinders

No

424425

Alternates per cylinder

No

426429

Reserved

No

430431

Interleave

No

432433

Number of data cylinders

No

434435

Number of alternate cylinders

No

436437

Number of heads

Yes

438439

Number of sectors per track

Yes

440443

Reserved

No

444451

Partition #1 disk map (see Table 6.13)

Yes

452459

Partition #2 disk map (see Table 6.13)

Yes

460467

Partition #3 disk map (see Table 6.13)

Yes

468475

Partition #4 disk map (see Table 6.13)

Yes

476483

Partition #5 disk map (see Table 6.13)

Yes

484491

Partition #6 disk map (see Table 6.13)

Yes

492499

Partition #7 disk map (see Table 6.13)

Yes

500507

Partition #8 disk map (see Table 6.13)

Yes

508509

Signature Value (0xDABE)

No

510511

Checksum

No

The VTOC can be found in bytes 128 to 261. This structure tells you how many partitions there are (bytes 1213) and the flags, type, and a timestamp for each partition. The VTOC has the fields given in Table 6.10.

Table 6.10. Data structure for the VTOC in Sun Sparc disk labels.

Byte Range

Description

Essential

03

Version (0x01)

No

411

Volume Name

No

1213

Number of Partitions

Yes

1415

Partition #1 type (see Table 6.11)

No

1617

Partition #1 flags (see Table 6.12)

No

1819

Partition #2 type (see Table 6.11)

No

2021

Partition #2 flags (see Table 6.12)

No

2223

Partition #3 type (see Table 6.11)

No

2425

Partition #3 flags (see Table 6.12)

No

2627

Partition #4 type (see Table 6.11)

No

2829

Partition #4 flags (see Table 6.12)

No

3031

Partition #5 type (see Table 6.11)

No

3233

Partition #5 flags (see Table 6.12)

No

3435

Partition #6 type (see Table 6.11)

No

3637

Partition #6 flags (see Table 6.12)

No

3839

Partition #7 type (see Table 6.11)

No

4041

Partition #7 flags (see Table 6.12)

No

4243

Partition #8 type (see Table 6.11)

No

4445

Partition #8 flags (see Table 6.12)

No

4657

Boot info

No

5859

Reserved

No

6063

Signature Value (0x600DDEEE)

No

64101

Reserved

No

102105

Partition #1 timestamp

No

106109

Partition #2 timestamp

No

110113

Partition #3 timestamp

No

114117

Partition #4 timestamp

No

118121

Partition #5 timestamp

No

122125

Partition #6 timestamp

No

126129

Partition #7 timestamp

No

130133

Partition #8 timestamp

No

The type field for each of the partitions in the VTOC specifies what the partition is used for and where it should be mounted. The operating system will use a different configuration file, though, when it comes time to actually mount the file systems. So just because the type is set for the /usr/ partition does not mean that it will be mounted as /usr/. The Solaris disk label structure does not specify the file system type for each partition, as other partition systems do. The partition type can have the values given in Table 6.11.

Table 6.11. Type values for each Sun partition (used for both Sparc and i386).

Value

Description

0

Unassigned

1

partition /boot/

2

/ partition

3

Swap

4

/usr/ partition

5

The entire disk

6

/stand/ partition

7

/var/ partition

8

/home/ partition

9

Alternate sector partition

10

cachefs partition

Each partition also has a flags field, and it can have the values given in Table 6.12 (or none of them):

Table 6.12. Flag values of each Sun partition (used for both Sparc and i386).

Value

Description

1

The partition cannot be mounted

128

The partition is read-only

The previous information is useful, but the most important part of the disk label, for this discussion, is the location of the partitions. The disk map structures, not the VTOC, contain the starting cylinder and size of each partition. The disk map structures are located at the end of the disk label structure and have the fields given in Table 6.13.

Table 6.13. Data structure for the Sun Sparc disk label disk map.

Byte Range

Description

Essential

03

Starting Cylinder

Yes

47

Size

Yes

We care about the starting sector and not the cylinder, so we will need to convert this valueit is actually quite simple. Recall that cylinder address X is the collection of tracks at address X on each platter in a disk. To convert the cylinder address to a sector address, we multiply the cylinder value with the number of sectors per track and the number of heads (which can both be found in the disk label structure).

For example, consider a disk with 15 heads and 63 sectors per track. If the starting cylinder were 1,112, then we would calculate


63 * 15 * 1,112 = 1,050,840

Therefore, we would use sector 1,050,840 to extract the data and examine the data with our tools that support the LBA addressing scheme.

Let's get our hands dirty with some data structures and a hex editor. The following is the first sector of a Solaris Sparc hard disk:


# dd if=sparc-disk.dd bs=512 count=1 | xxd

0000000: 4d61 7874 6f72 2038 3532 3530 4136 2063 Maxtor 85250A6 c

0000016: 796c 2031 3038 3534 2061 6c74 2032 2068 yl 10854 alt 2 h

0000032: 6420 3135 2073 6563 2036 3300 0000 0000 d 15 sec 63.....

0000048: 0000 0000 0000 0000 0000 0000 0000 0000 ................

[REMOVED - ZEROS]

0000128: 0000 0001 0000 0000 0000 0000 0008 0002 ................

0000144: 0000 0003 0001 0005 0000 0000 0000 0000 ................

0000160: 0000 0007 0000 0004 0000 0008 0000 0000 ................

0000176: 0000 0000 0000 0000 0000 0000 600d deee ............`...

[REMOVED - ZEROS]

0000416: 0000 0000 1518 2a68 0000 0000 0000 0001 ......*h........

0000432: 2a66 0002 000f 003f 0000 0000 0000 0826 *f.....?.......&

0000448: 0020 b06b 0000 0000 0010 0176 0000 0000 . .k.......v....

0000464: 009c 8286 0000 0000 0000 0000 0000 0000 ................

0000480: 0000 0000 0000 0609 0007 cd0d 0000 1101 ................

0000496: 005d bdd5 0000 0458 0006 3e61 dabe 1ffe .].....x..>a....

A Sparc system uses big-endian ordering, and therefore you do not need to reverse the numbers. The first eight lines show the 128-byte ASCII label, which describes the type of hard disk. The VTOC starts at 128 and bytes 140 to 141 show that there are 8 partitions in the structure. From bytes 142 to 173 we can see the 2-byte type and 2-byte flag fields for each partition. For example, the first partition has its type value in bytes 142 to 143 and it is 2, which is the / partition. Its flag value is in bytes 144 to 145, and it is 0. Bytes 146 to 147 show that the second partition has a type of 3 (swap space) and bytes 148 to 149 show that its flag is 1 (not mountable).

Bytes 436 to 437 show us that there are 15 (0x0f) heads and bytes 438 to 439 show that there are 63 (0x3f) sectors per track. We will need this to convert the cylinder addresses.

The layout information starts at byte 444, and the starting cylinder and size are both 4-byte values. The first partition has a starting cylinder of 2,086 (0x00000826) and a size of 2,142,315 (0x0020b06b) sectors. Recall that this partition had a type for the / partition. To calculate the starting sector, we multiply


15 * 63 * 2,086 = 1,971,270

This partition is in the first slot, and therefore it would be "slice 0" for the disk, even though it starts thousands of sectors into the disk. The next partition is described in bytes 452 to 459, and its starting cylinder is 0 with a size of 1,048,950 (0x00100176) sectors. This is the swap space for the system and it is "slice 1." The third partition entry, "slice 2," is usually for the entire disk, and it is located in bytes 460 to 467. Its starting cylinder is 0 and size is 10,257,030 (0x009c8286) sectors.

The Sparc disk label can be viewed with several tools, but not all are useful during an investigation. The format and prtvtoc commands in Solaris can be run only on a device, not on a disk image file. The fdisk command in Linux can be used to list the partitions from a Sparc disk image though. You also can use the mmls tool in The Sleuth Kit with the -t sun flag. Running mmls on the example image gives:


# mmls t sun sparc-disk.dd

Sun VTOC

Units are in 512-byte sectors



 Slot Start End Length Description

00: 01 0000000000 0001048949 0001048950 swap (0x03)

01: 02 0000000000 0010257029 0010257030 backup (0x05)

02: 07 0001050840 0001460024 0000409185 /home/ (0x08)

03: 05 0001460025 0001971269 0000511245 /var/ (0x07)

04: 00 0001971270 0004113584 0002142315 / (0x02)

05: 06 0004113585 0010257029 0006143445 /usr/ (0x04)

 

i386 Data Structures

When Solaris is installed on an i386 system, one or more DOS-based partitions must be first created. A typical installation will create a boot partition (DOS partition type 0xBE) and a partition with the file systems (DOS partition type 0x82). The boot partition contains the boot code needed to start the system and does not contain an actual file system. The disk label structure is located in the second sector of the file system DOS partition (type 0x82) and it describes the layout of the Sun partitions inside of that DOS partition. All Sun partitions must start after the start of the DOS partition. We can see this in Figure 6.6, where there is a disk with three DOS partitions, and the final one contains a disk label and three Sun partitions.

Figure 6.6. An i386 Sun disk with three DOS partitions. The final one contains a disk label and three Sun partitions.

The disk label structure is 512 bytes in size and is better organized than the Sparc version because all the partition information is in one location. Another benefit of the i386 version is that the information is stored by using LBA addresses and not CHS. Other than those differences, the two structures are very similar. The first 456 bytes of the disk label are called the Volume Table of Contents (VTOC), and this is where the partitions, disk label, sector size, and number of partitions is located. The disk label data structure is given in Table 6.14.

Table 6.14. Data structure for the Sun i386 disk label.

Byte Range

Description

Essential

011

Bootinfo

No

1215

Signature Value (0x600DDEEE)

No

1619

Version

No

2027

Volume Name

No

2829

Sector size

Yes

3031

Number of Partitions

Yes

3271

Reserved

No

7283

Partition #1 (see Table 6.15)

Yes

8495

Partition #2 (see Table 6.15)

Yes

96107

Partition #3 (see Table 6-15)

Yes

108119

Partition #4 (see Table 6.15)

Yes

120131

Partition #5 (see Table 6.15)

Yes

132143

Partition #6 (see Table 6.15)

Yes

144155

Partition #7 (see Table 6.15)

Yes

156167

Partition #8 (see Table 6.15)

Yes

168179

Partition #9 (see Table 6.15)

Yes

180191

Partition #10 (see Table 6.15)

Yes

192203

Partition #11 (see Table 6.15)

Yes

204215

Partition #12 (see Table 6.15)

Yes

216227

Partition #13 (see Table 6.15)

Yes

228239

Partition #14 (see Table 6.15)

Yes

240251

Partition #15 (see Table 6.15)

Yes

252263

Partition #16 (see Table 6.15)

Yes

264327

Timestamps (not used)

No

328455

Volume Label

No

456507

Hardware Details

No

508509

Signature Value (0xDABE)

No

510511

Checksum

No

Each of the 16 partition entries has the data structure given in Table 6.15.

Table 6.15. Data structure for the Sun i386 disk label partition entry.

Byte Range

Description

Essential

01

Partition Type (see Table 6.11)

No

23

Flag (see Table 6.12)

No

47

Starting Sector

Yes

811

Size in Sectors

Yes

The type and flag fields use the same values that were described in the preceding section on Sparc data structures. To identify the partitions that an i386 Solaris system has, the partition entries in the VTOC are examined, and the layout is determined using the starting sector and the size. The starting sector is relative to the DOS-based partition (the one with type 0x82). In our example disk image, the DOS partition with the disk label starts in sector 22,496. Therefore, the disk label is located in 22,497, shown here:


# dd if=i386-disk.dd bs=512 skip=22497 | xxd

0000000: 0000 0000 0000 0000 0000 0000 eede 0d60 ...............'

0000016: 0100 0000 0000 0000 0000 0000 0002 1000 ................

0000032: 0000 0000 0000 0000 0000 0000 0000 0000 ................

0000048: 0000 0000 0000 0000 0000 0000 0000 0000 ................

0000064: 0000 0000 0000 0000 0200 0000 c00e 1000 ................

0000080: 0082 3e00 0300 0100 d00b 0000 f002 1000 ..>.............

0000096: 0500 0000 0000 0000 309a 7001 0000 0000 ........0.p.....

0000112: 0000 0000 0000 0000 0000 0000 0000 0000 ................

0000128: 0000 0000 0400 0000 c090 4e00 2000 fa00 ..........N. ...

0000144: 0000 0000 0000 0000 0000 0000 0800 0000 ................

0000160: e090 4801 0041 1f00 0100 0100 0000 0000 ..H..A..........

0000176: f003 0000 0900 0100 f003 0000 e007 0000 ................

[REMOVED - ZEROS]

0000320: 0000 0000 0000 0000 4445 4641 554c 5420 ........DEFAULT

0000336: 6379 6c20 3233 3936 3420 616c 7420 3220 cyl 23964 alt 2

0000352: 6864 2031 3620 7365 6320 3633 0000 0000 hd 16 sec 63....

[REMOVED - ZEROS]

0000448: 0000 0000 0000 0000 9e5d 0000 9c5d 0000 .........]...]..

0000464: 0200 0000 1000 0000 3f00 0000 0100 0000 ........?.......

0000480: 0000 100e 0000 0000 0000 0000 0000 0000 ................

0000496: 0000 0000 0000 0000 0000 0000 beda a24a ...............J

This is from an i386 system, which means that the values are stored in little-endian ordering. At offset 30 we see that there are 16 (0x10) partitions in the table. The first partition entry begins at offset 72 and ends at offset 83. Bytes 72 to 73 show us that it has a type of 0x02, which is the root partition. The starting sector is given in bytes 76 to 79 and we see 1,052,352 (0x00100EC0). Bytes 80 to 83 give the partition size and we see 4,096,512 (0x003e8200). There are 10 partitions being used in this disk label, and the last one is located at bytes 180 to 191. The timestamps are all zero, and the volume name is "DEFAULT" with the disk geometry information.

For an i386 disk image, you can use any DOS-partition tool to list where the boot partition and file systems partitions are located. Here is the output from running mmls on an i386 Solaris disk:


# mmls t dos i386-disk.dd

DOS Partition Table

Units are in 512-byte sector

 Slot Start End Length Description

00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)

01: ----- 0000000001 0000001007 0000001007 Unallocated

02: 00:00 0000001008 0000022175 0000021168 Solaris 8 Boot (0xBE)

03: ----- 0000022176 0000022495 0000000320 Unallocated

04: 00:01 0000022496 0024180911 0024158416 Linux Swap / Solaris x86 (0x82)

Recall that the 0xBE type partition contains the boot code and does not contain a file system. The file systems and disk label structure are located in the 0x82-type partition. You can get the same output using the fdisk tool in Linux, but fdisk will not list the Solaris partitions in the disk label. To view the file systems, you can either extract the partition that starts at 22,496 or simply call mmls with the -o flag to set the offset.


# mmls t sun -o 22496 disk8.dd

Sun VTOC

Units are in 512-byte sectors

 Slot Start End Length Description

00: 02 0000000000 0024156719 0024156720 backup (0x05)

01: 08 0000000000 0000001007 0000001008 boot (0x01)

02: 09 0000001008 0000003023 0000002016 alt sector (0x09)

03: 01 0000003024 0001052351 0001049328 swap (0x03)

04: 00 0001052352 0005148863 0004096512 / (0x02)

05: 05 0005148864 0021532895 0016384032 /usr/ (0x04)

06: 07 0021532896 0023581151 0002048256 /home/ (0x08)

Recall that these addresses are relative to the start of the DOS partition, so you will have to add 22,496 to any of the starting sector addresses when you extract them with dd. I have found that when you boot Linux with an i386 Solaris disk as one of the slave disks, Linux makes devices for only the first eight of the Solaris partitions. Devices are not created for any of the partitions after the first eight.

Analysis Considerations

The special considerations for a Solaris investigation are the same ones that other partition systems have. There are some unused values in the disk label structure, and they could be used to store data, although there is not much unused space.

As with other partition systems, the 'type' field in the partition description is not enforced. Just because the disk label structure says that the partition is for the /var/ partition or swap space does not mean that it is. As always, look at the disk for unused space.

If the location of the disk label cannot be determined, a search can be performed using the signature values. The signature value of 0x600DDEEE exists inside the disk label, and 0xDABE exists in bytes 508 to 509.

Summary

Solaris systems are common in corporate settings and will be investigated for intrusions and cases of fraud. This section has shown how Solaris organizes its disks and how the layout can be listed and extracted. The disk label structure is fairly simple, and it can be read with the fdisk or mmls tools.

Part I: Foundations

Digital Investigation Foundations

Computer Foundations

Hard Disk Data Acquisition

Part II: Volume Analysis

Volume Analysis

PC-based Partitions

Server-based Partitions

Multiple Disk Volumes

Part III: File System Analysis

File System Analysis

FAT Concepts and Analysis

FAT Data Structures

NTFS Concepts

NTFS Analysis

NTFS Data Structures

Ext2 and Ext3 Concepts and Analysis

Ext2 and Ext3 Data Structures

UFS1 and UFS2 Concepts and Analysis

UFS1 and UFS2 Data Structures

Summary

Bibliography

Bibliography



File System Forensic Analysis
File System Forensic Analysis
ISBN: 0321268172
EAN: 2147483647
Year: 2006
Pages: 184
Authors: Brian Carrier

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net