
Linux System Artifacts

COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555

L7: Linux System Artifacts

1 UNIX and Linux

- UNIX flavors
  - System V variants: Sun Solaris, IBM AIX, and HP-UX
  - BSD variants: FreeBSD, OpenBSD, and NetBSD
- Linux distributions
  - Red Hat, Fedora, Ubuntu, and Debian
  - Most consistent UNIX-like operating systems
  - Linux kernel is regulated under the GNU General Public License (GPL) agreement

2 UNIX and Linux

- BSD license is similar to the GPL
  - But makes no requirements for derivative works
- Some useful Linux commands to find information about your Linux system
  - uname -a
  - ls -l
  - ls -ul filename
  - netstat -s

3 Some Linux System Files

System file        Purpose
/etc/fstab         File system table of devices and mount points
/var/log/lastlog   Last login time of all users
/var/log/wtmp      Logon and logoff history information
/var/run/utmp      Current users' logon information
/var/log/messages  System message log
/etc/shadow        Master password file for the local system
/etc/group         Group memberships for the local system
/dev/hda           Device file for the first IDE hard drive
/proc/meminfo      Memory usage information for both physical memory and swap space
/proc/modules      Lists currently loaded modules
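The slide lists /var/log/wtmp and /var/run/utmp as logon artifacts but does not show how they are read. Both are flat arrays of fixed-size binary records, so an examiner can parse them without the live system's tools (which matters when those tools cannot be trusted). The following is an added example, not code from the lecture: it decodes records using the glibc x86-64 utmp layout documented in utmp(5) (384 bytes per record), flags a truncated tail instead of silently dropping it, and pairs each login with its logout on the same line so that logins that were never closed stand out. The sample records are constructed in the code; the user names, hosts and times are invented.

```python
import struct
from datetime import datetime, timezone

# glibc x86-64 'struct utmp', 384 bytes, as documented in utmp(5):
#   ut_type(i16) pad(2) ut_pid(i32) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit(2 x i16) ut_session(i32) ut_tv(sec i32, usec i32) ut_addr_v6[16] reserved[20]
UTMP_FORMAT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return field.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def parse_utmp_records(data: bytes) -> list:
    """Parse consecutive utmp/wtmp records from a byte buffer.

    A trailing partial record (file truncated or cut mid-write) is reported as a
    TRUNCATED pseudo-record rather than being dropped without notice.
    """
    records = []
    n_full, leftover = divmod(len(data), UTMP_SIZE)
    for i in range(n_full):
        (ut_type, pid, line, ut_id, user, host, e_term, e_exit, session,
         tv_sec, tv_usec, addr) = struct.unpack_from(UTMP_FORMAT, data, i * UTMP_SIZE)
        # ut_addr_v6 carries an IPv4 address in its first 4 bytes when the rest is zero
        ipv4 = None
        if addr[:4] != b"\x00" * 4 and addr[4:] == b"\x00" * 12:
            ipv4 = ".".join(str(b) for b in addr[:4])
        records.append({
            "type": UT_TYPES.get(ut_type, f"UNKNOWN({ut_type})"),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc).isoformat(),
            "exit_status": (e_term, e_exit),
            "ipv4": ipv4,
        })
    if leftover:
        records.append({"type": "TRUNCATED", "trailing_bytes": leftover})
    return records


def open_sessions(records: list) -> list:
    """Return USER_PROCESS logins with no later DEAD_PROCESS on the same line.

    In an intact wtmp every login is closed by a logout record; one that is never
    closed is either still active or a sign that later records are missing.
    """
    active = {}
    for rec in records:
        if rec["type"] == "USER_PROCESS":
            active[rec["line"]] = rec
        elif rec["type"] == "DEAD_PROCESS":
            active.pop(rec["line"], None)
    return list(active.values())


def make_record(ut_type: int, pid: int, line: str, user: str, host: str,
                tv_sec: int, addr: bytes = b"\x00" * 16) -> bytes:
    """Build one constructed record (only used to assemble the sample below)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, addr)


# Constructed sample wtmp: alice logs in and out over pts/0, bob logs in on pts/1
# and never logs out, and the file ends with 10 stray bytes.
SAMPLE_WTMP = b"".join([
    make_record(7, 1234, "pts/0", "alice", "10.0.0.5", 1409500000, bytes([10, 0, 0, 5]) + b"\x00" * 12),
    make_record(8, 1234, "pts/0", "", "", 1409503600),
    make_record(7, 1300, "pts/1", "bob", "10.0.0.9", 1409507200, bytes([10, 0, 0, 9]) + b"\x00" * 12),
]) + b"\x00" * 10

if __name__ == "__main__":
    recs = parse_utmp_records(SAMPLE_WTMP)
    for r in recs:
        print(r)
    print("logins without a logout:", [r["user"] for r in open_sessions(recs)])
```

To run this over a real file, pass `open("/var/log/wtmp", "rb").read()` from an image mounted read-only. The record size is architecture dependent (32-bit builds and other libcs differ), so check that the file length is a multiple of 384 before trusting the output.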


4 Extended File System

- Linux file systems
  - Second Extended File System (Ext2fs)
  - Ext3fs, journaling version of Ext2fs
  - Now Ext4fs
- Employs inodes (information/index nodes)
  - Identified by a number
  - Contain information about one file or directory
  - Stores data block numbers
  - Keep internal link count
  - Deleted inodes have count value 0
- Directories
  - Specially structured files containing <name,inode> records

5 Linux File System Terminology

- A block in Linux can be 1KB, 2KB, 4KB or 8KB (analogous to Windows "cluster")
  - Decided when formatting the drive (4KB is typical)
- Block group
  - A set of contiguous blocks
  - A block group descriptor table specifies where each block group begins
- Inode
  - Fully describes a file/directory
  - Has information on the block numbers where a file's content resides
6 Block Zero

- Boot block
  - Contains the bootstrap code in the first sector
  - 512 bytes
- When is block 0 part of block group 0?
  - If block size > 1024 bytes

7 Block Groups

- Block group zero starts at offset 1024 bytes from the beginning of the partition
- Block groups 1 onwards start from other block numbers
- Number of blocks in a block group is at most 8 times the size of a block
  - For 4KB block size, you can have at most 8 x 4096 = 32768 blocks in a block group

8 Blocks and Block Groups

[Figure: block groups with block size > 1024 bytes. The partition is drawn as the Boot block followed by Block 1, Block 2, Block 3, Block 4, Block 5, ...; Block group 0 and Block group 1 are marked above the blocks, and Byte 1024 (where block group 0 begins) is marked below.]

9 Super Block

- Indicates disk geometry, available space, and location of the first inode, and other file system specific information
- 1 KB of information
- Stored at offset 1024 bytes of partition (i.e. in block group 0)
- Redundant copies are also maintained
  - First block of block groups 1 and powers of 3, 5, and 7 stores a duplicate of the super block

10 Super Block Structure

- Offset 0x18: Logarithm of the block size (KB) : 32-bit
- Offset 0x20: Number of blocks per group : 32-bit
- Offset 0x28: Number of inodes per group : 32-bit
- Offset 0x38: 2 byte magic number identifying the file system
  - 0xEF53 means ext
- Other information
  - Number of free inodes and blocks across all groups
  - Time when file system was last mounted/accessed/verified
  - Journaling files
  - http://www.nongnu.org/ext2-doc/ext2.html

11 Block Group Descriptor Table

- Following the superblock
- Duplicates are maintained in block groups that also contain the superblock duplicate
- Information pertaining to all block groups
- Superblock has information to compute number of block groups
  - We can use it to determine how many blocks are required to store this table
- The table is an array of BGD structures
  - BGD 0 | BGD 1 | ... | BGD N
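Slides 7, 9, 10 and 11 together give everything needed to go from the raw superblock to the location of every block group, and slide 12 gives the first three fields of each descriptor. The following added example (not code from the lecture) does that walk in Python: it checks the 0xEF53 magic at 0x38, reads the block size, blocks-per-group and inodes-per-group fields at the offsets the slides give, computes the number of groups and therefore how many blocks the BGD table occupies, applies the slide 9 rule for which groups hold a superblock copy, and reads the block bitmap / inode bitmap / inode table block numbers from the primary BGD table, rejecting a descriptor that points outside its own group. Two fields the slides do not list, the total block count at 0x04 and the first data block at 0x14, are taken from the ext2 layout document the slides cite. The on-disk image is constructed inside the code; only the boot block, superblock and BGD table block are materialised.

```python
import math
import struct

EXT2_SUPER_MAGIC = 0xEF53   # slide 10: 2-byte magic at superblock offset 0x38
SUPERBLOCK_OFFSET = 1024    # slide 9: superblock sits 1024 bytes into the partition
SUPERBLOCK_SIZE = 1024
BGD_SIZE = 32               # slide 12: each block group descriptor is 32 bytes


def parse_superblock(sb: bytes) -> dict:
    """Read the geometry fields needed to locate every block group."""
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("superblock must be 1 KB")
    magic = struct.unpack_from("<H", sb, 0x38)[0]
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError(f"magic 0x{magic:04X} is not 0xEF53: not an ext superblock")
    blocks_count = struct.unpack_from("<I", sb, 0x04)[0]       # s_blocks_count (ext2 doc)
    first_data_block = struct.unpack_from("<I", sb, 0x14)[0]   # s_first_data_block (ext2 doc)
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]     # slide 10
    blocks_per_group = struct.unpack_from("<I", sb, 0x20)[0]   # slide 10
    inodes_per_group = struct.unpack_from("<I", sb, 0x28)[0]   # slide 10
    block_size = 1024 << log_block_size
    # Slide 7: a one-block block bitmap limits a group to 8 * block_size blocks.
    if not 0 < blocks_per_group <= 8 * block_size:
        raise ValueError("blocks_per_group inconsistent with a one-block bitmap")
    # Slides 6 and 8: block 0 belongs to group 0 only when blocks are larger than 1 KB.
    if first_data_block != (1 if block_size == 1024 else 0):
        raise ValueError("first_data_block does not match the block size")
    n_groups = math.ceil((blocks_count - first_data_block) / blocks_per_group)
    return {"block_size": block_size, "blocks_count": blocks_count,
            "first_data_block": first_data_block, "blocks_per_group": blocks_per_group,
            "inodes_per_group": inodes_per_group, "group_count": n_groups,
            # slide 11: the group count tells us how many blocks the BGD table needs
            "bgd_table_blocks": math.ceil(n_groups * BGD_SIZE / block_size)}


def _is_power_of(n: int, base: int) -> bool:
    while n > 1 and n % base == 0:
        n //= base
    return n == 1


def has_superblock_copy(group: int) -> bool:
    """Slide 9: groups 0, 1 and the powers of 3, 5 and 7 carry a superblock duplicate."""
    return group in (0, 1) or any(_is_power_of(group, b) for b in (3, 5, 7))


def superblock_copy_groups(geom: dict) -> list:
    return [g for g in range(geom["group_count"]) if has_superblock_copy(g)]


def group_first_block(geom: dict, group: int) -> int:
    return geom["first_data_block"] + group * geom["blocks_per_group"]


def parse_bgd_table(image: bytes, geom: dict) -> list:
    """Read the primary BGD table (block right after the superblock in group 0) and
    return each group's block bitmap, inode bitmap and inode table block numbers
    (descriptor offsets 0x0, 0x4 and 0x8, slide 12)."""
    base = (group_first_block(geom, 0) + 1) * geom["block_size"]
    groups = []
    for g in range(geom["group_count"]):
        bbm, ibm, itab = struct.unpack_from("<III", image, base + g * BGD_SIZE)
        start = group_first_block(geom, g)
        end = min(start + geom["blocks_per_group"], geom["blocks_count"])
        if not all(start <= b < end for b in (bbm, ibm, itab)):
            raise ValueError(f"group {g}: descriptor points outside the group")
        groups.append({"group": g, "block_bitmap": bbm, "inode_bitmap": ibm,
                       "inode_table": itab, "has_superblock_copy": has_superblock_copy(g)})
    return groups


def make_superblock(blocks_count, first_data_block, log_block_size,
                    blocks_per_group, inodes_per_group) -> bytes:
    """Constructed 1 KB superblock holding only the fields parse_superblock reads."""
    sb = bytearray(SUPERBLOCK_SIZE)
    for off, val in ((0x04, blocks_count), (0x14, first_data_block), (0x18, log_block_size),
                     (0x20, blocks_per_group), (0x28, inodes_per_group)):
        struct.pack_into("<I", sb, off, val)
    struct.pack_into("<H", sb, 0x38, EXT2_SUPER_MAGIC)
    return bytes(sb)


def build_sample_image() -> bytes:
    """Constructed image: 1 KB blocks, 16384 blocks in 2 groups of 8192 (3 blocks materialised)."""
    img = bytearray(3 * 1024)
    img[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE] = make_superblock(16384, 1, 0, 8192, 2048)
    # Block 2 is the BGD table: group 0 structures at blocks 3, 4, 5; group 1 at 8195, 8196, 8197.
    struct.pack_into("<III", img, 2 * 1024, 3, 4, 5)
    struct.pack_into("<III", img, 2 * 1024 + BGD_SIZE, 8195, 8196, 8197)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    geom = parse_superblock(img[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE])
    print(geom)
    for entry in parse_bgd_table(img, geom):
        print(entry)
```

The slide 9 placement rule is the sparse-superblock layout that current mkfs produces; an older file system created without that feature carries a copy in every group, so a missing copy in group 2 or 4 is not by itself evidence of damage.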
12 BGD Structure

- Each BGD is 32 bytes
- Offset 0x0 to 0x3:
  - Block number of the first block of the block bitmap of the represented group
- Offset 0x4 to 0x7:
  - Block number of the first block of the inode bitmap of the represented group
- Offset 0x8 to 0xB:
  - Block number of the first block of the inode table of the represented group
- And more!

13 Remaining Ingredients of a Block Group

- Following the superblock and BGD table (if present) are
  - Block bitmap: a bitmap indicating which blocks are available in the block group
    - Occupies exactly 1 block
    - What is the maximum no. of blocks in a group?
  - Inode table: an array of inodes
    - Each inode is 128 bytes
    - Superblock has information on how many inodes are there in a block group
    - Inode number 2 is for the root directory
  - Inode bitmap: a bitmap indicating which inodes are available in the block group
    - Occupies exactly 1 block
  - Data blocks

14 The Big Picture

[Figure: block groups laid out one after another. Block group 0: Superblock <1 KB>, BGD Table <1 block>, Some Reserved Blocks, Block bitmap <1 block>, Inode bitmap <1 block>, Inode table, Data. A block group holding a superblock duplicate: Superblock <1 block>, BGD Table <1 block>, Some Reserved Blocks, Block bitmap <1 block>, Inode bitmap <1 block>, Inode table, Data. A block group without a duplicate: Block bitmap <1 block>, Inode bitmap <1 block>, Inode table, Data. ...]

15 Inode Structure

- Each inode is 128 bytes and tells us about a file/directory
- Offset 0x0 to 0x1: Type of file and access rights
  - Uses special code values
- Offset 0x8 to 0xB: File access time
- Offset 0xC to 0xF: File create time
- Offset 0x10 to 0x13: File modify time
- Offset 0x28 to 0x63: Block pointers
  - Tells us where the contents of this file are stored
- The name of the file is not stored in the inode
  - It's part of the directory information!
16 Some Code Values at Offset 0

Code Value (Hex)  Description
8000              Regular file
4000              Directory
0800              UID on execution – set
0400              GID on execution – set
0100              Read by owner – allowed
0080              Write by owner – allowed
0040              Execution/search by owner – allowed
0020              Read by group – allowed
0010              Write by group – allowed
0008              Execution/search by group – allowed
0004              Read by others – allowed
0002              Write by others – allowed
0001              Execution/search by others – allowed

17 Inode Pointers

- Each pointer is a 32-bit (4 byte) address of a block
  - A block number
- Pointers 1 to 12 are direct pointers
  - Data blocks
- Pointer 13 is an indirect pointer
  - It takes you to a data block that is full of more direct pointers
- Pointer 14 is a double indirect pointer
  - It takes you to a data block that is full of more indirect pointers
- Pointer 15 is a triple indirect pointer
  - It takes you to a data block that is full of more double indirect pointers
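Slides 15, 16 and 17 describe the inode byte layout, the mode code values and the direct/indirect pointer scheme. The following added example (not code from the lecture) decodes a 128-byte inode at the offsets slide 15 gives, turns the slide 16 code values into a type and an rwx string, flags a deleted inode by its zero link count (slide 4), and then walks all 15 pointers over a constructed block image, following pointer 13 through one level of indirection, 14 through two and 15 through three, to recover the file's data blocks in order. It also computes how many blocks the 15-pointer scheme can reach for a given block size, which is why file size limits depend on the block size chosen at format time. Two fields not on the slides, the file size at 0x04 and the link count at 0x1A, come from the ext2 layout document the lecture cites; note also that the ext2 document calls the field at 0xC the inode change time (i_ctime) rather than a creation time. The image, block numbers and timestamps are constructed; holes (zero pointers) simply end a branch, so read_file is meant for files that are not sparse.

```python
import struct
from datetime import datetime, timezone

INODE_SIZE = 128        # slides 13 and 15
BLOCK_SIZE = 1024       # block size of the constructed image

# Slide 16 code values for the 16-bit field at inode offset 0.
FILE_TYPES = {0x8000: "regular file", 0x4000: "directory"}
PERM_BITS = [(0x0100, "r"), (0x0080, "w"), (0x0040, "x"),   # owner
             (0x0020, "r"), (0x0010, "w"), (0x0008, "x"),   # group
             (0x0004, "r"), (0x0002, "w"), (0x0001, "x")]   # others


def _ts(seconds: int) -> str:
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def parse_inode(raw: bytes) -> dict:
    """Decode one 128-byte inode using the slide 15 offsets (plus i_size and i_links_count)."""
    if len(raw) != INODE_SIZE:
        raise ValueError("an ext2 inode is exactly 128 bytes")
    mode = struct.unpack_from("<H", raw, 0x00)[0]          # type and access rights
    size = struct.unpack_from("<I", raw, 0x04)[0]          # i_size (ext2 doc)
    atime, ctime, mtime = struct.unpack_from("<III", raw, 0x08)   # 0x8, 0xC, 0x10
    links = struct.unpack_from("<H", raw, 0x1A)[0]         # i_links_count (ext2 doc)
    pointers = list(struct.unpack_from("<15I", raw, 0x28))  # 0x28 to 0x63
    return {"type": FILE_TYPES.get(mode & 0xF000, f"other(0x{mode & 0xF000:04X})"),
            "setuid": bool(mode & 0x0800), "setgid": bool(mode & 0x0400),
            "perms": "".join(ch if mode & bit else "-" for bit, ch in PERM_BITS),
            "size": size, "links": links,
            "deleted": links == 0,      # slide 4: deleted inodes have link count 0
            "atime": _ts(atime), "ctime": _ts(ctime), "mtime": _ts(mtime),
            "pointers": pointers}


def file_blocks(inode: dict, read_block, block_size: int) -> list:
    """Return the file's data block numbers in order. read_block(n) yields block n's bytes."""
    per_block = block_size // 4         # slide 17: each pointer is 4 bytes

    def collect(ptr: int, depth: int) -> list:
        if ptr == 0:
            return []
        if depth == 0:
            return [ptr]                # reached a data block
        out = []
        for entry in struct.unpack(f"<{per_block}I", read_block(ptr)):
            if entry == 0:
                break
            out.extend(collect(entry, depth - 1))
        return out

    blocks = [p for p in inode["pointers"][:12] if p]           # pointers 1-12: direct
    for ptr, depth in zip(inode["pointers"][12:], (1, 2, 3)):  # 13, 14, 15: indirection levels
        blocks.extend(collect(ptr, depth))
    return blocks


def read_file(inode: dict, read_block, block_size: int) -> bytes:
    data = b"".join(read_block(b) for b in file_blocks(inode, read_block, block_size))
    return data[:inode["size"]]         # the last block is only partly used


def max_addressable_blocks(block_size: int) -> int:
    """Data blocks reachable through 12 direct + single + double + triple indirect pointers."""
    n = block_size // 4
    return 12 + n + n * n + n ** 3


def build_sample() -> tuple:
    """Constructed image: a 15-block regular file. Blocks 10-21 via the 12 direct pointers;
    block 22 is an indirect block naming data blocks 23, 24, 25. Each data block is filled
    with its own block number so the walk is easy to check."""
    image = bytearray(32 * BLOCK_SIZE)
    for b in list(range(10, 22)) + [23, 24, 25]:
        image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes([b]) * BLOCK_SIZE
    struct.pack_into("<3I", image, 22 * BLOCK_SIZE, 23, 24, 25)
    inode = bytearray(INODE_SIZE)
    struct.pack_into("<H", inode, 0x00, 0x8000 | 0x0100 | 0x0080 | 0x0020 | 0x0004)  # rw-r--r--
    struct.pack_into("<I", inode, 0x04, 15 * BLOCK_SIZE - 100)
    struct.pack_into("<III", inode, 0x08, 1409500000, 1409500000, 1409500000)
    struct.pack_into("<H", inode, 0x1A, 1)
    struct.pack_into("<15I", inode, 0x28, *(list(range(10, 22)) + [22, 0, 0]))
    return bytes(inode), bytes(image)


def sample_read_block(image: bytes):
    return lambda n: image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]


if __name__ == "__main__":
    raw_inode, image = build_sample()
    ino = parse_inode(raw_inode)
    print(ino["type"], ino["perms"], ino["size"], "bytes; deleted:", ino["deleted"])
    print("data blocks:", file_blocks(ino, sample_read_block(image), BLOCK_SIZE))
    print("reachable blocks at 1 KB / 4 KB:", max_addressable_blocks(1024), max_addressable_blocks(4096))
```

On a real image, `read_block` would seek to `n * block_size` in the partition, and the inode bytes would come from the inode table of the group that owns the inode number (inode table block from the BGD, slide 12, plus `(inode_number - 1) % inodes_per_group * 128`).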

18 Inode Pointers (contd.)

[Figure: an inode's 15 pointers. Pointers 1 to 12 each point to a block of File Data (as big as block size), e.g. pointer 1 to block 1037 and pointer 12 to block 1036. Pointer 13 points to a block full of direct pointers (1, 2, ..., 12, ...), pointer 14 to a block full of indirect pointers (13, 14, ...), and pointer 15 to a block full of double indirect pointers; "?" marks blocks whose contents are not drawn.]

19 Some Other Information

- Bad block inode
  - Keeps track of disk's bad sectors
  - Inode 1
  - Some forensics tools ignore this inode
  - Commands: badblocks and e2fsck
- Continuation inode
  - File A: part in block group X and part in block group Y
  - Inodes in each block group
  - Helps retrieve allocated blocks when parts of the file system get corrupted

20 Directories

- A directory is just a file with specially formatted data
- Linked list implementation
  - An array of directory entries
  - Variable size
  - Offset 0 to 3: inode number corresponding to this entry
  - Offset 6: length of the name of this entry
  - Offset 8 onwards: name of this entry
- First entry is always for itself (seen as a . when running ls)
- Second entry is always for the parent directory (..)
- Other implementations exist
  - E.g. B+-tree

21 References

- Ch 8: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
- Layout of ext2fs: http://www.nongnu.org/ext2-doc/ext2.html
  - Ext3 basic structure is same as ext2
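Slide 20 gives the directory entry layout (inode number at 0-3, name length at 6, name from 8) and calls the structure a linked list. The link is the 16-bit record length at offset 4-5, which the slides do not list but the ext2 layout document they cite does; each entry's rec_len says where the next one starts. That detail is what makes directory blocks a forensic artifact: when ext2 unlinks a file it does not wipe the entry, it enlarges the previous entry's rec_len to jump over it, so the old inode number and name stay on disk until the space is reused. The following added example (not code from the lecture) walks the live chain the way ls sees it, and then scans the slack inside each live record for entries that were skipped over. The directory block, names and inode numbers are constructed; offset 7 (file type) is also from the ext2 document.

```python
import struct

DIRENT_HEADER = 8    # slide 20: inode at 0-3, then (ext2 doc) rec_len 4-5, name_len 6, file_type 7
MAX_NAME = 255


def _round4(n: int) -> int:
    return (n + 3) & ~3          # records are padded to a multiple of 4 bytes


def _parse_at(block: bytes, off: int):
    inode, rec_len, name_len, file_type = struct.unpack_from("<IHBB", block, off)
    return inode, rec_len, name_len, file_type, block[off + 8:off + 8 + name_len]


def walk_directory(block: bytes) -> list:
    """Follow the linked list of live entries; rec_len of each entry locates the next."""
    entries, off = [], 0
    while off + DIRENT_HEADER <= len(block):
        inode, rec_len, name_len, file_type, name = _parse_at(block, off)
        if rec_len < DIRENT_HEADER or rec_len % 4 or off + rec_len > len(block):
            raise ValueError(f"corrupt rec_len {rec_len} at offset {off}")
        if inode != 0:           # inode 0 marks an unused slot
            entries.append({"offset": off, "inode": inode, "rec_len": rec_len,
                            "name": name.decode("utf-8", "replace")})
        off += rec_len
    return entries


def _plausible(block: bytes, off: int) -> bool:
    """Sanity checks for a record header found in slack space."""
    if off + DIRENT_HEADER > len(block):
        return False
    inode, rec_len, name_len, _, name = _parse_at(block, off)
    return (inode != 0 and 0 < name_len <= MAX_NAME and off + 8 + name_len <= len(block)
            and rec_len % 4 == 0 and rec_len >= _round4(8 + name_len)
            and all(32 <= c < 127 for c in name))


def find_unlinked_entries(block: bytes) -> list:
    """Scan the slack of each live record (after its padded name, before the next record)
    for entries that were jumped over when a file was unlinked."""
    found = []
    for live in walk_directory(block):
        off = live["offset"] + _round4(DIRENT_HEADER + len(live["name"].encode()))
        end = live["offset"] + live["rec_len"]
        while off + DIRENT_HEADER <= end:
            if _plausible(block, off):
                inode, rec_len, name_len, _, name = _parse_at(block, off)
                found.append({"offset": off, "inode": inode, "name": name.decode("utf-8", "replace")})
                off += rec_len
            else:
                off += 4
    return found


def _dirent(inode: int, name: bytes, rec_len: int = None) -> bytes:
    rec_len = rec_len or _round4(DIRENT_HEADER + len(name))
    return struct.pack("<IHBB", inode, rec_len, len(name), 1) + name.ljust(rec_len - DIRENT_HEADER, b"\x00")


def build_sample_block(block_size: int = 1024) -> bytes:
    """Constructed directory block: '.', '..', 'secret.txt' (inode 15) and 'notes' (inode 16),
    then secret.txt is unlinked the ext2 way by stretching the '..' record over it."""
    body = _dirent(2, b".") + _dirent(2, b"..") + _dirent(15, b"secret.txt")
    body += _dirent(16, b"notes", rec_len=block_size - len(body))
    block = bytearray(body)
    struct.pack_into("<H", block, 12 + 4, 12 + 20)   # '..' at offset 12: rec_len 12 -> 32
    return bytes(block)


if __name__ == "__main__":
    blk = build_sample_block()
    print("live:", [(e["name"], e["inode"]) for e in walk_directory(blk)])
    print("unlinked:", [(e["name"], e["inode"]) for e in find_unlinked_entries(blk)])
```

The recovered inode number is the starting point for the rest of the chain: look the inode up in its group's inode table, and if its link count is zero (slide 4) its block pointers may still lead to the file's content, provided those blocks have not been reallocated.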
