Linux System Artifacts

1. UNIX operating systems include flavors like Solaris, AIX, HP-UX, FreeBSD, OpenBSD, and NetBSD as well as popular Linux distributions such as Red Hat, Fedora, Ubuntu, and Debian.
2. Linux uses files like /etc/fstab, /var/log/lastlog, /var/log/wtmp, and /var/log/messages to store important system information. It employs the extended file system (Ext2fs, Ext3fs, Ext4fs), which uses inodes to store file metadata and block numbers for file contents.
3. The Linux file system is organized into block groups containing blocks, which are typically 4KB in size.


Linux System Artifacts
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555
L7: Linux System Artifacts

1 UNIX and Linux

!  UNIX flavors
   !  System V variants: Sun Solaris, IBM AIX, and HP-UX
   !  BSD variants: FreeBSD, OpenBSD, and NetBSD
!  Linux distributions
   !  Red Hat, Fedora, Ubuntu, and Debian
   !  Most consistent UNIX-like operating systems
!  The Linux kernel is licensed under the GNU General Public License (GPL)


2 UNIX and Linux

!  BSD license is similar to the GPL
   !  But makes no requirements for derivative works
!  Some useful Linux commands to find information about your Linux system
   !  uname -a
   !  ls -l
   !  ls -ul filename
   !  netstat -s

3 Some Linux System Files

System file        Purpose
/etc/fstab         File system table of devices and mount points
/var/log/lastlog   Last login time of all users
/var/log/wtmp      Logon and logoff history information
/var/run/utmp      Current users' logon information
/var/log/messages  System message log
/etc/shadow        Master password file for the local system
/etc/group         Group memberships for the local system
/dev/hda           Device file for the first IDE hard drive
/proc/meminfo      Memory usage information for both physical memory and swap space
/proc/modules      Lists currently loaded modules


4 Extended File System

!  Linux file systems
   !  Second Extended File System (Ext2fs)
   !  Ext3fs, journaling version of Ext2fs
   !  Now Ext4fs
!  Employs inodes (information/index nodes)
   !  Identified by a number
   !  Contain information about one file or directory
   !  Store data block numbers
   !  Keep an internal link count
      !  Deleted inodes have count value 0
!  Directories
   !  Specially structured files containing <name, inode> records

5 Linux File System Terminology

!  A block in Linux can be 1KB, 2KB, 4KB or 8KB (analogous to a Windows "cluster")
   !  Decided when formatting the drive (4KB is typical)
!  Block group
   !  A set of contiguous blocks
   !  A block group descriptor table specifies where each block group begins
!  Inode
   !  Fully describes a file/directory
   !  Has information on the block numbers where a file's content resides

6 Block Zero

!  Boot block
   !  Contains the bootstrap code in the first sector
   !  512 bytes

7 Block Groups

!  Block group zero starts at offset 1024 bytes from the beginning of the partition
   !  When is block 0 part of block group 0?
      !  If block size > 1024 bytes
!  Block groups 1 onwards start from other block numbers
!  Number of blocks in a block group is at most 8 times the size of a block in bytes (the block bitmap holds one bit per block and occupies a single block)
   !  For 4KB block size, you can have at most 8 x 4096 = 32768 blocks in a block group


8 Blocks and Block Groups

[Figure: block groups with block size > 1024 bytes. Block group 0 begins with the boot block, followed by Blocks 1, 2, 3, ...; Block group 1 follows. Byte 1024 (inside block group 0) is marked as the start of the superblock.]

9 Super Block

!  Indicates disk geometry, available space, the location of the first inode, and other file system specific information
!  1 KB of information
!  Stored at offset 1024 bytes of the partition (i.e. in block group 0)
!  Redundant copies are also maintained
   !  First block of block groups 1 and powers of 3, 5, and 7 stores a duplicate of the super block

10 Super Block Structure

!  Offset 0x18: Logarithm of the block size (KB) : 32-bit
!  Offset 0x20: Number of blocks per group : 32-bit
!  Offset 0x28: Number of inodes per group : 32-bit
!  Offset 0x38: 2 byte magic number identifying the file system
   !  0xEF53 means ext
!  Other information
   !  Number of free inodes and blocks across all groups
   !  Time when file system was last mounted/accessed/verified
   !  Journaling files
!  http://www.nongnu.org/ext2-doc/ext2.html

11 Block Group Descriptor Table

!  Following the superblock
!  Duplicates are maintained in block groups that also contain the superblock duplicate
!  Information pertaining to all block groups
!  Superblock has information to compute the number of block groups
   !  We can use it to determine how many blocks are required to store this table
!  The table is an array of BGD structures

   [Figure: BGD 0 | BGD 1 | … | BGD N]
12 BGD Structure

!  Each BGD is 32 bytes
!  Offset 0x0 to 0x3:
   !  Block number of the first block of the block bitmap of the represented group
!  Offset 0x4 to 0x7:
   !  Block number of the first block of the inode bitmap of the represented group
!  Offset 0x8 to 0xB:
   !  Block number of the first block of the inode table of the represented group
!  And more!

13 Remaining Ingredients of a Block Group

!  Following the superblock and BGD table (if present) are
   !  Block bitmap: a bitmap indicating which blocks are available in the block group
      !  Occupies exactly 1 block
      !  What is the maximum no. of blocks in a group?
   !  Inode bitmap: a bitmap indicating which inodes are available in the block group
      !  Occupies exactly 1 block
   !  Inode table: an array of inodes
      !  Each inode is 128 bytes
      !  Superblock has information on how many inodes there are in a block group
      !  Inode number 2 is for the root directory
   !  Data blocks
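As an added example (not from the slides or the course), here is a Python parser for the superblock fields on slide 10 that derives the block size, the number of block groups and the number of blocks the BGD table occupies (slide 11), then reads the three block numbers of each BGD (slide 12). It assumes the ext2 s_blocks_count field at superblock offset 0x4, which the slides do not list, and runs against a small constructed image.

```python
import struct

EXT2_MAGIC = 0xEF53          # slide 10: 0xEF53 means ext
BGD_SIZE = 32                # slide 12: each BGD is 32 bytes

def parse_superblock(image):
    sb = image[1024:2048]                       # superblock: 1 KB at byte offset 1024
    magic = struct.unpack_from("<H", sb, 0x38)[0]
    if magic != EXT2_MAGIC:
        raise ValueError("not an ext superblock: magic 0x%04X" % magic)
    blocks_count = struct.unpack_from("<I", sb, 0x4)[0]     # s_blocks_count: from the ext2 spec, not the slides
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    blocks_per_group = struct.unpack_from("<I", sb, 0x20)[0]
    inodes_per_group = struct.unpack_from("<I", sb, 0x28)[0]
    block_size = 1024 << log_block_size          # "logarithm of the block size (KB)"
    # the block bitmap is exactly one block, so a group can hold at most
    # 8 * block_size blocks (slide 7); a larger value means a corrupt superblock
    if blocks_per_group > 8 * block_size:
        raise ValueError("blocks_per_group %d exceeds one block bitmap" % blocks_per_group)
    n_groups = -(-blocks_count // blocks_per_group)          # ceiling division
    bgdt_blocks = -(-(n_groups * BGD_SIZE) // block_size)    # blocks needed for the BGD table
    return {"block_size": block_size, "blocks_per_group": blocks_per_group,
            "inodes_per_group": inodes_per_group, "n_groups": n_groups,
            "bgdt_blocks": bgdt_blocks}

def parse_bgd_table(image, sb):
    # the table follows the superblock: block 2 for 1 KB blocks, block 1 otherwise
    base = (1024 // sb["block_size"] + 1) * sb["block_size"]
    groups = []
    for i in range(sb["n_groups"]):
        bb, ib, it = struct.unpack_from("<III", image, base + i * BGD_SIZE)   # offsets 0x0, 0x4, 0x8
        groups.append({"block_bitmap": bb, "inode_bitmap": ib, "inode_table": it})
    return groups

def build_sample_image():
    # constructed image with 4 KB blocks: only the superblock and a 2-entry BGD table
    image = bytearray(4096 * 2)
    struct.pack_into("<I", image, 1024 + 0x4, 40000)         # 40000 blocks in total
    struct.pack_into("<I", image, 1024 + 0x18, 2)            # 1024 << 2 = 4096
    struct.pack_into("<I", image, 1024 + 0x20, 32768)        # 8 x 4096 blocks per group
    struct.pack_into("<I", image, 1024 + 0x28, 8192)
    struct.pack_into("<H", image, 1024 + 0x38, EXT2_MAGIC)
    for i, bgd in enumerate([(2, 3, 4), (32770, 32771, 32772)]):
        struct.pack_into("<III", image, 4096 + i * BGD_SIZE, *bgd)
    return bytes(image)
```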

14 The Big Picture

[Figure: on-disk layout of consecutive block groups]
   Block group 0: Superblock <1 KB>, BGD Table <1 block>, Some Reserved Blocks, Block bitmap <1 block>, Inode bitmap <1 block>, Inode table, Data
   Block group with a superblock copy: Superblock <1 block>, BGD Table <1 block>, Some Reserved Blocks, Block bitmap <1 block>, Inode bitmap <1 block>, Inode table, Data
   Block group without a superblock copy: Block bitmap <1 block>, Inode bitmap <1 block>, Inode table, Data
   ...

15 Inode Structure

!  Each inode is 128 bytes and tells us about a file/directory
!  Offset 0x0 to 0x1: Type of file and access rights
   !  Uses special code values
!  Offset 0x8 to 0xB: File access time
!  Offset 0xC to 0xF: File create time
!  Offset 0x10 to 0x13: File modify time
!  Offset 0x28 to 0x63: Block pointers
   !  Tells us where the contents of this file are stored
!  The name of the file is not stored in the inode
   !  It's part of the directory information!
16 Some Code Values at Offset 0

Code Value (Hex)  Description
8000              Regular file
4000              Directory
0800              UID on execution – set
0400              GID on execution – set
0100              Read by owner – allowed
0080              Write by owner – allowed
0040              Execution/search by owner – allowed
0020              Read by group – allowed
0010              Write by group – allowed
0008              Execution/search by group – allowed
0004              Read by others – allowed
0002              Write by others – allowed
0001              Execution/search by others – allowed

17 Inode Pointers

!  Each pointer is a 32-bit (4 byte) address of a block
   !  A block number
!  Pointers 1 to 12 are direct pointers
   !  Data blocks
!  Pointer 13 is an indirect pointer
   !  It takes you to a data block that is full of more direct pointers
!  Pointer 14 is a double indirect pointer
   !  It takes you to a data block that is full of more indirect pointers
!  Pointer 15 is a triple indirect pointer
   !  It takes you to a data block that is full of more double indirect pointers

18 Inode Pointers (contd.)

[Figure: an inode (Info plus Pointer 1 to Pointer 15). Pointers 1 to 12 lead straight to file data blocks (each as big as the block size); Pointers 13, 14 and 15 lead to blocks of further pointers, with the deeper levels shown as "?". Example block numbers in the figure: 1, 2, ..., 12, 13, 14, 1036, 1037.]

19 Some Other Information

!  Bad block inode
   !  Keeps track of disk's bad sectors
   !  Inode 1
   !  Some forensics tools ignore this inode
   !  Commands: badblocks and e2fsck
!  Continuation inode
   !  File A: part in block group X and part in block group Y
   !  Inodes in each block group
   !  Helps retrieve allocated blocks when parts of the file system get corrupted
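Added example, not part of the slides: parsing a 128-byte inode at the offsets on slide 15, decoding the mode code values of slide 16 into a file type and permission string, and resolving the direct and indirect block pointers of slides 17 and 18 into the list of data blocks. The 4 KB block size and the sample image are assumptions constructed for the demonstration.

```python
import struct

BLOCK_SIZE = 4096   # assumed here; on a real image take it from the superblock

def decode_mode(mode):
    # slide 16 code values: 8000 regular file, 4000 directory, 0800 set-UID,
    # 0400 set-GID, then one bit each for r/w/x by owner, group and others
    kind = {0x8000: "regular file", 0x4000: "directory"}.get(mode & 0xF000, "other")
    perms = "".join(c if mode & (1 << (8 - i)) else "-"
                    for i, c in enumerate("rwxrwxrwx"))
    special = [n for bit, n in ((0x0800, "setuid"), (0x0400, "setgid")) if mode & bit]
    return kind, perms, special

def parse_inode(raw):
    # field offsets from slide 15; the 0xC field is what the slide calls create
    # time (in ext2 it is the inode change time, ctime)
    mode = struct.unpack_from("<H", raw, 0x0)[0]
    atime, ctime, mtime = struct.unpack_from("<III", raw, 0x8)
    pointers = list(struct.unpack_from("<15I", raw, 0x28))   # 15 pointers, 0x28..0x63
    return {"mode": mode, "atime": atime, "ctime": ctime, "mtime": mtime,
            "pointers": pointers}

def _walk(image, block, depth, out):
    # depth 0: a data block; depth k: a block full of pointers to depth k-1 blocks
    if block == 0:                       # unused pointer (or a hole in a sparse file)
        return
    if depth == 0:
        out.append(block)
        return
    raw = image[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE]
    for ptr in struct.unpack("<%dI" % (BLOCK_SIZE // 4), raw):
        _walk(image, ptr, depth - 1, out)

def data_blocks(image, inode):
    # pointers 1-12 are direct; 13, 14 and 15 are single, double and triple indirect
    out = []
    for i, ptr in enumerate(inode["pointers"]):
        _walk(image, ptr, 0 if i < 12 else i - 11, out)
    return out

def build_sample_image():
    # constructed 6-block image: the inode sits at byte 0, file data is in
    # blocks 1, 2, 4 and 5, block 3 is the single-indirect block listing 4 and 5
    image = bytearray(BLOCK_SIZE * 6)
    struct.pack_into("<H", image, 0x0, 0x81A4)                # regular file, rw-r--r--
    struct.pack_into("<III", image, 0x8, 1700000000, 1700000001, 1700000002)
    struct.pack_into("<15I", image, 0x28, 1, 2, *([0] * 10), 3, 0, 0)
    struct.pack_into("<II", image, 3 * BLOCK_SIZE, 4, 5)
    return bytes(image)
```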
20 Directories

!  A directory is just a file with specially formatted data
!  Linked list implementation
   !  An array of directory entries
   !  Variable size
   !  Offset 0 to 3: inode number corresponding to this entry
   !  Offset 6: length of the name of this entry
   !  Offset 8 onwards: name of this entry
   !  First entry is always for itself (seen as a . when running ls)
   !  Second entry is always for the parent directory (..)
!  Other implementations exist
   !  E.g. B+-tree

21 References

!  Ch 8: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
!  Layout of ext2fs: http://www.nongnu.org/ext2-doc/ext2.html
   !  Ext3 basic structure is the same as ext2
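Added example for the Directories slide, not from the course material: walking the linked list of directory entries and, going one step beyond the slide, scanning the slack inside each entry for entries that were unlinked (ext2/ext3 remove an entry by stretching the previous entry's record length over it, leaving its bytes in place, which is what lets a forensic tool recover deleted file names). The record length at offset 4 and the file type byte at offset 7 come from the ext2 specification rather than the slide; the directory block is constructed.

```python
import struct

def walk_entries(block):
    # the allocated chain: hop by rec_len (offset 4; from the ext2 spec, not the slide)
    off, entries = 0, []
    while off + 8 <= len(block):
        inode, rec_len, name_len = struct.unpack_from("<IHB", block, off)
        if rec_len < 8 or off + rec_len > len(block):
            break                                   # corrupt chain: stop, do not loop
        name = block[off + 8:off + 8 + name_len].decode("latin-1")
        if inode != 0:                              # inode 0 marks an unused entry
            entries.append((name, inode))
        off += rec_len
    return entries

def find_slack_entries(block):
    # an unlinked entry is hidden by enlarging the previous rec_len; its bytes stay.
    # scan the gap between each entry's minimal size and its rec_len for old headers
    found, off = [], 0
    while off + 8 <= len(block):
        inode, rec_len, name_len = struct.unpack_from("<IHB", block, off)
        if rec_len < 8 or off + rec_len > len(block):
            break
        pos = off + ((8 + name_len + 3) & ~3)       # entries are padded to 4 bytes
        while pos + 8 <= off + rec_len:
            h_inode, h_rec, h_len = struct.unpack_from("<IHB", block, pos)
            if h_inode == 0 or h_len == 0 or pos + 8 + h_len > off + rec_len:
                break
            found.append((block[pos + 8:pos + 8 + h_len].decode("latin-1"), h_inode))
            pos += (8 + h_len + 3) & ~3
        off += rec_len
    return found

def make_entry(inode, name, rec_len, stored=None):
    # stored: bytes actually laid down (defaults to rec_len); lets a header claim a
    # rec_len larger than its own bytes, exactly as after an unlink
    n = name.encode()
    e = struct.pack("<IHBB", inode, rec_len, len(n), 0) + n   # file type byte = 0
    return e + b"\0" * ((stored or rec_len) - len(e))

def build_sample_block(size=1024):
    # constructed 1 KB directory block: ".", "..", "notes.txt", then "secret.key",
    # whose entry was unlinked by stretching notes.txt's rec_len from 20 to 1000
    block = make_entry(2, ".", 12) + make_entry(2, "..", 12)
    block += make_entry(12, "notes.txt", size - 24, stored=20)
    block += make_entry(13, "secret.key", size - 44)
    return block
```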
