Labo 2 – Semi-automated analysis of file systems

Post on 15-Jan-2016


OPERATING SYSTEMS

Frans Sanen

Goals & Tools

Use some tools capable of analysing several file systems, in order to understand how those file systems work: The Sleuth Kit (TSK)

http://www.sleuthkit.org


fls

To list the contents of a file system, e.g. fls -f fat fat12.img

An inode (meta-data address) can be passed as an extra argument to list that directory instead of the root directory

Option -r lists the contents recursively

Option -l gives further information such as access times and file size

Deleted entries are marked with an asterisk (*) in the listing; they are still listed because deletion only marks the directory entry, it does not wipe it


icat

To dump the contents of a file, addressed by its inode, e.g. icat -f fat fat12.img 229 > /tmp/vbje.jpg

The shell's command redirection can be used to save the binary output to a file; pipes can be used as well

Option -r tries to recover a deleted file (on FAT the cluster chain has been cleared, so TSK assumes the file was stored contiguously and reads enough consecutive clusters from the first one to cover the recorded size)

Option -s reads the last cluster of the file in full, so the contents of the slack space become visible


istat

To show the meta-data of a particular inode, e.g. istat -f fat fat12.img 229

The output includes the allocation status, the size, the MAC times and the list of sectors allocated to the file


ifind & ffind

ifind retrieves the meta-data structure (inode) that has allocated a given data unit: pass the data unit address with -d (for FAT images TSK addresses data in sectors) and you get the inode back, e.g. ifind -f fat -d 147 fat12.img

ffind does the reverse for names: it searches the file name(s) that point to a given inode, e.g. ffind -f fat -d fat12.img 229. Note that -d restricts ffind to deleted entries only; use -a to report all matching entries, or no option for the allocated name
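An added example, not part of the slides and not TSK code: a minimal FAT12 reader in Python that does by hand what fls, icat (with -r and -s) and ifind -d do, on a tiny FAT12 volume constructed in memory, so it runs without an image and without TSK. Everything in it is an assumption made for illustration: the geometry, the file names HELLO.TXT and SECRET.TXT, their contents, the text placed in slack space, and the "inode" numbers, which are simply root-directory entry indices rather than TSK's FAT meta-data addresses. It shows why -f fat matters (the BPB in sector 0 gives the layout), how a cluster number maps to sectors (the same mapping the exercise about matrixs3.jpg below asks for), why a deleted file's FAT chain cannot be followed and what the contiguity assumption behind icat -r buys you, and where slack space comes from.

```python
import struct

# Constructed geometry (not a real floppy): one FAT, 64 sectors of 512 bytes, 16 root entries, 1 sector per cluster.
BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL, SPF = 512, 1, 1, 1, 16, 64, 1
DIRENT = "<11sBBBHHHHHHHI"  # name, attr, ntres, ctime_ms, ctime, cdate, adate, first_hi, wtime, wdate, first_lo, size
HELLO = (b"the quick brown fox jumps over the lazy dog\n" * 14)[:600]        # 512 + 88 bytes -> clusters 2 and 3
SLACK = b"[constructed leftover text sitting in the slack of HELLO.TXT]"     # past EOF, still inside cluster 3
SECRET = (b"deleted file, but its two clusters are untouched\n" * 13)[:600]  # clusters 4 and 5, FAT entries freed

def fat12_get(fat, n):
    """FAT12 packs 12-bit entries 1.5 bytes apart: entry n starts at byte n + n // 2."""
    v = fat[n + n // 2] | (fat[n + n // 2 + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0xFFF)

def fat12_set(fat, n, val):
    off = n + n // 2
    if n & 1:
        fat[off], fat[off + 1] = (fat[off] & 0x0F) | ((val << 4) & 0xF0), (val >> 4) & 0xFF
    else:
        fat[off], fat[off + 1] = val & 0xFF, (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)

def layout(img):
    """Decode the BPB in sector 0; '-f fat' is what tells TSK to read the geometry from here."""
    bps, spc, res, nfats, root_n, _total, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root = res + nfats * spf                                    # first root-directory sector
    return dict(bps=bps, spc=spc, fat=(res, spf), root=root, root_n=root_n, data=root + root_n * 32 // bps)

def chain(img, lo, first):
    """Follow the FAT from `first` until end-of-chain (0xFF8..0xFFF) or a free entry (0, as left by deletion)."""
    fat = img[lo["fat"][0] * lo["bps"]:(lo["fat"][0] + lo["fat"][1]) * lo["bps"]]
    out, c = [], first
    while 2 <= c < 0xFF8:
        out.append(c)
        c = fat12_get(fat, c)
    return out

def sectors(lo, clusters):
    """Cluster 2 is the first cluster of the data area; this is the mapping behind 'which sectors does file X use'."""
    return [lo["data"] + (c - 2) * lo["spc"] + i for c in clusters for i in range(lo["spc"])]

def fls(img):
    """Root-directory listing like 'fls -f fat'. 'inode' is just the entry index here, not TSK's FAT numbering."""
    lo = layout(img)
    base, out = lo["root"] * lo["bps"], []
    for i in range(lo["root_n"]):
        raw = img[base + 32 * i:base + 32 * i + 32]
        if raw[0] == 0:                        # 0x00 in the first byte: end of directory
            break
        name, _attr, *_, first, size = struct.unpack(DIRENT, raw)
        deleted = name[0] == 0xE5              # deletion overwrites only the first name byte; the clusters stay
        stem = (b"_" if deleted else name[:1]) + name[1:8].rstrip()
        out.append(dict(inode=i, name=(stem + b"." + name[8:].rstrip()).decode(), deleted=deleted, first=first, size=size))
    return out

def icat(img, entry, recover=False, slack=False):
    """File contents. recover=True mimics 'icat -r' on FAT (chain gone, so assume a contiguous file and read
    ceil(size / cluster) clusters from the first one); slack=True mimics 'icat -s' (return whole clusters)."""
    lo = layout(img)
    cb = lo["bps"] * lo["spc"]
    if recover:
        clusters = list(range(entry["first"], entry["first"] + (entry["size"] + cb - 1) // cb))
    else:
        clusters = chain(img, lo, entry["first"])
    data = b"".join(img[s * lo["bps"]:(s + 1) * lo["bps"]] for s in sectors(lo, clusters))
    return data if slack else data[:entry["size"]]

def ifind(img, sector):
    """Which allocated entry owns a sector, like 'ifind -d'; None means no allocated owner (free or deleted)."""
    lo = layout(img)
    for e in fls(img):
        if not e["deleted"] and sector in sectors(lo, chain(img, lo, e["first"])):
            return e
    return None

def build_image():
    """HELLO.TXT allocated in clusters 2-3 with junk in its slack; SECRET.TXT deleted (entry 0xE5, FAT freed)."""
    img = bytearray(TOTAL * BPS)
    struct.pack_into("<HBHBHHBH", img, 11, BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL, 0xF0, SPF)
    fat = bytearray(SPF * BPS)
    for n, v in ((0, 0xFF0), (1, 0xFFF), (2, 3), (3, 0xFFF)):  # clusters 4 and 5 stay 0 = free
        fat12_set(fat, n, v)
    img[RESERVED * BPS:(RESERVED + SPF) * BPS] = fat

    def ent(name, first, size, deleted):
        raw = name.encode()
        return struct.pack(DIRENT, (b"\xe5" + raw[1:]) if deleted else raw, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, first, size)

    root = (RESERVED + NFATS * SPF) * BPS
    img[root:root + 32] = ent("HELLO   TXT", 2, len(HELLO), False)
    img[root + 32:root + 64] = ent("SECRET  TXT", 4, len(SECRET), True)
    data = root + ROOT_ENTRIES * 32                      # byte offset of cluster 2
    img[data:data + len(HELLO)] = HELLO
    img[data + len(HELLO):data + len(HELLO) + len(SLACK)] = SLACK
    img[data + 2 * BPS:data + 2 * BPS + len(SECRET)] = SECRET
    return bytes(img)

if __name__ == "__main__":
    image = build_image()
    for e in fls(image):                                 # '*' marks a deleted entry, as fls does
        print(("* " if e["deleted"] else "  ") + f"{e['inode']}: {e['name']}  size={e['size']}  first={e['first']}")
```

Two things worth checking against real TSK output: icat without -r on the deleted file returns only its first cluster, because the FAT entries for a freed file are zero and the chain stops there, whereas the recovery path gets the whole file back only because the constructed file happens to be contiguous; and ifind on a sector that belonged to the deleted file reports no allocated owner, even though the data is still there, which is the gap that carving tools fill.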

Exercises

Use the image practical.floppy.dd and verify its MD5 sum: 2f4791784e2af37cf196e6a72cc79d99

Create a list of all files (only files, no directories!) on the file system

Which sectors are occupied by the file matrixs3.jpg?

In fat12.img a secret message is hidden. What is it and where is it hidden? Tip: it contains the word “plezier”. How can you display it using TSK?

sorter

Sorts the files in a file system by category (images, documents, executables, ...); it is a Perl script built on the fls and icat tools: every file is listed with fls, extracted with icat and identified with the file command, and the detected type is compared with the file's extension

E.g. sorter -f fat -d tmp/sorter/ fat12.img, then cat tmp/sorter/unknown.txt

One text file per recognized category is created in the output directory

Option -s additionally creates, next to every text file, a directory into which all files of that category are copied


Exercises

In the example in the task description, sorter reports an extension mismatch: explain briefly why.

Use sorter to export all files from the image practical.floppy.dd.

Extra: use sorter to export only the pictures from the same image, but without the extension mismatch check.


Autopsy

Simple web interface built on top of the TSK tools; normally not included in Knoppix

apt-get update
apt-get install foremost autopsy

The server is started with the command autopsy (by default it only accepts connections from localhost)

Surf to http://localhost:9999/autopsy


sigfind & foremost

sigfind looks for hexadecimal patterns at a fixed offset within every block of the image (examples are included in the task description); it is similar to grep for ASCII patterns, but it works on the raw image and reports the block (sector) numbers where the pattern occurs

foremost supports file carving for different file types like jpg, gif, pdf, doc, etc.; it ignores the file system and recovers files purely from their header and footer signatures

E.g. foremost -t jpg -o tmp/jpgs fat12.img


Exercises

Suppose you are looking for jpg files. Why should you use both a tool like sorter and a tool like foremost? Describe a situation in which sorter skips, or does not correctly find, a certain jpg even though the jpg physically exists on disk.

Validate your thoughts on image 8 from http://dftt.sourceforge.net
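An added example (not from the lab, and not the code of sigfind or foremost) of what the two tools do under the hood, applied to the kind of situation the exercise above asks about: a constructed raw image holds one JPEG-like blob that starts on a sector boundary, as a file allocated by the file system would, and a second one that has no directory entry and starts in the middle of a sector. A sigfind-style search tests a fixed offset in every sector, so it only finds the second blob when given the right offset; foremost-style header/footer carving walks every byte and finds both without consulting any file-system metadata. The "JPEGs" are constructed byte strings with valid SOI/APP0/EOI markers but no picture data, and the sizes and positions are assumptions.

```python
import struct

SECTOR = 512
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"   # start-of-image / end-of-image markers

def jpeg_like(payload):
    """Constructed stand-in for a JPEG: SOI, a 16-byte APP0/JFIF segment, payload, EOI (not a decodable picture)."""
    app0 = b"\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + payload + JPEG_EOI

# Assumed scenario: A was written by the file system (sector-aligned); B lost its directory entry and is unaligned.
A = jpeg_like(b"A" * 700)
B = jpeg_like(b"B" * 300)
B_OFFSET = 6 * SECTOR + 100

def build_image():
    img = bytearray(16 * SECTOR)
    img[2 * SECTOR:2 * SECTOR + len(A)] = A
    img[B_OFFSET:B_OFFSET + len(B)] = B
    return bytes(img)

def sigfind(img, sig, offset=0, block=SECTOR):
    """Like TSK's sigfind: test every block for `sig` at a fixed `offset`, return the matching block numbers."""
    return [b for b in range(len(img) // block)
            if img[b * block + offset:b * block + offset + len(sig)] == sig]

def carve_jpegs(img, max_len=64 * 1024):
    """Like foremost -t jpg: walk every byte, pair each SOI with the next EOI within max_len, return (offset, bytes).
    No file-system metadata is consulted, so orphaned files are found; fragmented ones come out broken."""
    out, pos = [], 0
    while True:
        start = img.find(JPEG_SOI, pos)
        if start < 0:
            return out
        end = img.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end < 0:                       # header without a footer in range: skip it
            pos = start + 1
            continue
        out.append((start, img[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)

if __name__ == "__main__":
    image = build_image()
    print("sigfind FFD8FF at offset 0   -> sectors", sigfind(image, JPEG_SOI))
    print("sigfind FFD8FF at offset 100 -> sectors", sigfind(image, JPEG_SOI, offset=100))
    print("foremost-style carve         -> offsets", [o for o, _ in carve_jpegs(image)])
```

The second blob is exactly the case sorter cannot handle: sorter only sees what fls lists, and a file whose directory entry has been overwritten or lives in a re-formatted region is invisible to it even though every byte is still on disk. The carving side has its own failure mode, visible in the code: it pairs a header with the next footer in range, so a fragmented file, or a file whose payload happens to contain an FF D9 sequence, is carved wrongly, which is why both approaches are worth running.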
