LINUX FORENSICS – MAGICAL MYSTERY TOUR · 2020. 8. 20. · Hal Pomeranz

Page 1: LINUX FORENSICS – MAGICAL MYSTERY TOUR
Hal Pomeranz
Page 2: WHO IS HAL POMERANZ?
Started as a Unix Sys Admin in the 1980s
Independent consultant since 1997
Digital forensics, incident response, expert witness
Have done some interesting Linux/Unix investigations
[email protected]
@hal_pomeranz
Page 3: LET’S TALK ABOUT EXT
Ext4 is the modern incarnation of a very old file system
Much of what you will see is inherited from 4.2 BSD’s FFS
When the old and new worlds mix is when things get fun!
Page 4: HAVING ATIMES
Strict atime updates:
  Useful for DFIR
  Inefficient for file systems
Many file systems no longer update atime
Linux is weird…
Page 5: RELATIVE ATIMES
Update atime on read if:
1. atime is more than 24 hours old *OR*
2. atime is earlier than mtime or ctime
Result: atime now tends to indicate first use rather than last
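The relatime rule on this slide is easy to state but its consequence (atime records the first read after a write, not the last) is easier to see by replaying a sequence of reads. The Python below is an added example, not part of the deck: it encodes the two update conditions and replays a constructed day of reads against a file written at 09:00. The function names, the timestamps and the read schedule are mine; the comparison uses "at or before" for the mtime/ctime test, matching the kernel's relatime_need_update(), which also treats an atime equal to mtime or ctime as stale.

```python
from datetime import datetime, timedelta

RELATIME_WINDOW = timedelta(hours=24)


def relatime_update(atime, mtime, ctime, now):
    """True when a read under relatime rewrites atime.

    Rule 1: the stored atime is 24 hours or more in the past.
    Rule 2: the stored atime is at or before mtime or ctime (file changed since last recorded read).
    """
    return now - atime >= RELATIME_WINDOW or atime <= mtime or atime <= ctime


def replay_reads(mtime, ctime, atime, reads):
    """Apply each read in time order; return (read_time, atime_after_that_read) pairs."""
    history = []
    for when in sorted(reads):
        if relatime_update(atime, mtime, ctime, when):
            atime = when
        history.append((when, atime))
    return history


# Constructed scenario (hypothetical): file written at 09:00 on 2020-08-20, so
# mtime == ctime == atime == T0, then read five times over the following day.
T0 = datetime(2020, 8, 20, 9, 0)
SAMPLE_READS = [
    T0 + timedelta(hours=1),                 # first read after the write
    T0 + timedelta(hours=2),
    T0 + timedelta(hours=3),
    T0 + timedelta(hours=23),                # still inside the 24h window
    T0 + timedelta(hours=25, minutes=30),    # window expired: atime is refreshed
]


def sample_history():
    return replay_reads(mtime=T0, ctime=T0, atime=T0, reads=SAMPLE_READS)


if __name__ == "__main__":
    for when, atime in sample_history():
        print(f"read at {when:%Y-%m-%d %H:%M} -> atime on disk {atime:%Y-%m-%d %H:%M}")
```

Only the first read after the write and the read more than 24 hours later change the on-disk atime; the three reads in between leave no trace, which is why an atime later than mtime and ctime should be read as "first use since the last change" rather than "last use".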
Page 6: DIRECTORIES
Ext4 directories are unsorted lists of records:
Inode number (4 bytes)
4-byte aligned entry length (2 bytes)
File name length (1 byte)
File type (1 byte)
File name
Page 7: DELETING A FILE
Directory entry for deleted file unchanged
Previous directory entry “grows” to consume space
Result: See the file name and inode of deleted files!
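The two slides above give the record layout and what unlink leaves behind. The Python below is an added example, not code from the deck: it parses a constructed 64-byte directory block laid out exactly per the slide's fields (a real block is a whole file-system block, typically 4096 bytes), walks the live chain by entry length, and then carves the slack that a grown record now covers, which is where the unlinked name and inode survive. The names "secret.txt" and "notes.txt", the inode numbers and all helper names are constructed for the example.

```python
import struct
from dataclasses import dataclass

# ext4_dir_entry_2 header, little-endian: inode (u32), rec_len (u16), name_len (u8), file_type (u8)
DIRENT = struct.Struct("<IHBB")
EXT4_FT_NAMES = {0: "unknown", 1: "regular", 2: "directory", 3: "chardev",
                 4: "blockdev", 5: "fifo", 6: "socket", 7: "symlink"}


@dataclass
class DirEntry:
    offset: int      # byte offset inside the directory block
    inode: int
    rec_len: int
    file_type: int
    name: str
    deleted: bool    # carved from slack, or inode field zeroed (first entry of a block)


def min_rec_len(name_len):
    """Smallest 4-byte-aligned record that can hold a name of name_len bytes."""
    return (DIRENT.size + name_len + 3) & ~3


def _read_name(block, off, name_len):
    return block[off + DIRENT.size:off + DIRENT.size + name_len].decode("utf-8", "replace")


def _carve_slack(block, start, end):
    """Scan the bytes a grown rec_len covers for records that look like old directory entries."""
    found, off = [], start
    while off + DIRENT.size <= end:
        inode, rec_len, name_len, ftype = DIRENT.unpack_from(block, off)
        name_end = off + DIRENT.size + name_len
        plausible = (inode != 0 and name_len > 0 and ftype in EXT4_FT_NAMES
                     and rec_len % 4 == 0 and rec_len >= min_rec_len(name_len)
                     and name_end <= end
                     and b"\x00" not in block[off + DIRENT.size:name_end])
        if plausible:
            found.append(DirEntry(off, inode, rec_len, ftype, _read_name(block, off, name_len), True))
            off += min_rec_len(name_len)   # stale rec_len may itself span more slack; step by the name
        else:
            off += 4                       # records are 4-byte aligned, so probe every 4 bytes
    return found


def parse_directory_block(block):
    """Walk the live rec_len chain and carve each record's slack for unlinked entries."""
    entries, off = [], 0
    while off + DIRENT.size <= len(block):
        inode, rec_len, name_len, ftype = DIRENT.unpack_from(block, off)
        if rec_len < DIRENT.size or rec_len % 4 or off + rec_len > len(block):
            break                          # broken chain: stop rather than read past the block
        # inode 0 with a name: first-entry deletion (ext4 zeroes the inode field instead of growing
        # a predecessor); inode 0 with no name: empty slot or metadata_csum tail, not reported
        if inode != 0 or name_len > 0:
            entries.append(DirEntry(off, inode, rec_len, ftype, _read_name(block, off, name_len), inode == 0))
        entries.extend(_carve_slack(block, off + min_rec_len(name_len), off + rec_len))
        off += rec_len
    return entries


def deleted_names(block):
    """(name, inode) pairs for records no longer reachable through the rec_len chain."""
    return [(e.name, e.inode) for e in parse_directory_block(block) if e.deleted]


def _record(inode, name, file_type, rec_len):
    raw = name.encode()
    return (DIRENT.pack(inode, rec_len, len(raw), file_type) + raw).ljust(rec_len, b"\x00")


# Constructed 64-byte block: ".", "..", "secret.txt" (inode 13), "notes.txt" (inode 14), all live.
_live = (_record(2, ".", 2, 12) + _record(2, "..", 2, 12)
         + _record(13, "secret.txt", 1, 20) + _record(14, "notes.txt", 1, 20))
# Simulate unlink("secret.txt") the way the slide describes: the preceding record ("..") grows its
# rec_len from 12 to 12 + 20 = 32 and the removed record's bytes are left untouched.
_blk = bytearray(_live)
struct.pack_into("<H", _blk, 12 + 4, 32)
SAMPLE_BLOCK = bytes(_blk)


if __name__ == "__main__":
    for e in parse_directory_block(SAMPLE_BLOCK):
        tag = "DELETED" if e.deleted else "live"
        print(f"{e.offset:4d} {tag:7s} inode={e.inode:<4d} {EXT4_FT_NAMES[e.file_type]:9s} {e.name}")
```

Running it lists ".", ".." and "notes.txt" as live and reports "secret.txt" with inode 13 at offset 24, inside the 32-byte span that ".." now claims. The plausibility checks in the carver are deliberately strict (aligned length, valid type byte, no NUL inside the name) so that padding bytes in real blocks are not reported as names.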
Page 8: THE BAD NEWS
Extent data is zeroed when files are deleted in Ext4
Knowing the inode of the deleted file doesn’t help!
Or does it..?
Page 9: BLOCK GROUPS
Blocks are organized into Block Groups of 32K blocks
Each block group contains inodes and data blocks
Block and inode allocation bitmaps each occupy 1 block
May also contain backup superblock, etc
Block group layout: Superblock (optional) | Group Desc Table (size varies) | Block/Inode Bitmaps | Inodes (512 blocks) | Data Blocks (remainder)
Page 10: ALLOCATION STRATEGY
New directories are created in the least used block group
New files are added to same block group as directory
Page 11: DELETED DATA
1. Use directory entry to determine inode of deleted file
2. Determine block group number from inode number
3. Search the block group’s unallocated blocks for deleted data
4. Profit?
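Steps 2 and 3 of this procedure, as an added example that is not code from the deck. The Python reads the superblock fields that map an inode number to its block group (the offsets 0x14, 0x18, 0x20, 0x28 and 0x38 are the standard ext2/3/4 ones), computes the group's block range, lists the blocks whose bit is clear in that group's block bitmap, and searches those blocks for a byte string. Assumptions: the block bitmap is passed in directly instead of being located through the group descriptor table; the image is a constructed 8-block, 1 KiB-block-size fragment holding only group 0; the marker string and inode numbers are made up; step 1 is the directory-entry walk and is not repeated here.

```python
import struct

SB_OFFSET = 1024          # the primary superblock sits 1024 bytes into the device
EXT_MAGIC = 0xEF53


def parse_superblock(dev):
    """Read the superblock fields needed to map an inode number to a block group."""
    sb = dev[SB_OFFSET:SB_OFFSET + 1024]
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:          # s_magic
        raise ValueError("no ext2/3/4 superblock at offset 1024")
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 0x14)   # s_first_data_block, s_log_block_size
    blocks_per_group = struct.unpack_from("<I", sb, 0x20)[0]        # s_blocks_per_group
    inodes_per_group = struct.unpack_from("<I", sb, 0x28)[0]        # s_inodes_per_group
    return {"block_size": 1024 << log_block_size,
            "first_data_block": first_data_block,
            "blocks_per_group": blocks_per_group,
            "inodes_per_group": inodes_per_group}


def block_group_of_inode(inode, inodes_per_group):
    """Inode numbers start at 1, so inodes 1..inodes_per_group belong to group 0."""
    return (inode - 1) // inodes_per_group


def group_block_range(group, blocks_per_group, first_data_block):
    """Half-open [first, last) block numbers owned by a block group."""
    first = first_data_block + group * blocks_per_group
    return first, first + blocks_per_group


def unallocated_blocks(bitmap, group, blocks_per_group, first_data_block):
    """Block numbers whose bit is clear in the group's block bitmap (bit i = i-th block of the group)."""
    first, _ = group_block_range(group, blocks_per_group, first_data_block)
    return [first + i for i in range(blocks_per_group) if not (bitmap[i >> 3] >> (i & 7)) & 1]


def carve_blocks(dev, block_size, blocks, needle):
    """Return the block numbers among `blocks` whose contents contain `needle`."""
    hits = []
    for b in blocks:
        chunk = dev[b * block_size:(b + 1) * block_size]
        if not chunk:
            break                         # ran past the end of the (constructed) image
        if needle in chunk:
            hits.append(b)
    return hits


def find_deleted_data(dev, bitmap, inode, needle):
    """Slide steps 2 and 3: inode -> block group -> search that group's free blocks for the needle."""
    sb = parse_superblock(dev)
    group = block_group_of_inode(inode, sb["inodes_per_group"])
    free = unallocated_blocks(bitmap, group, sb["blocks_per_group"], sb["first_data_block"])
    return group, carve_blocks(dev, sb["block_size"], free, needle)


# --- constructed sample image: 1 KiB blocks, 8 blocks in total, only group 0 present ---
_BS = 1024
_img = bytearray(_BS * 8)
struct.pack_into("<II", _img, SB_OFFSET + 0x14, 1, 0)      # first data block 1, log_block_size 0 (1 KiB)
struct.pack_into("<I", _img, SB_OFFSET + 0x20, 8192)       # blocks per group = 8 * block size (one bitmap block)
struct.pack_into("<I", _img, SB_OFFSET + 0x28, 2048)       # inodes per group
struct.pack_into("<H", _img, SB_OFFSET + 0x38, EXT_MAGIC)
# Remnant of an unlinked file left in block 6, which the bitmap below marks free.
_marker = b"-----BEGIN SECRET-----"
_img[6 * _BS:6 * _BS + len(_marker)] = _marker
SAMPLE_IMAGE = bytes(_img)
# Group 0's block bitmap (constructed): blocks 1..5 allocated to metadata, everything after free.
_bm = bytearray(8192 // 8)
_bm[0] = 0b00011111
SAMPLE_BITMAP = bytes(_bm)


if __name__ == "__main__":
    group, hits = find_deleted_data(SAMPLE_IMAGE, SAMPLE_BITMAP, 13, b"BEGIN SECRET")
    print(f"inode 13 lives in block group {group}; marker found in free block(s) {hits}")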