
Labo 2 – Semi-automated analysis of file systems



  1. Labo 2 – Semi-automated analysis of file systems OPERATING SYSTEMS Frans Sanen

  2. Goals & Tools
  • Use tools that can analyze several file systems, in order to understand how those file systems work
  • The Sleuth Kit (TSK)
  • http://www.sleuthkit.org

  3. fls
  • Lists the directory entries of a file system, e.g. fls -f fat fat12.img
  • A meta-data address (inode number) can be passed as an extra argument to list that directory instead of the root
  • Option -r lists the contents recursively
  • Option -l gives further information such as the timestamps and the file size

  4. icat
  • Outputs the contents of a file, addressed by its meta-data address (inode number), e.g. icat -f fat fat12.img 229 > /tmp/vbje.jpg
  • The output is raw binary, so use the shell's redirection to save it to a file
  • Pipes can be used as well (e.g. into file - to identify the type)
  • Option -r tries to recover a deleted file by following its (possibly reallocated) cluster chain
  • Option -s also outputs the slack space, i.e. the unused remainder of the file's last block, so leftover data hidden there becomes visible

  5. istat
  • Displays the meta-data of a particular inode (on FAT: the directory entry), including the list of sectors allocated to it, e.g. istat -f fat fat12.img 229

  6. ifind & ffind
  • ifind finds the meta-data structure (inode) to which a given data unit is allocated: on FAT the sector is mapped to its cluster, and the cluster to the directory entry that owns it, e.g. ifind -f fat -d 147 fat12.img
  • ffind searches for the file name(s) that point to a given meta-data address, e.g. ffind -f fat -d fat12.img 229
  • Note that -d restricts ffind to deleted directory entries; leave it out to find allocated names as well

  7. Exercise
  • Use the image practical.floppy.dd and
  • Verify the MD5 sum: 2f4791784e2af37cf196e6a72cc79d99
  • Create a list of all files (only files!) on the file system
  • Which sectors are occupied by the file matrixs3.jpg?
  • In fat12.img, a secret message is hidden
  • What is it and where is it hidden? Tip: it contains the word "plezier".
  • How can you display it using TSK?
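The sector list that istat prints for matrixs3.jpg and the answer ifind -d gives for one of those sectors are two directions of the same FAT12 computation. The following Python is an added worked example, not code from the lab or from TSK: the FAT is constructed here, and the geometry constants are the BPB values of a standard 1.44 MB floppy, an assumption rather than values read from practical.floppy.dd or fat12.img.

```python
"""Walk a FAT12 cluster chain and translate it to the sectors a file occupies.

Added example (not from the lab or from TSK). The FAT is constructed below;
the geometry constants are a standard 1.44 MB floppy's BPB values and are an
assumption, not values read from practical.floppy.dd or fat12.img.
"""

BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 1
RESERVED_SECTORS = 1       # boot sector
NUM_FATS = 2
SECTORS_PER_FAT = 9
ROOT_ENTRIES = 224         # 32-byte root directory entries
EOC_MIN = 0xFF8            # FAT12 end-of-chain markers are 0xFF8..0xFFF


def first_data_sector() -> int:
    """Sector where cluster 2 starts: boot sector + both FATs + root directory."""
    root_dir_sectors = (ROOT_ENTRIES * 32 + BYTES_PER_SECTOR - 1) // BYTES_PER_SECTOR
    return RESERVED_SECTORS + NUM_FATS * SECTORS_PER_FAT + root_dir_sectors


def fat12_entry(fat: bytes, cluster: int) -> int:
    """Read the 12-bit entry for `cluster`; entries are packed 1.5 bytes apart."""
    off = cluster + cluster // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if cluster & 1 else val & 0x0FFF


def set_fat12_entry(fat: bytearray, cluster: int, value: int) -> None:
    """Write a 12-bit entry without disturbing the neighbouring entry's nibble."""
    off = cluster + cluster // 2
    if cluster & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def cluster_chain(fat: bytes, start: int) -> list:
    """Follow the chain from `start` to an end-of-chain marker.

    A cluster seen twice means a corrupted (or deliberately crafted) loop:
    stop with an error instead of spinning forever."""
    chain, cur = [], start
    while 2 <= cur < EOC_MIN:
        if cur in chain:
            raise ValueError(f"FAT chain loops back to cluster {cur}")
        chain.append(cur)
        cur = fat12_entry(fat, cur)
    return chain


def cluster_to_sectors(cluster: int) -> list:
    """Absolute sectors backing one cluster (cluster numbering starts at 2)."""
    base = first_data_sector() + (cluster - 2) * SECTORS_PER_CLUSTER
    return list(range(base, base + SECTORS_PER_CLUSTER))


def file_sectors(fat: bytes, start_cluster: int) -> list:
    """What istat prints as the sector list, given the directory entry's first cluster."""
    return [s for c in cluster_chain(fat, start_cluster) for s in cluster_to_sectors(c)]


def sector_to_cluster(sector: int):
    """The first step behind ifind -d: which cluster holds this data-area sector?

    Returns None for sectors outside the data area (boot sector, FATs, root dir)."""
    fds = first_data_sector()
    if sector < fds:
        return None
    return 2 + (sector - fds) // SECTORS_PER_CLUSTER


def build_sample_fat() -> bytes:
    """Constructed FAT: file A is fragmented over clusters 3 -> 4 -> 7, file B is 5 -> 6."""
    fat = bytearray(SECTORS_PER_FAT * BYTES_PER_SECTOR)
    set_fat12_entry(fat, 0, 0xFF0)   # media descriptor entry
    set_fat12_entry(fat, 1, 0xFFF)
    set_fat12_entry(fat, 3, 4)
    set_fat12_entry(fat, 4, 7)
    set_fat12_entry(fat, 7, 0xFFF)
    set_fat12_entry(fat, 5, 6)
    set_fat12_entry(fat, 6, 0xFFF)
    return bytes(fat)


if __name__ == "__main__":
    fat = build_sample_fat()
    print("data area starts at sector", first_data_sector())
    print("file A occupies sectors", file_sectors(fat, 3))
    print("sector 38 belongs to cluster", sector_to_cluster(38))
```

With these constants the data area starts at sector 33, so the fragmented file A lands on sectors 34, 35 and 38; asking which cluster owns sector 38 gives cluster 7, which is the part ifind then has to match against every directory entry's chain. The loop check matters on real evidence: a FAT on a damaged or hostile image can point a chain back at itself.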

  8. sorter
  • Sorts the files in a file system by category, with the type determined from the file contents (magic bytes), not from the extension
  • Perl script built on the fls and icat tools, e.g. sorter -f fat -d tmp/sorter/ fat12.img and then cat tmp/sorter/unknown.txt
  • One text file per recognized category is created
  • Option -s additionally creates a directory next to each text file into which the categorized files are copied

  9. Exercise
  • In the example in the task description, sorter reports an extension mismatch: explain briefly.
  • Use sorter to export all files from the image practical.floppy.dd.
  • Extra: use sorter to export only the pictures from the same image, but without the extension mismatch check.

  10. autopsy
  • Simple web interface built upon the TSK tools
  • Normally not included in Knoppix:
  • apt-get update
  • apt-get install foremost autopsy
  • The server is started with the command 'autopsy'
  • Browse to http://localhost:9999/autopsy

  11. sigfind & foremost
  • sigfind searches a raw image for a hexadecimal byte pattern at a fixed offset within each block (examples are included in the task description)
  • Comparable to grep, but for hex signatures instead of ASCII patterns
  • foremost carves files out of raw data by their header and footer signatures, for file types like jpg, gif, pdf, doc, etc.
  • E.g. foremost -t jpg -o tmp/jpgs fat12.img

  12. Exercise
  • Suppose you are looking for jpg files. Why should you use both a tool like sorter and a tool like foremost?
  • Describe a situation in which sorter skips or does not correctly find a certain jpg, even though the jpg physically exists on disk.
  • Validate your thoughts on image 8 from http://dftt.sourceforge.net
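The sorter-versus-foremost questions of slides 9 and 12 come down to what each tool reads: sorter walks the directory entries and types each allocated file by its magic bytes, foremost ignores the file system and scans raw sectors for signatures. The following Python models both passes side by side. It is an added example, not code from the lab, sorter or foremost: the image, its directory table (a plain dict of name -> (sector list, size) standing in for FAT directory entries) and the files in it are all constructed here.

```python
"""Why a file-system-aware tool (sorter via fls/icat) and a carver (foremost)
give different answers on the same bytes.

Added example, not part of the lab. The image is a bytearray constructed
below, not fat12.img, and `directory` is a simplified stand-in for FAT
directory entries.
"""

SECTOR = 512

# (header, footer) per type: a carver needs both, a sorter-style check only the header.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF8", b"\x00;"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def identify(data: bytes) -> str:
    """Type a file by its magic bytes, the way sorter does via the magic database."""
    for kind, (head, _) in SIGNATURES.items():
        if data.startswith(head):
            return kind
    return "unknown"


def read_file(image: bytes, directory: dict, name: str) -> bytes:
    """Follow the file's sector list the way icat follows its cluster chain."""
    sectors, size = directory[name]
    data = b"".join(image[s * SECTOR:(s + 1) * SECTOR] for s in sectors)
    return data[:size]


def extension_mismatches(image: bytes, directory: dict) -> list:
    """sorter-style pass over *allocated* files: content type versus extension."""
    report = []
    for name in directory:
        actual = identify(read_file(image, directory, name))
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if actual != "unknown" and actual != ext:
            report.append((name, ext, actual))
    return report


def carve(image: bytes, kind: str, max_size: int = 64 * 1024) -> list:
    """foremost-style pass: ignore the file system, look for the header at every
    sector boundary and cut at the first footer that follows (or at max_size)."""
    head, foot = SIGNATURES[kind]
    hits = []
    for off in range(0, len(image), SECTOR):
        if image[off:off + len(head)] != head:
            continue
        end = image.find(foot, off + len(head), off + max_size)
        end = end + len(foot) if end != -1 else min(off + max_size, len(image))
        hits.append((off, bytes(image[off:end])))
    return hits


def build_sample_image():
    """Constructed 16-sector image holding three JPEGs in different situations."""
    image = bytearray(16 * SECTOR)

    def put(sector, data):
        image[sector * SECTOR:sector * SECTOR + len(data)] = data

    def jpeg(payload):
        return b"\xff\xd8\xff\xe0" + payload + b"\xff\xd9"

    holiday = jpeg(bytes(range(256)) * 3)   # 774 bytes, stored fragmented in sectors 3 and 7
    readme = b"plain text, not a picture\n"  # sits between the two fragments
    photo = jpeg(b"\x00" * 60)              # allocated, but under a misleading name
    lost = jpeg(b"\x11" * 100)              # deleted: bytes remain, directory entry gone
    put(3, holiday[:SECTOR])
    put(4, readme)
    put(5, photo)
    put(7, holiday[SECTOR:])
    put(9, lost)
    directory = {
        "holiday.jpg": ([3, 7], len(holiday)),
        "readme.txt": ([4], len(readme)),
        "photo.txt": ([5], len(photo)),
    }
    originals = {"holiday": holiday, "photo": photo, "lost": lost}
    return bytes(image), directory, originals


if __name__ == "__main__":
    image, directory, originals = build_sample_image()
    print("extension mismatches:", extension_mismatches(image, directory))
    for off, data in carve(image, "jpg"):
        print(f"carved jpg at sector {off // SECTOR}: {len(data)} bytes")
```

Run on the constructed image, the directory walk flags photo.txt as a jpg (the slide 9 mismatch) and reconstructs holiday.jpg correctly from its two fragments, but never sees the deleted file at sector 9 because nothing points at it any more. The carver finds the deleted file intact, yet for the fragmented holiday.jpg it starts at sector 3 and cuts at the first footer it meets, which belongs to the unrelated JPEG in sector 5, so the carved copy is wrong. That is the reason to run both: the file-system view is complete only for files the directory still references, and the raw view is correct only for files stored contiguously.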
