CS 447/557 Computer Forensics

CSCS496
Computer Forensics
Lecture 9
Introducing Unix for Forensics
Winter 2010
1
Introduction
• Unix/Linux systems are different from Windows
• Non-proprietary
– Open source code available to all
• Good guys and less good guys
• All have access and develop tools
• Unix/Linux has many variations
• Sun Solaris, AIX, HP-UX, Linux (more all the time),
OpenBSD, FreeBSD plus others
2
Introduction
• Most e-commerce Web sites and corporate
financial DBs run on Unix or Linux systems
• Most Unix distributions have their own
system utilities
– Need to know which ones are good for
forensics analysis
• Unix/Linux file systems are substantially
different than Windows
– Look at these file systems today
3
Unix File Concept
• To UNIX, everything is a file.
– Write to hard disk, you write to a file.
– Read from keyboard is to read from a file.
– Store backups on a tape device is to write to a file.
– Even reading from memory (e.g. /dev/mem) is reading from a file
• If the file you are trying to read or write is a "normal" file
– The process is easy to understand: the file is opened and you read or
write data
• If the device you want to access is a special device file
– The kernel hands the read or write to the device driver, which has
work to do before the operation can begin
4
File Types in Unix
• Five types of files are supported
– Talk about four of them
– Simple file
– Directory
– Symbolic, soft link
– Special file
– Named pipe (FIFO) (won’t discuss this type)
5
File Types in Unix
• Simple file
– Used to store information and data on
secondary storage device, disk
– Contains source code, executable programs,
pictures, video and audio streams
– Unix doesn't impose a naming convention like
Windows: the extension is a convention for people, not the kernel, so
forensic tools identify file types by content (magic bytes), not by name
– Traditional extensions recognized by Unix users
• .c, .txt, .ps, .html, .gif and .jpg
6
File Types in Unix
• Directory
– Contains names of other files or directories
– Each entry pairs a name with an inode number
• The inode (index node) is allocated to a file when
it is created
• The inode number is the kernel's index into the file
system's inode table, which tracks every file in that file system
• The inode, not the directory entry, holds the other information about the file
– Dates, size and ownership
7
File Types in Unix
• Link file
– A link lets one file appear in two directories (or under two
names) without duplicating its data
– Either a hard link or a symbolic link to an existing file; only the
symbolic link is a distinct file type of its own
– More on next slide ...
• Special file (Device)
– Special files give access to the hardware devices:
printer, CD and DVD drives, hard disk etc.
– Found in the /dev directory
– More on this later ...
8
Link File Type
• Most UNIX file systems, including ext2 (and now ext3, ext4), support a
file type known as a link
• There are two types of links: hard links and soft (symbolic) links
• Links allow files to appear in more than one directory
– A hard link cannot span file systems; it is an additional directory entry
referencing an inode stored in that file system
– Deleting the "original" name does not remove the file until the last hard
link has been removed as well (link count = zero)
– A symbolic link is a special type of file that only stores the path to the
"original" file, and it can span file systems. Deleting a symbolic link will
not delete the "original" file, and deleting the original file will not
remove the link, but leaves it unresolved (dangling)
-rw-r--r-- 2 awilliam users 0 Oct 12 22:29 original
-rw-r--r-- 2 awilliam users 0 Oct 12 22:29 original.hardlink
lrwxrwxrwx 1 awilliam users 8 Oct 12 22:29 original.symlink -> original
• Note the link count of 2 on both hard-linked names, and the size of 8
bytes on the symlink: the length of the string "original" it stores
9
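The behaviour summarised on the slide, reproduced on a scratch directory. This is an added example written for this lecture, not code from the slides: it creates `original`, a hard link and a symlink to it in a temporary directory, then deletes the original and inspects what survives with `os.stat`/`os.lstat`, the same inode fields that `ls -l` and `stat` print.

```python
"""Hard link vs. symbolic link, observed through the inode fields.

Added example for this lecture (not from the slides). Everything happens in
a fresh temporary directory created by tempfile, so it can run anywhere.
"""
import os
import tempfile


def link_experiment() -> dict:
    """Create 'original', a hard link and a symlink, delete the original name,
    and report what each remaining name still resolves to."""
    root = tempfile.mkdtemp(prefix="linkdemo-")
    original = os.path.join(root, "original")
    hard = os.path.join(root, "original.hardlink")
    sym = os.path.join(root, "original.symlink")

    with open(original, "w") as fh:
        fh.write("evidence\n")

    os.link(original, hard)        # second directory entry, same inode
    os.symlink("original", sym)    # new inode whose data is the path string

    st_orig = os.stat(original)
    st_hard = os.stat(hard)
    st_sym_target = os.stat(sym)   # follows the link: reaches original's inode
    st_sym_self = os.lstat(sym)    # the link file itself

    result = {
        "same_inode": st_orig.st_ino == st_hard.st_ino,
        "link_count_before": st_orig.st_nlink,
        "symlink_is_separate_inode": st_sym_self.st_ino != st_orig.st_ino,
        "symlink_size": st_sym_self.st_size,      # length of "original" on Linux
        "stat_through_symlink_reaches_original":
            st_sym_target.st_ino == st_orig.st_ino,
    }

    os.unlink(original)  # removes only the name "original"

    # The inode and its data live on while any hard link references it.
    with open(hard) as fh:
        result["data_via_hardlink"] = fh.read()
    result["link_count_after"] = os.stat(hard).st_nlink

    # The symlink still exists as a file, but its target no longer resolves.
    result["symlink_still_listed"] = os.path.lexists(sym)
    result["symlink_resolves"] = os.path.exists(sym)
    result["symlink_target"] = os.readlink(sym)

    os.unlink(hard)
    os.unlink(sym)
    os.rmdir(root)
    return result


if __name__ == "__main__":
    for key, value in link_experiment().items():
        print(f"{key:42} {value!r}")
```

Forensically, the two observations that matter are the link count (a file with `st_nlink` 2 has another name somewhere on the same file system, which a wipe of the "original" did not touch) and the dangling symlink, which still records the path of the file that was removed.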
Unix File Systems
• At the start of each file system
– Is the superblock
– Describes and maintains state for the file system
• Every object that is managed within a file system is
represented in Linux as an inode
• Inode structures
– Every file in a Unix file system is accessed through an
inode structure (short for index node)
– Indexes the file's location on disk
– Contains information about the file's owner, permissions,
access times, file size and pointers to data blocks
– Does not contain the file name; names live only in directory entries
10
Inode example – passwd file
root directory (inode 2)       /etc directory (inode 229377)    inode 229505 (passwd)
  163841: var                    passwd: 229505                   owner/group ID
  212993: tmp                    group:  229509                   permissions
  229377: etc  ------------->    fstab:  229747  ------------->   file type
                                                                  time stamps
                                                                  reference count
                                                                  file size in bytes
                                                                  data block #'s --> data blocks
11
Inode Structure for a file
• The ext2 inode holds fifteen block pointers
– The first twelve are direct pointers to the physical blocks containing
the data described by this inode
– The last three contain more and more levels of indirection:
single-, double- and triple-indirect
Note: Files less than or equal to twelve data blocks in length are
accessed more quickly than larger files, because no indirect block
has to be read first
12
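The arithmetic behind the fifteen pointers, as an added worked example (not from the slides): how many data blocks each level can address for a given block size, the file-size ceiling that follows from it, and which pointer chain a given logical block of a file hangs off. A forensic tool that walks a raw inode needs exactly this mapping. ext2 block numbers are 32-bit, so a block of pointers holds `block_size / 4` entries; that is the only assumption the code makes.

```python
"""ext2 i_block pointer arithmetic: 12 direct, then single/double/triple indirect.

Added example for this lecture, not code from the slides or from e2fsprogs.
"""

DIRECT_POINTERS = 12
POINTER_SIZE = 4            # ext2 block numbers are 32-bit


def pointers_per_block(block_size: int) -> int:
    return block_size // POINTER_SIZE


def blocks_per_level(block_size: int) -> dict:
    """Data blocks reachable through each of the four pointer levels."""
    p = pointers_per_block(block_size)
    return {"direct": DIRECT_POINTERS, "single": p, "double": p * p, "triple": p ** 3}


def addressable_blocks(block_size: int) -> int:
    return sum(blocks_per_level(block_size).values())


def max_file_size(block_size: int) -> int:
    """Ceiling imposed by the pointer layout alone. (ext2 has other limits,
    e.g. the 32-bit sector counter i_blocks, which are not modelled here.)"""
    return addressable_blocks(block_size) * block_size


def locate_block(logical_block: int, block_size: int) -> tuple:
    """Map a file's logical block number to (level, index path).

    The index path is the slot taken at each step: first the i_block slot
    (0-11 direct, 12 single, 13 double, 14 triple), then the slot inside
    each indirect block that has to be read on the way to the data.
    """
    p = pointers_per_block(block_size)
    n = logical_block
    if n < DIRECT_POINTERS:
        return ("direct", (n,))
    n -= DIRECT_POINTERS
    if n < p:
        return ("single", (12, n))
    n -= p
    if n < p * p:
        return ("double", (13, n // p, n % p))
    n -= p * p
    if n < p ** 3:
        return ("triple", (14, n // (p * p), (n // p) % p, n % p))
    raise ValueError("logical block beyond what this inode layout can address")


if __name__ == "__main__":
    for bs in (1024, 2048, 4096):
        print(bs, blocks_per_level(bs), "max file size", max_file_size(bs))
    print(locate_block(11, 1024), locate_block(12, 1024), locate_block(268, 1024))
```

With 1 KiB blocks the ceiling works out to just over 16 GiB, which is the well-known ext2 file-size limit for that block size; a file of 12 blocks or fewer needs no indirect block read, which is the speed difference the slide refers to.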
Accessing the /etc/passwd file
• First, read the superblock and group descriptors of the file system
– They locate the inode table; the root directory is always
inode 2 in ext2
– Then, read the root directory's data blocks to find the entry for the etc
directory,
• inode = 229377
– Read that directory's data blocks until the entry for passwd is found
• Access inode = 229505
• Read the data blocks associated with passwd
13
Inode Information
• stat /etc/passwd
File: /etc/passwd
Size: 614 Filetype: Regular File
Mode: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,5 Inode: 229505 Links: 1
Access: Sat Apr 22 21:04:39 2004   Last read access (atime)
Modify: Thu Apr 20 21:31:52 2004   Last modification of file contents (mtime)
Change: Thu Apr 20 21:31:52 2004   Last change of the inode (ctime): a content
modification, or a change to owner, permissions
or number of links
14
Inode information
• Linux maintains date and time stamps in the file's
inode structure
– Access (atime), modification (mtime) and change (ctime) times;
ext2/ext3 inodes store no creation time (ext4 adds one)
– Updated as changes are made to files
– As in Windows, important for evidence
– atime and mtime can be set from user space (touch, utime()); ctime
is written only by the kernel, so it cannot be backdated without
editing the raw disk or the system clock
– Permissions on files are important too
• Get inode information other than with stat
– ls -i gives the inode number
– ls -F identifies the file type
– ls -l gives long information: ownership, size, permissions
15
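The evidentiary point about the three timestamps, shown on a scratch file. This is an added example written for this lecture, not code from the slides: it backdates atime and mtime with `utime()` the way a timestomping tool would, then changes only the permissions, and reads the inode back each time. The 2004 timestamp is a constructed value chosen to match the `stat` output on the slide.

```python
"""atime/mtime are user-settable, ctime is not: the inconsistency is evidence.

Added example for this lecture (not from the slides). Runs in a temporary
directory; the backdated timestamp is a constructed sample value.
"""
import os
import stat
import tempfile

BACKDATED = 1082496712   # 2004-04-20 21:31:52 UTC, as on the slide's stat output


def inode_report(path: str) -> dict:
    """The fields stat(1) prints: inode, link count, mode, type, three times."""
    st = os.lstat(path)
    return {
        "inode": st.st_ino,
        "links": st.st_nlink,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "type": stat.filemode(st.st_mode)[0],   # '-', 'd', 'l', 'b', 'c', 'p' ...
        "atime": st.st_atime,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
    }


def timestomp_experiment() -> dict:
    root = tempfile.mkdtemp(prefix="tsdemo-")
    path = os.path.join(root, "passwd")
    with open(path, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")

    # 1. Backdate atime and mtime with utime(); any owner can do this.
    os.utime(path, (BACKDATED, BACKDATED))
    after_utime = inode_report(path)

    # 2. Touch only metadata. mtime must stay in 2004; the kernel stamps
    #    ctime with the current time and offers no call to set it directly.
    os.chmod(path, 0o600)
    after_chmod = inode_report(path)

    os.unlink(path)
    os.rmdir(root)
    return {
        "type": after_chmod["type"],
        "mode_after_chmod": after_chmod["mode"],
        "mtime_backdated": int(after_utime["mtime"]) == BACKDATED,
        "atime_backdated": int(after_utime["atime"]) == BACKDATED,
        "ctime_not_backdated": after_utime["ctime"] > BACKDATED,
        "chmod_kept_mtime": after_chmod["mtime"] == after_utime["mtime"],
        "chmod_bumped_ctime": after_chmod["ctime"] >= after_utime["ctime"],
        # A ctime years after the mtime on a "2004" file is the tell-tale.
        "ctime_minus_mtime_seconds": int(after_chmod["ctime"] - after_chmod["mtime"]),
    }


if __name__ == "__main__":
    for key, value in timestomp_experiment().items():
        print(f"{key:28} {value!r}")
```

In an examination, a ctime that post-dates the mtime by years on a file that "has not changed since 2004" is the signal to look for; `stat` shows all three, `ls -l` shows only mtime.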
File Permissions
• chmod
– Changes file permissions
• Three classes: user, group, other
• Read, write, execute, set separately for user, group and all others
• Uses octal digits; the values accumulate for each permission
• Execute – x = 1
• Write – w = 2
• Read – r = 4
• Example: to give read, write, execute permission to user, but
only read, execute to group and all others
$ chmod 755 sortit
$ ls -l sortit
-rwxr-xr-x 1 ctaylor faculty 0 Apr 24 01:47 sortit
• Added 1+2+4 = 7 for user and 1+4 = 5 for group and others
16
File Permissions
• chmod, second way
• Can also use the symbolic (character based) form to change the
file
• You are changing permissions for:
– User u
– Group g
– Others o
Example:
chmod ugo+rw .login
– Adding +
– Removing -
– Read r
– Write w
– Execute x
17
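Both chmod forms from the two slides above, implemented as an added example (not code from the slides): the octal arithmetic of r=4, w=2, x=1 per class, the reverse conversion back to the `ls -l` column, and a parser for symbolic clauses such as `ugo+rw` or `g-w,o=r`. Two deliberate simplifications, stated here so nobody mistakes them for chmod's real rules: setuid, setgid and sticky bits are ignored, and a clause with no class letters (`+x`) is treated as `a` without applying the umask, which real chmod does.

```python
"""Permission bits the two ways chmod(1) accepts them: octal and symbolic.

Added example for this lecture, not code from the slides. setuid/setgid/
sticky are left out; an empty class list is treated as 'a' (real chmod
also honours the umask in that case).
"""
import re

BITS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}
_CLAUSE = re.compile(r"([ugoa]*)([+=-])([rwx]*)")
_PERM_STRING = re.compile(r"(?:[r-][w-][x-]){3}")


def octal_from_string(perm: str) -> int:
    """'rwxr-xr-x' -> 0o755: the ls -l column as chmod's number."""
    if not _PERM_STRING.fullmatch(perm):
        raise ValueError(f"bad permission string {perm!r}")
    mode = 0
    for cls, chunk in zip("ugo", (perm[0:3], perm[3:6], perm[6:9])):
        for ch in chunk:
            if ch != "-":
                mode |= BITS[ch] << SHIFT[cls]
    return mode


def string_from_octal(mode: int) -> str:
    """0o755 -> 'rwxr-xr-x'."""
    out = []
    for cls in "ugo":
        triple = (mode >> SHIFT[cls]) & 7
        out.append("".join(ch if triple & BITS[ch] else "-" for ch in "rwx"))
    return "".join(out)


def apply_symbolic(spec: str, mode: int) -> int:
    """Apply a symbolic spec ('ugo+rw', 'g-w,o=r', 'a=rx') to mode."""
    for clause in spec.split(","):
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"bad chmod clause {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if (who == "" or "a" in who) else who
        bits = sum(BITS[p] for p in perms)
        for cls in classes:
            shift = SHIFT[cls]
            if op == "+":
                mode |= bits << shift
            elif op == "-":
                mode &= ~(bits << shift)
            else:                          # '=' replaces the whole triple
                mode = (mode & ~(7 << shift)) | (bits << shift)
    return mode & 0o777


if __name__ == "__main__":
    sortit = octal_from_string("rwxr-xr-x")
    print(oct(sortit), string_from_octal(sortit))          # the chmod 755 sortit example
    login = apply_symbolic("ugo+rw", 0o600)
    print(oct(login), string_from_octal(login))             # the chmod ugo+rw .login example
```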
File Systems
• When disks are initialized,
– A partition structure divides physical disk into
a number of logical partitions
– Each partition may hold a single file system,
for example EXT2 file system
– File systems organize files into logical
hierarchical structures with directories held in
blocks on physical devices
– Devices that can contain file systems are
known as block devices
18
Difference Between Devices
• What's the difference between a block and a
character device in Linux?
– Block devices are devices where data moves to and
from them in blocks, and support attributes such
as buffering and random access behavior
• Block devices include hard drives, CD-ROMs, and
RAM disks
– Character devices do not have physically-addressable
media
• Character devices include serial ports and tape
devices, in which data is streamed character by
character
19
File Systems
• Linux's file systems,
– Does not matter if different file systems are on
different physical media controlled by different
hardware controllers
– File system might not even be on the local
system, it could be a disk remotely mounted
over a network link
– User never notices (in theory ...)
20
Ext2 File System
• Second Extended File system was
devised (by Rémy Card)
• Extensible and powerful file system for
Linux
– It is the most successful file system so far in
the Linux community
– Has since been extended by Ext3 and Ext4
http://olstrans.sourceforge.net/release/OLS2000ext3/OLS2000-ext3.html
http://en.wikipedia.org/wiki/Ext3
21
Ext2 File System
• The EXT2 file system can be viewed as occupying a series of blocks in a
block-structured device
22
Ext2 File System
• EXT2 file system divides logical partition
that it occupies into Block Groups
– Each group duplicates information critical to
integrity of file system as well as holding real
files and directories as blocks of information
and data.
– Duplication is necessary should a disaster
occur and the file system need recovering
23
Ext2 Superblock
• Superblock contains a description of the size and
shape of this file system
– Information within it allows the file system
manager to use and maintain the file system
– Usually only the Superblock in Block Group 0 is
read when the file system is mounted
• Yet other Block Groups hold duplicate copies in
case of file system corruption (with the sparse_super feature, which
mke2fs enables by default, only groups 0, 1 and powers of 3, 5 and 7
carry a copy); e2fsck -b repairs from such a backup copy. Amongst other
information it holds ...
24
Ext2 Superblock
• Magic Number
– Allows mounting software to check that this is indeed the
Superblock for an EXT2 file system. Current version of
EXT2 this is 0xEF53, stored little-endian at byte 56 of the superblock,
which itself starts 1024 bytes into the partition
• Block Group Number
– Block Group number that holds this copy of the Superblock
• Block Size
– Size of block for this file system in bytes, for example 1024
bytes
• Blocks per Group
– Number of blocks in a group. Like the block size this is
fixed when the file system is created
25
Ext2 Superblock
• Free Blocks
– Number of free blocks in the file system
• Free Inodes
– Number of free Inodes in the file system
• First Inode
– Inode number of the first inode available for ordinary files
(11 in the original EXT2 revision; lower numbers are reserved)
– The root directory '/' of an EXT2 file system is always inode 2
26
Ext2 Block Descriptor
• Each Block Group has a data structure describing it
which is duplicated in each Block Group in case of file
system corruption
• Each Group Descriptor contains the
following information:
– Blocks Bitmap
• Block number of the block allocation bitmap for this
Block Group.
• Used during block allocation and deallocation,
– Inode Bitmap
• Block number of the inode allocation bitmap for
this Block Group.
• Used during inode allocation and deallocation,
27
Ext2 Block Descriptor
– Each Group Descriptor continued
– Inode Table
• Block number of starting block for inode table for
this Block Group.
• Each inode is represented by the EXT2 inode data
structure described previously
– Free blocks count, Free Inodes count, Used
directory count
28
Ext2 Block Descriptor
• Group descriptors are placed one after another
– Together they make the group descriptor table
– Each Blocks Group contains the entire table of group
descriptors after its copy of the Superblock
– Only first copy (in Block Group 0) is actually used by
the EXT2 file system
– Other copies are there, like the copies of the
Superblock, in case the main copy is corrupted
29
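A parser for the superblock fields listed on the earlier slides and the group descriptor fields listed on the last three, as one added example (not code from the slides or from e2fsprogs). The image it reads is constructed in-line with the on-disk ext2 offsets: 1 KiB blocks, 8192 blocks per group, 24576 blocks in all, so the superblock sits at byte 1024 and the descriptor table occupies block 2. The sample counts (inodes, free blocks and so on) are made-up values.

```python
"""Parse the ext2 superblock and group descriptor table from a raw image.

Added example for this lecture, not lecture or e2fsprogs code. Offsets follow
the on-disk ext2 layout (little-endian). The image is constructed in-line.
"""
import struct

EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024    # bytes 0-1023 are left for boot code
EXT2_ROOT_INO = 2           # '/' is always inode 2
GROUP_DESC_SIZE = 32


def parse_superblock(image: bytes) -> dict:
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04X}, not an ext2/3/4 superblock")
    (inodes, blocks, _resv, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _frags, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    # s_first_ino exists only from revision 1 on; revision 0 fixes it at 11
    first_ino = struct.unpack_from("<I", sb, 84)[0] if rev_level >= 1 else 11
    block_group_nr = struct.unpack_from("<H", sb, 90)[0]
    n_groups = -(-(blocks - first_data_block) // blocks_per_group)   # ceil
    return {
        "magic": magic, "block_size": 1024 << log_block_size,
        "blocks": blocks, "inodes": inodes,
        "free_blocks": free_blocks, "free_inodes": free_inodes,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group, "inodes_per_group": inodes_per_group,
        "first_ino": first_ino, "block_group_nr": block_group_nr,
        "n_groups": n_groups,
    }


def backup_superblock_blocks(sb: dict) -> list:
    """First block of every group, where a superblock copy sits. (With
    sparse_super only groups 0, 1 and powers of 3, 5, 7 hold one; that
    feature flag is not modelled here.)"""
    return [sb["first_data_block"] + g * sb["blocks_per_group"]
            for g in range(sb["n_groups"])]


def parse_group_descriptors(image: bytes, sb: dict) -> list:
    """The descriptor table starts in the block right after the superblock."""
    table = (sb["first_data_block"] + 1) * sb["block_size"]
    descs = []
    for g in range(sb["n_groups"]):
        off = table + g * GROUP_DESC_SIZE
        block_bitmap, inode_bitmap, inode_table = struct.unpack_from("<3I", image, off)
        free_blocks, free_inodes, used_dirs = struct.unpack_from("<3H", image, off + 12)
        descs.append({"group": g, "block_bitmap": block_bitmap,
                      "inode_bitmap": inode_bitmap, "inode_table": inode_table,
                      "free_blocks": free_blocks, "free_inodes": free_inodes,
                      "used_dirs": used_dirs})
    return descs


def build_sample_image() -> bytes:
    """Constructed 3-group image; only the fields read above are filled in."""
    img = bytearray(4096)
    sb = SUPERBLOCK_OFFSET
    struct.pack_into("<7I", img, sb, 6144, 24576, 1228, 20000, 6100, 1, 0)
    struct.pack_into("<3I", img, sb + 32, 8192, 8192, 2048)
    struct.pack_into("<H", img, sb + 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<I", img, sb + 76, 1)     # rev_level 1 (dynamic)
    struct.pack_into("<I", img, sb + 84, 11)    # first non-reserved inode
    struct.pack_into("<H", img, sb + 90, 0)     # this copy lives in group 0
    table = 2 * 1024
    for g in range(3):
        base = 1 + g * 8192      # group start: superblock copy, descriptors, then bitmaps
        struct.pack_into("<3I3H", img, table + g * GROUP_DESC_SIZE,
                         base + 2, base + 3, base + 4, 7000 - g, 2040, 2 if g == 0 else 0)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    sb = parse_superblock(img)
    print("block size", sb["block_size"], "groups", sb["n_groups"])
    print("superblock copies at blocks", backup_superblock_blocks(sb))
    for d in parse_group_descriptors(img, sb):
        print(d)
```

Block 8193 in the output is the number to remember: on a 1 KiB-block file system it is the first backup superblock, which is why `e2fsck -b 8193` is the classic recovery command when group 0 is damaged.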
Disk Partitions
• Windows
– Partitions exist but are rarely exposed to the user
– Typically users use the entire disk as one partition, C:\, D:\ or A:\
– Can partition the disk for multiple OS's
• Unix/Linux
– Encourages users to partition the disk
– At least, have a root (/) and a swap partition
– Typically more partitions, for several reasons (separate /var, /home, /tmp ...)
30
Partition Names
• In Linux, partitions are represented by device files
• These are pseudo files located in /dev. Here are a few
entries, which come from executing `ls -l` while in the
/dev directory:
brw-rw----   1 root  disk   3,   0 May 5 1998 hda
brw-rw----   1 root  disk   8,   0 May 5 1998 sda
crw-------   1 root  tty    4,  64 May 5 1998 ttyS0
• A device file is a file with type
– c (for "character" devices, devices that don't use the buffer cache)
– b (for "block" devices, which go through the buffer cache)
• In the listing above, see the first character of each line
• In Linux, all disks are represented as block devices only
31
Partition Names
• IDE drives are given device names /dev/hda to /dev/hdd
• Hard Drive A (/dev/hda) is the first drive and Hard Drive C (/dev/hdc)
is the third drive, but the first drive on the second controller
name        controller   drive #
/dev/hda    1            1
/dev/hdb    1            2
/dev/hdc    2            1
/dev/hdd    2            2
• A PC usually has two IDE controllers, each of which can have two
drives connected to it
• Note: current Linux kernels drive IDE disks through libata and name them
/dev/sda, /dev/sdb ... like SCSI/SATA disks; /dev/hd* is seen on older systems
32
Partition Names
• Once a drive has been partitioned,
partitions are represented as numbers on
end of the names
– For example,
• First partition on first drive
– /dev/hda1
• Second partition on second drive
– /dev/hdb2
33
Device Numbers
• The only important thing with a device file is its major and minor
device numbers, which are shown instead of the file size:
• $ ls -l /dev/hda
brw-rw----   1 root  disk   3,   0 Jul 18 1994 /dev/hda
permissions    owner group major minor date        device name
                            number number
• When accessing a device file, the major number selects which
device driver is called to perform the input/output operation
• The call is done with the minor number as a parameter and it is up to the driver
how the minor number is interpreted
• Driver documentation usually describes how the driver uses minor
numbers
34
Partition Types
• A partition is labeled to host a certain kind of file
system
– Could be standard ext2 file system or linux swap
space, or even foreign file systems like (Microsoft)
NTFS or (Sun) UFS
– Numerical code associated with each partition
type
• For example, code for ext2 is 0x83 and linux swap
is 0x82
• See list of partition types and their codes,
– /sbin/sfdisk -T
35
Partition Types
• Primary Partitions
– Number of partitions on an Intel-based system
was limited from the very beginning
• Original partition table was installed as part of the
boot sector and held space for only four partition
entries
• These partitions are now called primary partitions
36
Partition Types
• Limit of 4 primary partitions
hdb: [ hdb1 | hdb2 | hdb3 | hdb4 ]
37
Partition Types
• Yet, one primary partition of hard drive
may be subpartitioned
• Logical partitions
– Allows us to skirt the historical four partition
limitation
38
Partition Types
• Example of two primary partitions and two
logical
hdb: [ hdb1 | hdb2 (extended): [ hdb5 | hdb6 ] ]
39
Partition Types
Partition Table
name        controller   drive   part type   part number
/dev/hdb1   1            2       primary     1
/dev/hdb2   1            2       extended    NA
/dev/hdb5   1            2       logical     2
/dev/hdb6   1            2       logical     3
• The primary partition used to house the logical partitions is called an extended
partition and it has its own partition type code (0x05)
• Unlike primary partitions, logical partitions must all lie inside the extended
partition
• Each logical partition starts with an extended boot record holding its own entry
and a pointer to the next logical partition, forming a chain
• Historical limit: 15 partitions total on a SCSI disk (/dev/sda1 to /dev/sda15)
and 63 on an IDE disk (/dev/hda1 to /dev/hda63), set by the minor-number ranges
40
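The partition table of the slide's example, parsed from raw sectors. This is an added example written for this lecture, not code from the slides: it reads the four primary entries from sector 0, follows the chain of extended boot records to enumerate the logical partitions, and refuses a chain that loops or points off the disk (a corrupted or deliberately hostile table). The disk is constructed in-line as a sparse dict of `{sector_number: 512 bytes}` with the slide's layout: hdb1 (primary, type 0x83), hdb2 (extended, 0x05) holding hdb5 (0x83) and hdb6 (0x82, swap); all sector counts are made-up sample values.

```python
"""Walk a DOS/MBR partition table: primaries in sector 0, logicals via EBRs.

Added example for this lecture, not code from the slides. The disk image is
constructed in-line and the sector numbers are sample values.
"""
import struct

TABLE_OFFSET = 446             # the 64-byte partition table in an MBR/EBR
SIGNATURE = 0xAA55             # bytes 55 AA at offset 510, read little-endian
EXTENDED_TYPES = {0x05, 0x0F}
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sectors


def read_entries(sector: bytes) -> list:
    """The four 16-byte entries of one MBR or EBR."""
    if struct.unpack_from("<H", sector, 510)[0] != SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    out = []
    for i in range(4):
        status, _chs1, ptype, _chs2, lba, size = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        out.append({"status": status, "type": ptype, "lba": lba, "size": size})
    return out


def walk_partitions(disk: dict, device: str = "hdb") -> list:
    """Return (name, type, start_lba, sectors) tuples in fdisk order.
    Logical partitions are numbered from 5 however many primaries exist."""
    parts, ext_start = [], None
    for n, e in enumerate(read_entries(disk[0]), start=1):
        if e["type"] == 0:
            continue                                   # empty slot
        parts.append((f"{device}{n}", e["type"], e["lba"], e["size"]))
        if e["type"] in EXTENDED_TYPES:
            ext_start = e["lba"]
    if ext_start is None:
        return parts
    ebr, n, seen = ext_start, 5, set()
    while True:
        if ebr in seen or ebr not in disk:
            raise ValueError(f"EBR chain broken or looping at sector {ebr}")
        seen.add(ebr)
        logical, link = read_entries(disk[ebr])[:2]
        if logical["type"] != 0:
            # entry 0 is relative to this EBR's own sector
            parts.append((f"{device}{n}", logical["type"],
                          ebr + logical["lba"], logical["size"]))
            n += 1
        if link["type"] == 0:
            return parts
        # entry 1 is relative to the start of the whole extended partition
        ebr = ext_start + link["lba"]


def pack_entry(ptype: int, lba: int, size: int, status: int = 0) -> bytes:
    chs = b"\xfe\xff\xff"          # 'beyond CHS range' marker used by modern tools
    return struct.pack(ENTRY_FMT, status, chs, ptype, chs, lba, size)


def pack_table(entries: list) -> bytes:
    body = b"".join(entries).ljust(64, b"\x00")
    return bytes(TABLE_OFFSET) + body + b"\x55\xaa"


def build_sample_disk() -> dict:
    return {
        0: pack_table([pack_entry(0x83, 63, 204737, status=0x80),   # hdb1, bootable
                       pack_entry(0x05, 204800, 409600)]),          # hdb2, extended
        204800: pack_table([pack_entry(0x83, 63, 204737),           # hdb5, rel. to this EBR
                            pack_entry(0x05, 204800, 204800)]),     # next EBR, rel. to ext start
        409600: pack_table([pack_entry(0x82, 63, 204737)]),         # hdb6, last in chain
    }


if __name__ == "__main__":
    for name, ptype, start, size in walk_partitions(build_sample_disk()):
        print(f"/dev/{name:5} type 0x{ptype:02X} start {start:8} sectors {size}")
```

The two different bases for the EBR entries (entry 0 relative to the EBR itself, entry 1 relative to the extended partition's start) are where hand-written tools usually go wrong, and a looping link is a cheap way to hang a naive parser, which is why the `seen` set is there.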
Summary
• Began to look at disk and file structure of
Linux/Unix systems
• Lots of native Unix tools to examine these
structures
• Will look at these more next time
• Also, many Unix/Linux special tools for
forensics analysis
41
References
• Ext3
– http://en.wikipedia.org/wiki/Ext3
• Ext4
– http://en.wikipedia.org/wiki/Ext4
• Book on File Systems
by Brian Carrier
– http://www.digital-evidence.org/fsfa/index.html
42
Finish
– Next time
• More on Unix tools – dd and others
– Book
• Chapter 8 of text
43