Linux System Artifacts
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555
L7: Linux System Artifacts

1 UNIX and Linux
- UNIX flavors
  - System V variants: Sun Solaris, IBM AIX, and HP-UX
  - BSD variants: FreeBSD, OpenBSD, and NetBSD
- Linux distributions
  - Red Hat, Fedora, Ubuntu, and Debian
  - Most consistent UNIX-like operating systems
  - The Linux kernel is licensed under the GNU General Public License (GPL)

2 UNIX and Linux
- BSD license is similar to the GPL
  - But makes no requirements for derivative works
- Some useful Linux commands to find information about your Linux system
  - uname -a
  - ls -l
  - ls -ul filename
  - netstat -s

3 Some Linux System Files
System file        Purpose
/etc/fstab         File system table of devices and mount points
/var/log/lastlog   Last login time of all users
/var/log/wtmp      Logon and logoff history information
/var/run/utmp      Current users' logon information
/var/log/messages  System message log
/etc/shadow        Master password file for the local system
/etc/group         Group memberships for the local system
/dev/hda           Device file for the first IDE hard drive
/proc/meminfo      Memory usage information for both physical memory and swap space
/proc/modules      Lists currently loaded modules
4 Extended File System
- Linux file systems
  - Second Extended File System (Ext2fs)
  - Ext3fs, journaling version of Ext2fs
  - Now Ext4fs
- Employs inodes (information/index nodes)
  - Identified by a number
  - Contain information about one file or directory
  - Store data block numbers
  - Keep an internal link count
    - Deleted inodes have count value 0
- Directories
  - Specially structured files containing <name, inode> records

5 Linux File System Terminology
- A block in Linux can be 1KB, 2KB, 4KB or 8KB (analogous to a Windows "cluster")
  - Decided when formatting the drive (4KB is typical)
- Block group
  - A set of contiguous blocks
  - A block group descriptor table specifies where each block group begins
- Inode
  - Fully describes a file/directory
  - Has information on the block numbers where a file's content resides
6 Block Zero
- Boot block
  - Contains the bootstrap code in the first sector
  - 512 bytes

7 Block Groups
- Block group zero starts at offset 1024 bytes from the beginning of the partition
- When is block 0 part of block group 0?
  - If block size > 1024 bytes
- Block groups 1 onwards start from other block numbers
- Number of blocks in a block group is at most 8 times the size of a block in bytes, because the block bitmap occupies exactly one block and uses one bit per block
  - For 4KB block size, you can have at most 8 x 4096 = 32768 blocks in a block group
8 Blocks and Block Groups
[Figure: partition layout for block groups with block size > 1024 bytes. The boot block comes first, followed by blocks 1, 2, 3, 4, 5, ...; block group 0 begins at byte 1024 and block group 1 follows it.]

9 Super Block
- Indicates disk geometry, available space, location of the first inode, and other file system specific information
- 1 KB of information
- Stored at offset 1024 bytes of the partition (i.e. in block group 0)
- Redundant copies are also maintained
  - First block of block groups 1 and powers of 3, 5, and 7 stores a duplicate of the super block
10 Super Block Structure
- Offset 0x18: Logarithm (base 2) of the block size in KB : 32-bit (block size = 1024 << value)
- Offset 0x20: Number of blocks per group : 32-bit
- Offset 0x28: Number of inodes per group : 32-bit
- Offset 0x38: 2 byte magic number identifying the file system
  - 0xEF53 means ext
- Other information
  - Number of free inodes and blocks across all groups
  - Time when file system was last mounted/accessed/verified
  - Journaling files
  - http://www.nongnu.org/ext2-doc/ext2.html

11 Block Group Descriptor Table
- Following the superblock
- Duplicates are maintained in block groups that also contain the superblock duplicate
- Information pertaining to all block groups
- Superblock has information to compute the number of block groups
  - We can use it to determine how many blocks are required to store this table
- The table is an array of BGD structures
  [Figure: BGD 0 | BGD 1 | ... | BGD N]
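As an added example that is not part of the slides, the superblock and BGD table fields above parsed from a constructed 1 KB superblock: it checks the 0xEF53 magic, derives the block size from the logarithm field, applies the one-bitmap-block limit from slide 7, computes the number of block groups and the blocks the BGD table needs, and lists the groups that hold a superblock copy. The total block count at offset 0x4 and the first data block at 0x14 are taken from the ext2 layout document linked above, not from the slides; the sample values are constructed.

```python
import struct
from math import ceil

# Superblock offsets from the slides; 0x4 (total blocks) and 0x14 (first data block) come from the ext2 layout doc.
SB_BLOCKS_COUNT, SB_FIRST_DATA_BLOCK, SB_LOG_BLOCK_SIZE = 0x4, 0x14, 0x18
SB_BLOCKS_PER_GROUP, SB_INODES_PER_GROUP, SB_MAGIC = 0x20, 0x28, 0x38
EXT2_MAGIC, BGD_SIZE = 0xEF53, 32


def parse_superblock(sb: bytes) -> dict:
    """Decode the fields needed to locate every block group and the BGD table."""
    def u32(off):
        return struct.unpack_from("<I", sb, off)[0]
    magic = struct.unpack_from("<H", sb, SB_MAGIC)[0]
    if magic != EXT2_MAGIC:
        raise ValueError(f"magic 0x{magic:04X} is not 0xEF53: not an ext superblock")
    block_size = 1024 << u32(SB_LOG_BLOCK_SIZE)          # log field: 0 -> 1 KB, 2 -> 4 KB
    per_group = u32(SB_BLOCKS_PER_GROUP)
    # The block bitmap is exactly one block, so it can track at most 8 * block_size blocks.
    if per_group > 8 * block_size:
        raise ValueError("blocks per group exceeds what one bitmap block can track")
    groups = ceil((u32(SB_BLOCKS_COUNT) - u32(SB_FIRST_DATA_BLOCK)) / per_group)
    return {"block_size": block_size, "blocks_per_group": per_group,
            "inodes_per_group": u32(SB_INODES_PER_GROUP), "group_count": groups,
            "bgd_table_blocks": ceil(groups * BGD_SIZE / block_size)}


def superblock_copy_groups(group_count: int) -> list:
    """Groups whose first block holds a superblock: 0 (primary), 1, and powers of 3, 5, 7."""
    found = {0}
    for base in (3, 5, 7):
        p = 1
        while p < group_count:
            found.add(p)
            p *= base
    return sorted(found)


def parse_bgd_table(table: bytes, group_count: int) -> list:
    """Each 32-byte BGD begins with the block bitmap, inode bitmap and inode table block numbers."""
    keys = ("block_bitmap", "inode_bitmap", "inode_table")
    return [dict(zip(keys, struct.unpack_from("<III", table, i * BGD_SIZE)))
            for i in range(group_count)]


def sample_superblock() -> bytes:
    """Constructed superblock: 1 KB blocks, 20000 blocks in total, 8192 per group."""
    sb = bytearray(1024)
    for off, val in ((SB_BLOCKS_COUNT, 20000), (SB_FIRST_DATA_BLOCK, 1), (SB_LOG_BLOCK_SIZE, 0),
                     (SB_BLOCKS_PER_GROUP, 8192), (SB_INODES_PER_GROUP, 2048)):
        struct.pack_into("<I", sb, off, val)
    struct.pack_into("<H", sb, SB_MAGIC, EXT2_MAGIC)
    return bytes(sb)
```

With the constructed values the partition has three block groups whose BGD table fits in a single block, and superblock copies sit in groups 0 and 1 only.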
12 BGD Structure
- Each BGD is 32 bytes
- Offset 0x0 to 0x3:
  - Block number of the first block of the block bitmap of the represented group
- Offset 0x4 to 0x7:
  - Block number of the first block of the inode bitmap of the represented group
- Offset 0x8 to 0xB:
  - Block number of the first block of the inode table of the represented group
- And more!

13 Remaining Ingredients of a Block Group
- Following the superblock and BGD table (if present) are
  - Block bitmap: a bitmap indicating which blocks are available in the block group
    - Occupies exactly 1 block
    - What is the maximum no. of blocks in a group?
  - Inode bitmap: a bitmap indicating which inodes are available in the block group
    - Occupies exactly 1 block
  - Inode table: an array of inodes
    - Each inode is 128 bytes
    - Superblock has information on how many inodes there are in a block group
    - Inode number 2 is for the root directory
  - Data blocks
14 The Big Picture
[Figure: layout of consecutive block groups. Block group 0: Superblock <1 KB>, BGD Table <1 block>, Some Reserved Blocks, Block bitmap <1 block>, Inode bitmap <1 block>, Inode table, Data. A block group holding a superblock copy: Superblock <1 block>, BGD Table <1 block>, Some Reserved Blocks, Block bitmap <1 block>, Inode bitmap <1 block>, Inode table, Data. A block group without a copy: Block bitmap <1 block>, Inode bitmap <1 block>, Inode table, Data. And so on ...]

15 Inode Structure
- Each inode is 128 bytes and tells us about a file/directory
- Offset 0x0 to 0x1: Type of file and access rights
  - Uses special code values
- Offset 0x8 to 0xB: File access time
- Offset 0xC to 0xF: File create time
- Offset 0x10 to 0x13: File modify time
- Offset 0x28 to 0x63: Block pointers
  - Tell us where the contents of this file are stored
- The name of the file is not stored in the inode
  - It's part of the directory information!
16 Some Code Values at Offset 0
Code Value (Hex)  Description
8000              Regular file
4000              Directory
0800              UID on execution – set
0400              GID on execution – set
0100              Read by owner – allowed
0080              Write by owner – allowed
0040              Execution/search by owner – allowed
0020              Read by group – allowed
0010              Write by group – allowed
0008              Execution/search by group – allowed
0004              Read by others – allowed
0002              Write by others – allowed
0001              Execution/search by others – allowed

17 Inode Pointers
- Each pointer is a 32-bit (4 byte) address of a block
  - A block number
- Pointers 1 to 12 are direct pointers
  - Data blocks
- Pointer 13 is an indirect pointer
  - It takes you to a data block that is full of more direct pointers
- Pointer 14 is a double indirect pointer
  - It takes you to a data block that is full of more indirect pointers
- Pointer 15 is a triple indirect pointer
  - It takes you to a data block that is full of more double indirect pointers
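An added example, not from the slides, that decodes a constructed 128-byte inode with the offsets from slide 15 and the code values from slide 16, then follows its direct, indirect and double indirect pointers on a constructed in-memory image with 1 KB blocks (a lookup function stands in for reading blocks from a disk image). The slides label offset 0xC as create time; the ext2 layout document describes that field as the inode change time, so the code calls it ctime.

```python
import struct
# Inode offsets from the slides: mode at 0x0, atime/ctime/mtime at 0x8/0xC/0x10,
# and fifteen 4-byte block pointers at 0x28 (12 direct, then single, double, triple indirect).
INODE_SIZE, PTR_OFFSET, N_DIRECT = 128, 0x28, 12
TYPE_NAMES = {0x8000: "regular file", 0x4000: "directory"}
PERM_BITS = [(0x0800, "setuid"), (0x0400, "setgid"), (0x0100, "owner read"),
             (0x0080, "owner write"), (0x0040, "owner exec"), (0x0020, "group read"),
             (0x0010, "group write"), (0x0008, "group exec"), (0x0004, "others read"),
             (0x0002, "others write"), (0x0001, "others exec")]

def parse_inode(raw: bytes) -> dict:
    """Decode file type, permission flags, timestamps and the 15 block pointers."""
    mode = struct.unpack_from("<H", raw, 0)[0]
    atime, ctime, mtime = struct.unpack_from("<III", raw, 0x8)
    return {"type": TYPE_NAMES.get(mode & 0xF000, f"other 0x{mode & 0xF000:04X}"),
            "perms": [name for bit, name in PERM_BITS if mode & bit],
            "atime": atime, "ctime": ctime, "mtime": mtime,
            "pointers": list(struct.unpack_from("<15I", raw, PTR_OFFSET))}

def data_blocks(pointers, read_block, block_size=1024) -> list:
    """Resolve direct, single, double and triple indirect pointers to data block numbers."""
    per_block = block_size // 4           # 4-byte block numbers per pointer block
    def walk(ptr, depth):
        if ptr == 0:                      # unused slot: no block allocated here
            return []
        if depth == 0:
            return [ptr]
        out = []
        for child in struct.unpack(f"<{per_block}I", read_block(ptr)):
            out.extend(walk(child, depth - 1))
        return out
    found = [p for p in pointers[:N_DIRECT] if p]
    for depth, ptr in enumerate(pointers[N_DIRECT:], start=1):
        found.extend(walk(ptr, depth))    # pointer 13: depth 1, 14: depth 2, 15: depth 3
    return found

def sample_image():
    """Constructed inode and 1 KB pointer blocks: 12 direct, one indirect, one double indirect."""
    def ptr_block(*ptrs):
        return struct.pack("<256I", *ptrs, *([0] * (256 - len(ptrs))))
    blocks = {200: ptr_block(300, 301),   # indirect block -> data blocks 300, 301
              210: ptr_block(220),        # double indirect block -> indirect block 220
              220: ptr_block(400, 401)}   # -> data blocks 400, 401
    inode = bytearray(INODE_SIZE)
    struct.pack_into("<H", inode, 0, 0x8000 | 0x0100 | 0x0080 | 0x0020 | 0x0004)  # regular file, rw-r--r--
    struct.pack_into("<III", inode, 0x8, 1400000000, 1400000001, 1400000002)
    struct.pack_into("<15I", inode, PTR_OFFSET, *range(100, 112), 200, 210, 0)
    return bytes(inode), blocks
```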
18 Inode Pointers (contd.)
[Figure: Pointer 1 to Pointer 12 each lead directly to a data block (1 ... 12); Pointer 13 leads to a block of pointers ("Info") which in turn lead to further data blocks (... 1036, 1037); Pointer 14 and Pointer 15 add further levels of indirection. Each data block holds "File Data (as big as block size)".]

19 Some Other Information
- Bad block inode
  - Keeps track of the disk's bad sectors
  - Inode 1
  - Some forensics tools ignore this inode
  - Commands: badblocks and e2fsck
- Continuation inode
  - File A: part in block group X and part in block group Y
  - Inodes in each block group
  - Helps retrieve allocated blocks when parts of the file system get corrupted
20 Directories
- A directory is just a file with specially formatted data
- Linked list implementation
  - An array of directory entries
  - Variable size
  - Offset 0 to 3: inode number corresponding to this entry
  - Offset 6: length of the name of this entry
  - Offset 8 onwards: name of this entry
  - First entry is always for itself (seen as . when running ls)
  - Second entry is always for the parent directory (..)
- Other implementations exist
  - E.g. B+-tree

21 References
- Ch 8: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9
- Layout of ext2fs: http://www.nongnu.org/ext2-doc/ext2.html
  - Ext3 basic structure is the same as ext2
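An added example (not from the slides) that walks a constructed 1 KB directory block using the linked-list entry layout from slide 20. It relies on two fields the slides do not list but the linked ext2 layout document does: the 16-bit record length at offset 4, which says where the next entry starts, and the file type byte at offset 7. Unlinking a file only stretches the previous entry's record length over the removed entry, so the walker also scans that slack for the stale record; this is how an examiner recovers the names of deleted files from a directory block.

```python
import struct

# ext2 directory entry: inode (0-3), rec_len (4-5), name_len (6), file_type (7), name (8..).
# The slides give inode, name_len and name; rec_len and file_type come from the ext2 layout doc.
HEADER = struct.Struct("<IHBB")

def _entry_at(block: bytes, off: int):
    inode, rec_len, name_len, _ftype = HEADER.unpack_from(block, off)
    name = block[off + 8: off + 8 + name_len].decode("latin-1")
    return inode, rec_len, name_len, name

def _padded(name_len: int) -> int:
    return (8 + name_len + 3) & ~3          # entries are padded to 4-byte boundaries

def walk_directory(block: bytes) -> tuple:
    """Return (live entries, entries recoverable from slack left behind by deletion)."""
    live, deleted, off = [], [], 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, name = _entry_at(block, off)
        if rec_len < 8 or off + rec_len > len(block):
            break                             # broken chain: stop instead of reading past the block
        if inode:
            live.append((inode, name))
        # Deleting a file stretches the previous rec_len over the removed entry, so
        # the bytes between this name's padded end and rec_len may still hold it.
        scan, end = off + _padded(name_len), off + rec_len
        while scan + 8 <= end:
            d_inode, _, d_len, d_name = _entry_at(block, scan)
            if not d_inode or d_len == 0 or scan + 8 + d_len > end or not d_name.isprintable():
                break
            deleted.append((d_inode, d_name))
            scan += _padded(d_len)
        off = end
    return live, deleted

def sample_block(size: int = 1024) -> bytes:
    """Constructed directory block in which 'secret.key' (inode 13) has been deleted."""
    def rec(inode, name, rec_len):
        raw = HEADER.pack(inode, rec_len, len(name), 1) + name.encode()
        return raw + bytes(rec_len - len(raw))
    block = rec(2, ".", 12) + rec(2, "..", 12)
    notes = rec(12, "notes.txt", 40)          # rec_len stretched from 20 over the deleted record
    stale = rec(13, "secret.key", 20)         # the unlinked entry's bytes are still on disk
    block += notes[:20] + stale
    return block + rec(14, "a.out", size - len(block))
```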