Friday, February 22, 2013

File System Geography - EXT2

- Create an EXT2 image file.
Prior to the test, I made an EXT2 image file named EXT2.dd.
The procedure is as follows.

(1) Create a file filled with zeros.
dd if=/dev/zero of=EXT2.dd bs=1024000 count=10 

10+0 records in
10+0 records out
10240000 bytes (10 MB) copied, 0.487653 s, 21.0 MB/s

(2) Format EXT2.dd as an EXT2 filesystem.
mkfs -T ext2 EXT2.dd
mke2fs 1.41.9 (22-Aug-2009)

EXT2.dd is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
640 inodes, 2500 blocks
125 blocks (5.00%) reserved for the super user
First data block=0
1 block group
32768 blocks per group, 32768 fragments per group
640 inodes per group

Writing inode tables: done                            

Writing superblocks and filesystem accounting information: done

(3) Identify the EXT2.dd file.

# file EXT2.dd 
EXT2.dd: Linux rev 1.0 ext2 filesystem data, UUID=8f4aeba5-aa03-4000-be18-3cb597a585f1 (large files)

(4) Mount EXT2.dd locally and copy forensics.jpg into it for the test.

# mount -o loop EXT2.dd ./RAW/

# df

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda3             28755580   4839728  22455144  18% /
udev                    513268       232    513036   1% /dev
none                    513268       136    513132   1% /dev/shm
none                    513268       344    512924   1% /var/run
none                    513268         0    513268   0% /var/lock
none                    513268         0    513268   0% /lib/init/rw
none                  28755580   4839728  22455144  18% /var/lib/ureadahead/debugfs
/dev/sda1               233333     23889    197397  11% /boot
/dev/sdb1            206422036    191748 195744668   1% /cases
/dev/loop1                9824        24      9300   1% /test/EXT2/RAW

# cp ~/Desktop/forensics.jpg ./RAW/

# ls ./RAW/
forensics.jpg  lost+found

# umount /dev/loop1

- EXT2 Layout

- The 6 Contents of a Group

A block group has six contents, as follows.

Super Block - metadata of the group
Group Descriptor Table - the locations of the Block Bitmap, Inode Bitmap and Inode Table
Block Bitmap - which blocks are allocated
Inode Bitmap - which inodes are allocated
Inode Table - the inodes that the group uses
Data Blocks - the data that the group uses

- Super Block

The Super Block starts at the first block + 0x400.

Inode size: 128 bytes
Total inode count: 640 (0x280)
Total size of the inode table: 640 * 128 = 81920 bytes
Block size: log value 2 (as in the mkfs output, log=2) => 4096 bytes

- Group Descriptor

Second block: Group Descriptor

Block Bitmap offset: block 2
Inode Bitmap offset: block 3
Inode Table offset: block 4

- Identify the Block Bitmap, Inode Bitmap and Inode Table offsets

Block Bitmap offset: block 2 * 0x1000 = 0x2000
Inode Bitmap offset: block 3 * 0x1000 = 0x3000
Inode Table offset: block 4 * 0x1000 = 0x4000

Data is placed after the end of the inode table.
The inode table occupies as many blocks as the total inode count requires.

The size of an inode is 256 bytes.
Total size of the inode table: 640 * 128 = 163840 bytes (the Super Block holds this information)

163840 / 4096 (block size) = 40 blocks

so

inode table offset + 40 blocks = beginning of the data area

- Inode


Six inodes are reserved, from inode 0 to inode 5.

0 - Bad Blocks Inode
1 - Root Inode
2 - ACL Inode
3 - ACL Inode
4 - Boot Loader Inode
5 - Undelete Directory Inode


The reserved inodes occupy 0x600 bytes (1536 = 256 * 6).

An inode has many attributes; among them is the offset of its Directory Entry.
The Directory Entry holds the location information for the data.

The Root Inode holds the Directory Entries for the data (forensics.jpg).

The Root Inode is the second inode, so I moved from offset 0x4000 to offset 0x4100
(the size of an inode is 0x100 = 256 bytes).

I checked the Directory Entry offset at 0x4128; this value is 0x2C.

The Directory Entry location of the Root inode is therefore at 0x2C000 (0x2C * 0x1000).

- Directory Entry

The structure of each entry is as follows.

The entry for forensics.jpg is as follows.
Its inode number is 0x0C.

The formula for the offset of forensics.jpg's inode:

Formula: (First Inode Offset + file's Inode Number * Inode Entry Size) - Inode Entry Size
With real values: (0x4000 + 0xC * 0x100) - 0x100 = 0x4B00
=> The first inode is counted as 0, so 0x100 must be subtracted.
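As an added example that is not part of the original post, the lookups the sections above perform by hand (superblock fields, group descriptor, inode offset from an inode number, and the root directory's entries) done in Python. The field offsets come from the ext2 on-disk layout; the image is a constructed byte buffer that mirrors this page's numbers (4 KiB blocks, 256-byte inodes, inode table at block 4, forensics.jpg as inode 0x0C with its data at block 0x32), not the real EXT2.dd.

```python
import struct
SB_OFF, EXT2_MAGIC = 0x400, 0xEF53    # superblock starts 1024 bytes into the image; s_magic value

def parse_superblock(img):            # the two superblock fields the walkthrough reads
    if struct.unpack_from("<H", img, SB_OFF + 56)[0] != EXT2_MAGIC:
        raise ValueError("not an ext2 superblock (bad magic)")
    return {"block_size": 1024 << struct.unpack_from("<I", img, SB_OFF + 24)[0],  # log 2 -> 4096
            "inode_size": struct.unpack_from("<H", img, SB_OFF + 88)[0]}          # rev 1 layout

def parse_group_desc(img, bs):        # first descriptor: the block after the superblock's block
    bb, ib, it = struct.unpack_from("<III", img, (SB_OFF // bs + 1) * bs)
    return {"block_bitmap": bb, "inode_bitmap": ib, "inode_table": it}

def inode_offset(sb, gd, n):          # inodes are numbered from 1, hence (n - 1): the page's "- 0x100"
    return gd["inode_table"] * sb["block_size"] + (n - 1) * sb["inode_size"]

def parse_dir_block(block):           # entries: inode(4) rec_len(2) name_len(1) file_type(1) name
    entries, pos = [], 0
    while pos + 8 <= len(block):
        ino, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, pos)
        if rec_len < 8 or pos + rec_len > len(block):
            break                                        # corrupt rec_len: stop, don't loop forever
        if ino:                                          # inode 0 marks an unused or deleted slot
            entries.append((block[pos + 8:pos + 8 + name_len].decode("latin-1"), ino, ftype))
        pos += rec_len
    return entries

def locate_file(img, name):           # -> (inode number, inode offset, first data block), or None
    sb = parse_superblock(img)
    bs, gd = sb["block_size"], parse_group_desc(img, sb["block_size"])
    root = inode_offset(sb, gd, 2)                                   # root directory is inode 2
    start = struct.unpack_from("<I", img, root + 40)[0] * bs          # i_block[0] sits at inode + 0x28
    for ename, ino, _ in parse_dir_block(img[start:start + bs]):
        if ename == name:
            off = inode_offset(sb, gd, ino)
            return ino, off, struct.unpack_from("<I", img, off + 40)[0]

def build_sample_image():             # constructed: only the bytes the parser reads, not mkfs output
    img = bytearray(0x40000)
    for fmt, off, val in (("<I", 24, 2), ("<H", 56, EXT2_MAGIC), ("<H", 88, 256)):
        struct.pack_into(fmt, img, SB_OFF + off, val)    # s_log_block_size, s_magic, s_inode_size
    struct.pack_into("<III", img, 0x1000, 2, 3, 4)       # bitmaps in blocks 2 and 3, inode table in 4
    struct.pack_into("<I", img, 0x4100 + 40, 0x2C)       # root inode (no. 2) -> directory block 0x2C
    struct.pack_into("<I", img, 0x4B00 + 40, 0x32)       # inode 12 -> first data block 0x32
    pos = 0x2C000
    for nm, ino, rec, ft in ((b".", 2, 12, 2), (b"..", 2, 12, 2), (b"forensics.jpg", 12, 4072, 1)):
        struct.pack_into("<IHBB", img, pos, ino, rec, len(nm), ft)  # rec_len pads to 4; last fills block
        img[pos + 8:pos + 8 + len(nm)] = nm
        pos += rec
    return bytes(img)
```

Running locate_file(build_sample_image(), "forensics.jpg") reproduces the page's values: inode 12 at 0x4B00, data at block 0x32 (0x32000), which is what the dd extraction at the end of the post reads.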

- The inode of forensics.jpg

forensics.jpg occupies blocks 32 to 36.

I identified the JPEG signature at offset 0x32000.

- Identify a JPEG (forensics.jpg)

For identification of forensics.jpg, I used the dd tool.
if => input file
of => output file
bs => block size (a block is the Unix equivalent of a cluster)
skip => the number of blocks of size bs to skip at the input before reading

bash-3.2# dd if=EXT2.dd of=forensics.jpg bs=4096 count=5 skip=204800
5+0 records in
5+0 records out
20480 bytes transferred in 0.000217 secs (94394886 bytes/sec)

File : forensics.jpg
URL : http://pchs.peachschools.org/sites/pchs.peachschools.org/files/computer-forensics.jpeg
