Prior to Test, I made a EXT2 file named EXT2.dd.
Procedures are as below.
(1) Create a File filled with zeros.
# dd if=/dev/zero of=EXT2.dd bs=1024000 count=10
10+0 records in
10+0 records out
10240000 bytes (10 MB) copied, 0.487653 s, 21.0 MB/s
(2) format EXT2.dd as EXT2 filesystem.
# mkfs -T ext2 EXT2.dd mke2fs 1.41.9 (22-Aug-2009)
EXT2.dd is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
640 inodes, 2500 blocks
125 blocks (5.00%) reserved for the super user
First data block=0
1 block group
32768 blocks per group, 32768 fragments per group
640 inodes per group
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
(3) Identify EXT2.dd file.
# file EXT2.dd
EXT2.dd: Linux rev 1.0 ext2 filesystem data, UUID=8f4aeba5-aa03-4000-be18-3cb597a585f1 (large files)
(4) Mount EXT2 to Local and Copy forensics.jpg for test.
# mount -o loop EXT2.dd ./RAW/
# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda3 28755580 4839728 22455144 18% /
udev 513268 232 513036 1% /dev
none 513268 136 513132 1% /dev/shm
none 513268 344 512924 1% /var/run
none 513268 0 513268 0% /var/lock
none 513268 0 513268 0% /lib/init/rw
none 28755580 4839728 22455144 18% /var/lib/ureadahead/debugfs
/dev/sda1 233333 23889 197397 11% /boot
/dev/sdb1 206422036 191748 195744668 1% /cases
/dev/loop1 9824 24 9300 1% /test/EXT2/RAW
# cp ~/Desktop/forensics.jpg ./RAW/
# ls ./RAW/
forensics.jpg lost+found
# umount /dev/loop1
- EXT2 Layout
- 6 Contents of Group
Group has 6 contents as follows.
Super Block - Metadata of Group
Group Descriptor Table – Location information of Block Bitmap, Inode Bitmap, Inode Table
Block Bitmap – The information what blocks are allocated
Inode Bitmap – The information what inodes are allocated
Inode Table - The inode that Group use
Data Blocks - The data that Group use
- Super Block
From First Block + 0x400 : Super Block
The Size of Inode : 128 bytes
The Total Count of Inode : 640(0x280)
The Total Size of Inode : 640 * 128 = 81920 bytes
The Size of Block : 2 => 4096 bytes
- Group Descriptor
Second Block : Group Descciptor
Blocks Bitmap Offset : 2 Block
Inodes Bitmap Offset : 3 Block
Inodes Table Offset : 4 Block
- Identify Blocks / Inodes Bitmap and Table offset
Blocks Bitmap Offset : 2 Block * 0x1000 = 0x2000
Inodes Bitmap Offset : 3 Block * 0x1000 = 0x3000
Inodes Table Offset : 4 Block * 0x1000 = 0x4000
Data is placed after end of inode.
Total inodes occupy blocks in accordance with the total count of inode.
The size of a inode is 256 bytes.
The Total Size of Inode : 640 * 128 = 163840 bytes(Super Block has this information)
163840 / 4096(block size) = 40
and then
After first inode table offset + 40 block = Beginning Data offset
- Inode
The six of inode is reserved from 0 inode to 5 inode.
0 - Bad Blocks Inode
1 - Root Inode
2 - ACL Inode
3 - ACL Inode
4 - Boot Loader Inode
5 - Undelete Directory Inode
The size of inodes reserved is 0x600(1536 = 256 * 6)
Inode has many attributes. There is the offset of Directory Entry.
Directory Entry has location information about data.
Root Inode has Direcotry Entries of Data(forensics.jpg).
Root Inode is second inode. so I moved from 0x4000 offset to 0x4100 offset.
(the size of inode is 0x100(256).
I checked Directory Entry offset at 0x4128. this value is 0x2C.
Directory Entry location of Root inode is at 0x2C000.
Blocks Bitmap Offset : 2 Block * 0x1000 = 0x2000
Inodes Bitmap Offset : 3 Block * 0x1000 = 0x3000
Inodes Table Offset : 4 Block * 0x1000 = 0x4000
Data is placed after end of inode.
Total inodes occupy blocks in accordance with the total count of inode.
The size of a inode is 256 bytes.
The Total Size of Inode : 640 * 128 = 163840 bytes(Super Block has this information)
163840 / 4096(block size) = 40
and then
After first inode table offset + 40 block = Beginning Data offset
- Inode
The six of inode is reserved from 0 inode to 5 inode.
0 - Bad Blocks Inode
1 - Root Inode
2 - ACL Inode
3 - ACL Inode
4 - Boot Loader Inode
5 - Undelete Directory Inode
The size of inodes reserved is 0x600(1536 = 256 * 6)
Inode has many attributes. There is the offset of Directory Entry.
Directory Entry has location information about data.
Root Inode has Direcotry Entries of Data(forensics.jpg).
Root Inode is second inode. so I moved from 0x4000 offset to 0x4100 offset.
(the size of inode is 0x100(256).
I checked Directory Entry offset at 0x4128. this value is 0x2C.
Directory Entry location of Root inode is at 0x2C000.
- Directory Entry
The structure of each entry is as follow.
Forensics.jpg's structure is as follow.
its inode number is 0x0C.
The formula of forensics.jpg's Inode
How : (First Inode Offset + file's Inode Number * Inode Entry Size) – Inode Entry Size
Real Data : (0x4000 + 0xC * 0x100) – 0x100 = 0x4B00
=> The number of First Inode count is 0. So 0x100 must be subtracted.
- The inode of forensics.jpg
forensics.jpg is placed from 32 block to 36 block.
I identified JPEG signature at Offset 0x32000.
- Idendify a JPEG(forensics.jpg)
For identification of forensics.jpg, I used dd tool.
if => input
of => output
bs => block size (=block is cluster in unix)
skip => skip as much as block size.
bash-3.2# dd if=EXT2.dd of=forensics.jpg bs=4096 count=5 skip=204800
5+0 records in
5+0 records out
20480 bytes transferred in 0.000217 secs (94394886 bytes/sec)
File : forensics.jpg
URL : http://pchs.peachschools.org/sites/pchs.peachschools.org/files/computer-forensics.jpeg
No comments:
Post a Comment