Ad-hoc File System Analysis - sans.org

Ad-hoc File System Forensics
Andreas Schuster
http://computer.forensikblog.de/en/



Introduction: Bread and butter

- Extract disk drive
- Connect to write-blocking device
- Create image
- Load image into analysis software
- Analyze!

Image: Hewlett Packard

Introduction: But how about printers?

This is a

- Printer
- Scanner
- Photocopier
- Fax
- Mail User Agent
- File server
- Web server

... and it is equipped with a disk drive!

Image: Hewlett Packard

Introduction: Standard hardware?

- Drive mounted on carrier plate
- Standard ATA disk
- Apply Standard Operating Procedure:
  - Extract disk drive
  - Connect to write-blocking device
  - Create image
  - Load into analysis software

Image: Hewlett Packard

Introduction: Unrecognized file system - now what?

Analysis Process

1. Physical disk examination
2. Volume examination
3. File system layout
4. File name information
5. File metadata
6. File contents

Physical Disk Examination: Tools

- Visual inspection:
  - make, model, serial number
  - geometry (CHS, LBA)
- Interface:
  - Tableau write-blocking ATA/FW bridge
  - Tableau Disk Monitor, http://www.tableau.com/
  - tableau-parm, http://projects.sentinelchicken.org/tableau-parm

Physical Disk Examination: Disk information

Vendor                       (empty)
Model                        HP J6054B
Revision                     AD101A
Serial number                169V0029T
Bus type                     IDE
Device type                  Simplified Direct Access
Removable media?             No
Sector size                  512 bytes
HPA in use?                  Yes
DCO in use?                  No
Security extensions in use?  No
Reported capacity            37.1 GB (77,878,016 sectors)
HPA capacity                 37.3 GB (78,140,160 sectors)
DCO capacity                 37.3 GB (78,140,160 sectors)

Note: the reported capacity is 262,144 sectors (128 MiB) short of the HPA/DCO capacity; that difference is the area hidden by the Host Protected Area and is only captured if the image is taken with the HPA disabled.

Volume Examination: Tools

- TestDisk by Christophe Grenier, http://www.cgsecurity.org/wiki/TestDisk
- Available for Microsoft Windows, Linux, *BSD, SunOS, Mac OS X
- Override disk geometry parameters for a really deep scan:
  - sectors = 1
  - heads = 1

Volume Examination: TestDisk (screenshot)

Separate File System into Different Areas: Shannon's Entropy

- Entropy: a measure of the information contained in a message
- Assumptions:
  - 1 byte per character
  - alphabet of 256 characters
  - block size >> size of alphabet

H(X) = -\sum_{i=1}^{256} p(x_i) \log_2 p(x_i)

Shannon's Entropy: Tools

- Python, http://www.python.org/
- SQLite, http://www.sqlite.org/
- Gnuplot, http://www.gnuplot.info/

Shannon's Entropy: Plot entropy distribution

gnuplot> set style data dots
gnuplot> set datafile separator "|"
gnuplot> plot "< sqlite3 myfile.db3 'SELECT * FROM tbl_entropy WHERE offset BETWEEN 0 AND 1*512*1024*1024;'" notitle
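The slides name Python and SQLite as the tools that produce the entropy table the gnuplot command above reads, but do not show that code. The block below is an added example, not the author's script: it computes the formula per block, writes the result into a table named tbl_entropy with the columns offset and entropy (so that `sqlite3 myfile.db3 'SELECT * FROM tbl_entropy ...'` prints the offset|entropy rows gnuplot expects with separator "|"), and runs it over a constructed stand-in image. The block size of 4096 bytes is an assumption; the slides only require it to be much larger than the 256-symbol alphabet.

```python
import math
import sqlite3
from collections import Counter

# Added example, not from the slides. Assumed block size: 4096 bytes (the slides
# only require the block to be much larger than the 256-symbol alphabet).
BLOCK_SIZE = 4096


def shannon_entropy(block: bytes) -> float:
    """H(X) = -sum_i p(x_i) * log2 p(x_i), with p taken from the byte histogram.

    0.0 for a block made of a single value, 8.0 when all 256 values occur equally.
    """
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def entropy_profile(data: bytes, block_size: int = BLOCK_SIZE):
    """Yield (byte offset, entropy) for every block of the image (last block may be short)."""
    for off in range(0, len(data), block_size):
        yield off, shannon_entropy(data[off:off + block_size])


def store_profile(db_path: str, data: bytes, block_size: int = BLOCK_SIZE) -> int:
    """Store the profile in tbl_entropy(offset, entropy); returns the row count.

    sqlite3's default output separator is "|", so a SELECT on this table feeds
    gnuplot directly, as in the plot command on the slide.
    """
    con = sqlite3.connect(db_path)
    with con:
        con.execute("CREATE TABLE IF NOT EXISTS tbl_entropy "
                    "(offset INTEGER PRIMARY KEY, entropy REAL)")
        con.executemany("INSERT OR REPLACE INTO tbl_entropy VALUES (?, ?)",
                        entropy_profile(data, block_size))
        count = con.execute("SELECT COUNT(*) FROM tbl_entropy").fetchone()[0]
    con.close()
    return count


def sample_image() -> bytes:
    """Constructed stand-in for a disk image, one block of each kind:
    zero-filled, the repeating "blank" sector marker seen in region 1, a5 filler,
    and a block in which every byte value occurs equally often (compressed or
    encrypted data looks like this)."""
    zeros = bytes(BLOCK_SIZE)
    marker = (b"blank" + bytes(3)) * (BLOCK_SIZE // 8)
    filler = b"\xa5" * BLOCK_SIZE
    uniform = bytes(range(256)) * (BLOCK_SIZE // 256)
    return zeros + marker + filler + uniform


if __name__ == "__main__":
    for off, h in entropy_profile(sample_image()):
        print(f"{off}|{h:.3f}")
    print(store_profile("myfile.db3", sample_image()), "rows written")
```

Running the block prints four rows: the zero block and the a5 filler score 0.0, the "blank" marker block about 2.4 bits per byte, and the uniform block exactly 8.0; on a real image the regions discussed in the following slides show up as plateaus of different height in that profile.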

Shannon's Entropy: Plot of first 512 MiB (screenshot)

Shannon's Entropy: Zoom in on the first sectors

gnuplot> set style data dots
gnuplot> set logscale x 10
gnuplot> set datafile separator "|"
gnuplot> plot "< sqlite3 myfile.db3 'SELECT * FROM tbl_entropy WHERE offset BETWEEN 0 AND 1*512*1024*1024;'" notitle

Shannon's Entropy: Plot of first 512 MiB, logarithmic x axis (screenshot)

Shannon's Entropy: Add some color

gnuplot> set style data impulses
gnuplot> set cbrange [0:8]
gnuplot> set logscale x 10
gnuplot> set datafile separator "|"
gnuplot> plot "< sqlite3 myfile.db3 'SELECT * FROM tbl_entropy WHERE offset BETWEEN 0 AND 1*512*1024*1024;'" notitle palette

Shannon's Entropy: Plot of first 512 MiB (screenshot; regions 1 to 5 are marked on the plot)

Region 1: MBR followed by blank sectors

$ hexdump -C -n 32768 -s 0 4100_spool.001
00000000  00 00 00 48 50 75 78 31 2e 30 30 00 00 00 00 00  |...HPux1.00.....|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
000001c0  00 00 40 00 00 00 3f 00 00 00 11 4f a4 04 00 00  |..@...?....O....|
000001d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa  |..............U.|
00000200  00 00 00 62 6c 61 6e 6b 00 00 00 00 00 00 00 00  |...blank........|
00000210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
00000400  00 00 00 62 6c 61 6e 6b 00 00 00 00 00 00 00 00  |...blank........|
00000410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
...
00007c00  00 00 00 62 6c 61 6e 6b 00 00 00 00 00 00 00 00  |...blank........|
00007c10  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
00007e00  a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5  |................|
*
00008000

Region 2: Overview

$ hexdump -C -n 32768 -s 32768 4100_spool.001
00008000  00 00 00 02 00 00 00 00 00 04 a4 00 00 12 91 3c  |...............<|
00008010  00 00 00 00 00 00 00 00 00 04 a3 ff 00 12 8c 91  |................|
00008020  00 00 00 00 00 00 00 00 11 11 22 22 00 00 00 1b  |..........""....|
00008030  ca fe fe ca 00 00 80 00 1f ed fa ce 00 00 04 a7  |................|
00008040  00 00 00 10 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5  |................|
00008050  e5 e5 e5 e5 e5 e5 e5 e5 3f ff ff ff ff ff ff ff  |........?.......|
00008060  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  |................|
*
00008180  ff 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00008190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
00008200  a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5  |................|
*
0000fe00  00 00 06 03 00 00 00 00 00 04 a4 00 00 12 91 3c  |...............<|
0000fe10  00 00 00 01 e5 e5 e5 e5 00 04 9d fc 00 12 84 06  |................|
0000fe20  e5 e5 e5 e5 00 00 01 00 11 11 22 22 00 00 00 1b  |..........""....|
0000fe30  ca fe fe ca 00 00 80 00 1f ed fa ce 00 00 04 a7  |................|
0000fe40  00 00 00 10 e5 e5 e5 e5 00 04 a2 03 00 00 00 00  |................|
0000fe50  ff ff e5 e5 e5 e5 e5 e5 03 ff ff ff ff ff ff ff  |................|
0000fe60  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  |................|
*
0000ff80  ff 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
0000ff90  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
00010000

Region 2: File system layout (screenshot)

Region 2: Estimating the cluster size

Screenshot: file listing served by the embedded web server of the hp LaserJet 4100mfp series. Columns: Permissions (drwxrwxrwx for directories, -r-xr-xr-x for files), Owner (7 for every entry), File Size, Directory/File Name. File sizes as listed: 37 171 219 Directory 224 1357 208 932 180 185 185 895 182 899 186 903 898 174 916 896 922 973 973 853 815 857 924 815 815 853 816 853 167 174 360 100 80 118 90 118 287 1070 1069 837 501 1407 135 142 125 129 147 130 133 140 924 408 1676 1785 1699 42 858 Directory.

Directory/File Name: DigitalSending.jar, device.html, hostmanifest, O:\webServer\home\images (DoubleMenuItemSelectedBkgrnd.gif, DoubleMenuItemSelectedBkgrnd.jpg, DoubleMenuItemUnSelectedBkgrnd.gif, Level0-25.gif, Level01.gif, Level02.gif, Level10.gif, Level100.gif, Level20.gif, Level25.gif, Level40-100.gif, Level50.gif, Level75.gif, LevelEmpty.gif, LevelOK.gif, LevelUnknown.gif, MenuBaseBkgrnd.gif, MenuItemSelectedBkgrnd.gif, MenuItemUnSelectedBkgrnd.gif, Selected_tab_left.gif, Selected_tab_middle.gif, Selected_tab_right.gif, Tab_base1.gif, Tab_base2.gif, Tab_extender_right.gif, Unselected_tab_left.gif, Unselected_tab_middle.gif, Unselected_tab_right.gif, binFULL.gif, binOK.gif, button_bottom.gif, button_off_bot.gif, button_off_mid.gif, button_off_top.gif, button_on_bot.gif, button_on_top.gif, closexml.gif, go_button2green.gif, go_button2red.gif, gray_back.gif, grayball.gif, hp_invent_logo.gif, menus_blank.gif, menus_lastnode.gif, menus_minus_lastnode.gif, menus_minus_node.gif, menus_node.gif, menus_plus_lastnode.gif, menus_plus_node.gif, menus_vert_line.gif, question.gif, sendxml.gif, sm_black_bar.gif, sm_red_bar.gif, sm_green_bar.gif, spacer.gif, yellow_back.gif), O:\webServer\home\jsfiles.

Region 2: Estimating the cluster size

Foremost started at Mon Jan 11 22:53:22 2010
Invocation: foremost -i Data/4100_spool.001 -t gif -q -w -o carver/ -v
Output directory: carver
Configuration file: /usr/local/etc
Processing: Data/4100_spool.001
|------------------------------------------------------------------
File: Data/4100_spool.001
Start: Mon Jan 11 22:53:22 2010
Length: Unknown

Num     Name (bs=512)   Size    File Offset     Comment
0:      81791.gif       224 B   41876992        (140 x 40)
1:      81919.gif       208 B   41942528        (140 x 40)
2:      81983.gif       787 B   41975296        (59 x 14)
3:      82047.gif       180 B   42008064        (64 x 14)
4:      82111.gif       185 B   42040832        (64 x 14)
5:      82175.gif       185 B   42073600        (64 x 14)
6:      82239.gif       787 B   42106368        (59 x 14)
7:      82303.gif       182 B   42139136        (64 x 14)
8:      82367.gif       787 B   42171904        (59 x 14)
9:      82431.gif       186 B   42204672        (64 x 14)
10:     82495.gif       787 B   42237440        (59 x 14)
...
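The slide leaves the cluster-size estimate to the reader: the carved GIFs are tiny, yet their start offsets are spaced 32 KiB apart, so every file must begin on a cluster boundary. The block below is an added example (not the author's code) that reads the foremost audit rows shown above, checks that foremost's sector-based file names agree with the byte offsets, and takes the greatest common divisor of the gaps between file starts as the cluster size. The tab-separated audit text is reconstructed from the slide.

```python
import math
from functools import reduce

SECTOR = 512

# Constructed from the foremost audit lines shown on the slide (tab separators restored).
FOREMOST_AUDIT = """\
Num\tName (bs=512)\tSize\tFile Offset\tComment
0:\t81791.gif\t224 B\t41876992\t(140 x 40)
1:\t81919.gif\t208 B\t41942528\t(140 x 40)
2:\t81983.gif\t787 B\t41975296\t(59 x 14)
3:\t82047.gif\t180 B\t42008064\t(64 x 14)
4:\t82111.gif\t185 B\t42040832\t(64 x 14)
5:\t82175.gif\t185 B\t42073600\t(64 x 14)
6:\t82239.gif\t787 B\t42106368\t(59 x 14)
7:\t82303.gif\t182 B\t42139136\t(64 x 14)
8:\t82367.gif\t787 B\t42171904\t(59 x 14)
9:\t82431.gif\t186 B\t42204672\t(64 x 14)
10:\t82495.gif\t787 B\t42237440\t(59 x 14)
"""


def parse_foremost_audit(text: str):
    """Return (name, size in bytes, byte offset) for each carved-file row of the audit."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4 or not parts[0].rstrip(":").isdigit():
            continue  # header or decoration line
        rows.append((parts[1].strip(), int(parts[2].split()[0]), int(parts[3])))
    return rows


def names_match_offsets(rows) -> bool:
    """foremost names a carved file after its start sector (bs=512):
    name * 512 must equal the reported byte offset, otherwise the audit is misread."""
    return all(int(name.split(".")[0]) * SECTOR == off for name, _, off in rows)


def estimate_cluster_size(offsets) -> int:
    """GCD of the gaps between file starts. If every file begins on a cluster
    boundary, every gap is a multiple of the cluster size; with enough files the
    GCD collapses to the cluster size itself."""
    starts = sorted(set(offsets))
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return reduce(math.gcd, gaps, 0)


def grid_residue(offsets, cluster: int):
    """Offsets modulo the cluster size. A single value means all files share one
    cluster grid; the value is where that grid is anchored relative to the image start."""
    return sorted({off % cluster for off in offsets})


if __name__ == "__main__":
    rows = parse_foremost_audit(FOREMOST_AUDIT)
    offs = [off for _, _, off in rows]
    size = estimate_cluster_size(offs)
    residue = grid_residue(offs, size)
    print("names consistent with offsets:", names_match_offsets(rows))
    print(f"cluster size: {size} bytes = {size // SECTOR} sectors")
    print(f"grid residue: {residue} bytes = {[r // SECTOR for r in residue]} sectors")
```

For these eleven files the gaps are one 65,536 and nine 32,768, so the estimate is 32,768 bytes (64 sectors). All offsets leave the same residue, 32,256 bytes = 63 sectors, which is consistent with the partition entry in the MBR dumped under Region 1: its starting LBA field reads 3f 00 00 00, i.e. sector 63, so the cluster grid is anchored at the partition start rather than at the start of the disk. Note that the GCD only ever over-estimates when the sample is small: two files 64 KiB apart would suggest 65,536 until a third file breaks the tie, so carve as many files as the image yields before trusting the number.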

Region 2: Summary

- total / free number of inodes (see also region 4)
- total / free number of blocks
- block size
- pointer to the first unused / re-usable inode
- time stamp (time of file system creation or last fsck?)
- ...

Region 3: Overview (screenshot)

Region 3: Find repeating data structures

- Correlation between two byte-streams:
  - count matching bytes
  - normalize: divide by length of stream
  - 1.0 = perfect match
- Autocorrelate: correlate a byte-stream with itself, at different "lags"
  - must be 1.0 at lag 0
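The correlation measure described in the list above, as an added example that is not part of the slides: the stream is compared with a shifted copy of itself, matching bytes are counted and normalised, and the lags at which the correlation peaks reveal the record size. Because there is no inode table on the page, the input is a constructed stand-in in which every 128-byte record starts with the same 16-byte header (the way flag, owner and padding fields repeat in real inodes) followed by per-record pseudo-random content; the 128-byte record size is chosen to match the inode size the Region 3 summary reports.

```python
import hashlib


def correlate(a: bytes, b: bytes) -> float:
    """Count matching bytes and divide by the compared length; 1.0 = perfect match."""
    n = min(len(a), len(b))
    if n == 0:
        return 0.0
    return sum(1 for x, y in zip(a, b) if x == y) / n


def autocorrelate(data: bytes, max_lag: int) -> list:
    """Correlate the stream with itself shifted by lag = 0 .. max_lag.

    Normalising by the overlap rather than the full stream length keeps long lags
    comparable with short ones. Index 0 is always 1.0, as the slide requires.
    """
    return [correlate(data, data[lag:]) for lag in range(max_lag + 1)]


def periodic_lags(ac: list, fraction: float = 0.5) -> list:
    """Non-zero lags whose correlation reaches `fraction` of the best non-zero peak.

    The first such lag is the record size; the later ones are its multiples.
    """
    peak = max(ac[1:])
    return [lag for lag, v in enumerate(ac) if lag > 0 and v >= fraction * peak]


def sample_inode_table(records: int = 64, size: int = 128) -> bytes:
    """Constructed stand-in for an inode table (not data from the slides).

    Each record carries the same 16-byte header followed by pseudo-random bytes
    derived from the record index, so only the header lines up at lag = size.
    """
    header = bytes(range(0x80, 0x90))  # 16 distinct values: no self-matches at small lags
    out = bytearray()
    for i in range(records):
        body = b"".join(
            hashlib.sha256(i.to_bytes(4, "big") + k.to_bytes(1, "big")).digest()
            for k in range(4)
        )
        out += header + body[: size - len(header)]
    return bytes(out)


if __name__ == "__main__":
    ac = autocorrelate(sample_inode_table(), 300)
    print("lag 0:", ac[0])
    print("peaks at lags:", periodic_lags(ac))
    for lag in (1, 64, 127, 128, 129, 256):
        print(f"lag {lag:3d}: {ac[lag]:.3f}")
```

On the constructed table the correlation is about 0.004 (the 1/256 chance level) at every lag except 128 and 256, where the repeating header lifts it to roughly 0.125, so the first peak gives the record size directly. On a real region the plot is noisier and the header fraction of an inode is larger, but the reading is the same: the smallest lag with a clear peak is the structure size, and the spacing between successive peaks confirms it.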

Region 3: Autocorrelation plot (screenshot)

Region 3: Summary

- size of inode is 128 bytes (0x80)
- compare with ext2 file system: http://www.nongnu.org/ext2-doc/ext2.htm
- see Brian Carrier: "File System Forensic Analysis"
- inode contains:
  - file size
  - list of allocated clusters
  - time stamps (MAC)
  - flags
  - owner ID and access mask

Region 5: Overview (screenshot)

Region 5: File name information

$ hexdump -C -n 512 -s 39026176 4100_spool.001
02537e00  00 00 00 01 00 0c 00 01 2e 00 00 00 00 00 00 01  |................|
02537e10  00 0c 00 02 2e 2e 00 00 00 00 00 02 00 14 00 09  |................|
02537e20  50 65 72 6d 53 74 6f 72 65 00 00 00 00 00 00 2c  |PermStore......,|
02537e30  00 14 00 0a 50 6f 73 74 53 63 72 69 70 74 00 00  |....PostScript..|
02537e40  00 00 00 2d 00 0c 00 03 50 4a 4c 00 00 00 00 2e  |...-....PJL.....|
02537e50  00 14 00 0a 73 61 76 65 44 65 76 69 63 65 00 e5  |....saveDevice..|
02537e60  00 00 00 87 00 14 00 08 73 6f 6c 75 74 69 6f 6e  |........solution|
02537e70  00 00 e5 e5 00 00 00 33 00 14 00 09 77 65 62 53  |.......3....webS|
02537e80  65 72 76 65 72 00 00 00 00 00 00 8d 00 10 00 06  |erver...........|
02537e90  63 70 62 4c 6f 67 00 e5 00 00 05 ae 01 68 00 03  |cpbLog.......h..|
02537ea0  43 56 53 00 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5  |CVS.............|
02537eb0  e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5 e5  |................|

Region 5: Regular file

$ hexdump -C -n 512 -s 41876992 4100_spool.001
027efe00  47 49 46 38 39 61 8c 00 28 00 a2 ff 00 ff ff ff  |GIF89a..(.......|
027efe10  63 63 63 7b 7b 7b 84 84 84 b5 b5 b5 00 00 00 00  |ccc{{{..........|
027efe20  00 00 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00  |.....!.......,..|
027efe30  00 00 8c 00 28 00 40 03 a5 08 ba dc fe 30 ca 49  |....(.@......0.I|
027efe40  ab bd 78 8e cc bb ff 20 28 84 64 69 9e d6 86 ae  |..x.... (.di....|
027efe50  6c eb a9 6e 2c cf 0b 4c df 78 69 e7 7c 7f ed be  |l..n,..L.xi.|...|
027efe60  a0 b0 31 1a 1a 8f c5 a3 d2 97 5c 3a 6f c0 a7 94  |..1.......\:o...|
027efe70  d5 9c 5a 51 d1 ab f6 93 dd 7a 31 d5 af f8 37 2e  |..ZQ.....z1...7.|
027efe80  63 ba e6 f4 22 ac 6e 2b 04 84 b8 7c 4e af db ef  |c...".n+...|N...|
027efe90  f8 bc 7e cf ef fb f7 0f 03 01 83 84 85 86 87 88  |..~.............|
027efea0  89 8a 8b 8c 8d 8e 8f 90 8d 81 6e 94 0c 6c 95 66  |..........n..l.f|
027efeb0  97 98 63 68 9b 5e 9d 9e 5a 9a a1 5b a0 a4 53 a6  |..ch.^..Z..[..S.|
027efec0  a7 4f a3 aa a8 ad 65 a9 af 48 b2 62 b1 b4 42 b6  |.O....e..H.b..B.|
027efed0  b7 4c ba a5 bc 5a b9 be 38 c0 c1 c4 bc 09 00 3b  |.L...Z..8......;|
027efee0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
027f0000

Region 5: Summary

- distinguish between file name information (directories) and regular files
- compare flags in inodes of both classes (then go back to region 3)
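The two dumps under Region 5 are enough to try the distinction the summary asks for. The block below is an added example, not the author's parser: it walks the directory block dumped at offset 39026176 and reads the GIF header dumped at offset 41876992, both copied from the slides. The directory-entry layout it assumes (big-endian inode number, 16-bit record length, 16-bit name length, then the name padded to a 4-byte boundary, the ext2 pattern the slides point to) is my reading of the dump, not a documented format; the GIF header layout is the public GIF89a specification.

```python
import struct

# Bytes copied from the slide's hexdump of the directory block at offset 39026176
# (first 0xb0 bytes; the rest of the sector is e5 filler). Field layout assumed
# from the dump: inode (4, big-endian), rec_len (2), name_len (2), name + padding.
DIR_BLOCK = bytes.fromhex(
    "00000001000c00012e00000000000001"
    "000c00022e2e00000000000200140009"
    "5065726d53746f72650000000000002c"
    "0014000a506f73745363726970740000"
    "0000002d000c0003504a4c000000002e"
    "0014000a7361766544657669636500e5"
    "0000008700140008736f6c7574696f6e"
    "0000e5e5000000330014000977656253"
    "65727665720000000000008d00100006"
    "6370624c6f6700e5000005ae01680003"
    "43565300" + "e5" * 12
)

# First 16 bytes of the regular file dumped at offset 41876992 (GIF89a header).
GIF_HEAD = bytes.fromhex("4749463839618c002800a2ff00ffffff")


def parse_directory(block: bytes):
    """Walk the entries of one directory block; returns [(inode, rec_len, name), ...].

    Stops at an unused slot (inode 0) or a record length too small to hold the
    name, so a regular-file block does not get misread as a directory.
    """
    entries, off = [], 0
    while off + 8 <= len(block):
        inode, rec_len, name_len = struct.unpack_from(">IHH", block, off)
        if inode == 0 or rec_len < 8 + name_len:
            break
        name = block[off + 8:off + 8 + name_len].decode("ascii", errors="replace")
        entries.append((inode, rec_len, name))
        off += rec_len  # the last entry's rec_len (0x168 here) runs to the block end
    return entries


def gif_dimensions(data: bytes):
    """Logical screen size from a GIF87a/GIF89a header: two little-endian 16-bit values."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack_from("<HH", data, 6)


def classify(block: bytes) -> str:
    """Directory block (opens with the '.' and '..' entries) vs. regular file content."""
    entries = parse_directory(block)
    if len(entries) >= 2 and entries[0][2] == "." and entries[1][2] == "..":
        return "directory"
    if gif_dimensions(block):
        return "gif"
    return "unknown"


if __name__ == "__main__":
    for inode, rec_len, name in parse_directory(DIR_BLOCK):
        print(f"inode {inode:5d}  rec_len {rec_len:4d}  {name}")
    print(classify(DIR_BLOCK), classify(GIF_HEAD), gif_dimensions(GIF_HEAD))
```

The walk yields the entries ".", "..", PermStore, PostScript, PJL, saveDevice, solution, webServer, cpbLog and CVS with their inode numbers (webServer is inode 51), which lines up with the O:\webServer paths in the printer's web listing, and the GIF header decodes to 140 x 40, the size foremost reported for the first carved file. Those inode numbers are the link back to Region 3: looking them up there gives the inodes of known directories, whose flags can then be compared with those of inodes that point at regular files.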

Prototyping a Parser: Tools

- Construct, Python module, http://construct.wikispaces.com/
- Hachoir, Python module, http://bitbucket.org/haypo/hachoir/
- 010 Editor by Sweetscape Software, available for Microsoft Windows and Apple OS X, http://www.sweetscape.com/010editor/

// 010 Editor template for the 128-byte inode found in region 3.
// BLOCKADR (the cluster address type) and ReadInode() are defined elsewhere
// in the template and are not shown on the slide.
typedef struct {
    uint32 is_file  : 1;
    uint32 is_dir   : 1;
    uint32 unknown1 : 1;
    uint32 unknown2 : 4  <format=binary>;
    uint32 access   : 9  <format=binary>;   // owner/group/other access mask
    uint32 unknown3 : 16 <format=binary>;
    uint32 unknown4;
    int16  owner;
    uint16 padding;
    uint32 filesize;
    time_t atime;                            // MAC time stamps
    time_t ctime;
    time_t mtime;
    uint32 blocks;
    BLOCKADR direct[10] <format=hex>;        // list of allocated clusters
    BLOCKADR indirect   <format=hex>;
    BLOCKADR indir2     <format=hex>;
    BLOCKADR indir3     <format=hex>;
    byte unknown6[57];
} INODE <optimize=false, read=ReadInode>;

Prototyping a Parser: 010 Editor (screenshots)

Questions?