EXT/HFS equivalent of MFT for quick analysis and exporting  

pakim
(@pakim)
Junior Member

Is there anything equivalent to the MFT for the EXT or HFS filesystem? I mean, anything I can extract from the disk/image and parse in a separate system. Think of it as a way to perform incident response on a system where you have no time/possibility to install or launch fls and mactime.

With NTFS there are times when you have limited time and all you can do is take the MFT and USNJRNL, then parse them remotely (with log2timeline/PLASO or other tools). I was wondering if there's anything similar for EXT or HFS. Something I can extract and parse on another system. The alternative is to use fls locally and create a bodyfile, then parse it with mactime, or use the find command with appropriate parameters to get all possible timestamps recursively, but this is not always the best choice.

Posted : 10/02/2015 1:46 pm
mscotgrove
(@mscotgrove)
Senior Member

HFS+ has a Catalog file. Very similar to $MFT except deleted file entries are deleted, not marked as deleted. Records are variable length, so parsing is a bit more complex.

Ext has directory files - similar in some respects to FAT32, i.e. separate files for each directory.

Posted : 10/02/2015 2:55 pm
pakim
(@pakim)
Junior Member

Michael, is there any product/method which can be used to extract (and eventually parse) such data?

Thanks
Paolo

Posted : 10/02/2015 3:22 pm
slippery
(@slippery)
New Member

"Is there anything equivalent to the MFT for the EXT or HFS filesystem? I mean, anything I can extract from the disk/image and parse in a separate system. Think of it as a way to perform incident response on a system where you have no time/possibility to install or launch fls and mactime."

In the EXT (2,3,4) File systems there is a structure very similar to an MFT. It is called the "Inode Table". Each file object in an EXT fs has an "Inode". Each "Inode" contains almost all of the metadata for a file. If you were to gather all of them together you would have the equivalent of an MFT.

If you want a quick look at most of the contents of an inode, stat a file in Linux.

$> ls -li <-- this will list the files in a subdirectory with the associated "inode"

$> stat <filename> <-- this will list the statistics for a file, mostly from the "inode"

If you want to see more of the inode information:

First determine which partition is a Linux partition.

$> fdisk -l <-- this will list the current partitions on the drive installed in the computer.

$> debugfs <-- this will open the ext filesystem debugger (great tool BTW)

Once you start debugfs, the prompt will change.

debugfs: ls <-- this will list the files in the current directory
Change directories with cd up or down as needed.

debugfs: stat (filename) <-- this will show the inode information based on filename, or
debugfs: stat <inode> <-- this will show the information from the inode; the "<>"s are needed to get this version of the command to work.

I think there is a command to dump the "Inode table". But I have to say "I think", without doing more research, because I can't remember the command. Obviously, a script to loop through all of the "inodes" could be written.

Slippery

Posted : 02/03/2015 9:00 pm
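As an added example (not from any poster in this thread), here is the "parse it on another system" half of the workflow slippery describes: a small Python parser that reads a raw ext2/3/4 inode table dump, carved with dd from the block range that `dumpe2fs` prints as "Inode table at X-Y" for each block group, and emits TSK bodyfile lines that `mactime -b` accepts. Only the fixed 36-byte inode prefix is decoded (mode, uid/gid, size, a/c/m/dtime, link count); the sample table at the bottom is constructed in memory, not taken from a real disk.

```python
import struct
from typing import Iterator

# Fixed little-endian prefix of an ext2/3/4 on-disk inode:
# i_mode, i_uid, i_size(lo), i_atime, i_ctime, i_mtime, i_dtime,
# i_gid, i_links_count, i_blocks, i_flags  (36 bytes in total).
_INODE_PREFIX = struct.Struct("<HHIIIIIHHII")
_INODE_FIELDS = ("mode", "uid", "size_lo", "atime", "ctime", "mtime",
                 "dtime", "gid", "links", "blocks", "flags")


def parse_inode_table(blob: bytes, inode_size: int, first_inode: int = 1) -> Iterator[dict]:
    """Yield one dict per allocated-or-deleted inode slot in a raw table dump.

    inode_size is the "Inode size:" value from dumpe2fs (128 or 256);
    first_inode is the inode number of the first slot (1 for block group 0,
    1 + N*inodes_per_group for group N)."""
    if inode_size < _INODE_PREFIX.size:
        raise ValueError("inode_size smaller than the fixed inode prefix")
    for idx in range(len(blob) // inode_size):
        off = idx * inode_size
        rec = dict(zip(_INODE_FIELDS, _INODE_PREFIX.unpack_from(blob, off)))
        if rec["mode"] == 0 and rec["links"] == 0 and rec["mtime"] == 0:
            continue  # never-used slot: nothing to timeline
        rec["inode"] = first_inode + idx
        # ext marks a deleted inode by dropping links to 0 and setting dtime;
        # the record itself survives until the slot is reused.
        rec["deleted"] = rec["links"] == 0 or rec["dtime"] != 0
        yield rec


def to_bodyfile(entries) -> list[str]:
    """Render entries as TSK 3.x bodyfile lines:
    MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
    The inode table carries no names, so a placeholder name is used."""
    lines = []
    for e in entries:
        name = f"<inode {e['inode']}>" + (" (deleted)" if e["deleted"] else "")
        lines.append("0|{}|{}|{:o}|{}|{}|{}|{}|{}|{}|0".format(
            name, e["inode"], e["mode"], e["uid"], e["gid"], e["size_lo"],
            e["atime"], e["mtime"], e["ctime"]))
    return lines


def _constructed_sample() -> bytes:
    """Two 256-byte inodes built in memory for the demo: one live regular
    file and one deleted file (links=0, dtime set). Constructed data."""
    live = _INODE_PREFIX.pack(0o100644, 1000, 4096, 1423000000, 1423000100,
                              1423000050, 0, 1000, 1, 8, 0)
    gone = _INODE_PREFIX.pack(0o100644, 0, 0, 1423000000, 1423000200,
                              1423000050, 1423000200, 0, 0, 0, 0)
    return live.ljust(256, b"\0") + gone.ljust(256, b"\0")


if __name__ == "__main__":
    for line in to_bodyfile(parse_inode_table(_constructed_sample(), 256, first_inode=11)):
        print(line)
```

Feed the output to `mactime -b bodyfile -d` on the analysis box; names can be joined in later from an `fls` run or from the directory files mscotgrove mentions.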
pakim
(@pakim)
Junior Member

Thanks, that's a good starting point, but I was thinking about something more quick and IR-oriented - just like copying the MFT out of a disk and then parsing it remotely to check what happened.

Thanks,
Paolo

Posted : 03/03/2015 12:26 am