TSK and ext3 directory entry

3 Posts
2 Users
0 Reactions
567 Views
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

I found two deleted and realloc directories called .linuxhelp/ and rk/. TSK can traverse into .linuxhelp/ but not rk/, so I have some orphans in the timeline that are probably files in rk/. I have the rk.tar.gz that contained files in rk/, so I grepped through the strings of the disk image for one of the files in rk.tar.gz and found a directory entry that shows all the files that were in rk/ and their inodes. The problem is that when I recover an inode from the directory entry for a file in rk/, the inode turns out to be an inode for a file that was in .linuxhelp/.

Does anyone know what is going on? I have a bunch of orphans in my timeline and I was hoping to be able to map those orphans directly to the file names using the directory entry.

Update: rk.tar.gz contained other archives with other directories, and I found the directory entries for those deleted directories, and the inodes in THOSE directory entries match the inodes of the orphans. So that helps some, but I'm still wondering why the inodes in the rk/ directory entry are matching the inodes of .linuxhelp/.


   
(@bgrundy)
Trusted Member
Joined: 19 years ago
Posts: 70
 

In all honesty, I'm a bit confused as to what you are seeing. It might help to post some output.

The problem is that when I recover an inode from the directory entry for a file in rk/, the inode turns out to be an inode for a file that was in .linuxhelp/.

Is there a chance that what you are seeing is that .linuxhelp/ was created and the files from rk/ moved into that directory and then deleted? I'm unsure what exactly you are trying to describe.

If you have not already, you might want to grab a copy of "File System Forensic Analysis" by Brian Carrier. It would help you immensely, I think.


   
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

Thanks for the response, bgrundy. Here is the directory entry for rk/ I found with strings and then redirected that block to a file.

>blkcat.exe -f ext3 -i raw root.dd 623247
ȱ . g< .. y² .shf¬² $ sshbin.tgz {² lib.tgz |² setup }² install ~² cl.sh €² firewall² .id „² sheet ‡² secureftp ˆ² ftpaccess ‰² s3nd10gzв vadimII ‹² socklistŒ² bin ² conf¦² ìlib

Here's the hex of that.

2E 69 64 00 84 B2 04 00 10 00 05 01 73 68 65 65 74 00 00 00 87 B2 04 00 14 00 09 01 73 65 63 75 72 65 66 74 70 00 00 00 88 B2 04 00 14 00 09 01 66 74 70 61 63 63 65 73 73 00 00 00 89 B2 04 00 10 00 08 01 73 33 6E 64 31 30 67 7A 8A B2 04 00 10 00 07 01 76 61 64 69 6D 49 49 00 8B B2 04 00 10 00 08 01 73 6F 63 6B 6C 69 73 74 8C B2 04 00 0C 00 03 02 62 69 6E 00 A0 B2 04 00 0C 00 04 02 63 6F 6E 66 A6 B2 04 00 EC 0E 03 02 6C 69 62
I parsed the hex and the inode for "setup" is actually the inode for .linuxhelp/webmin.pl. Also, the inodes for all the files in /root/.linuxhelp/ as well as /usr/X11R6/rk/ appear to be consecutive.

From the rk/ directory entry

Inode 307836
Entry Length 16
Name Length 5
Name setup

Part of the body file

0|/root/.linuxhelp/webmin.pl (deleted)|307836|r/rrwxr-xr-x|0|0|0|1204263805|1204264016|1204264016|0
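The hex dump in the post decodes mechanically once the ext3 on-disk directory entry layout is applied (32-bit inode, 16-bit record length, 8-bit name length, 8-bit file type, then the name padded to a multiple of four bytes). The Python below is an added example, not code from the thread or from TSK. It parses the posted block fragment (skipping its first four bytes, which are the padded tail of the preceding ".id" entry's name), rebuilds the "setup" entry from the inode, entry length and name length the poster read out (the file-type byte is assumed to be 1, a regular file), and cross-checks every inode number against the quoted body-file line. The directory path /usr/X11R6/rk comes from the poster's message; the function names and status labels are mine.

```python
import struct
from collections import defaultdict

# struct ext2_dir_entry_2 (ext2/ext3 on-disk directory entry):
#   u32 inode | u16 rec_len | u8 name_len | u8 file_type | name[name_len] | pad
# rec_len is rounded up to a multiple of 4; the last entry in a block has a
# rec_len that reaches the end of the block.
DIRENT_HDR = struct.Struct("<IHBB")
FILE_TYPES = {0: "unknown", 1: "regular", 2: "directory", 3: "chardev",
              4: "blockdev", 5: "fifo", 6: "socket", 7: "symlink"}


def parse_dir_entries(data, offset=0):
    """Walk directory entries in `data` starting at `offset`.

    Returns (inode, rec_len, file_type, name) tuples. A rec_len that runs past
    the end of `data` is normal for the last entry of a block; the entry is
    still returned as long as its name bytes are present in the dump.
    """
    entries = []
    while offset + DIRENT_HDR.size <= len(data):
        inode, rec_len, name_len, ftype = DIRENT_HDR.unpack_from(data, offset)
        if rec_len < DIRENT_HDR.size + name_len or rec_len % 4:
            raise ValueError(f"implausible rec_len {rec_len} at offset {offset}")
        name_start = offset + DIRENT_HDR.size
        if name_start + name_len > len(data):
            break  # the dump ends in the middle of this entry's name
        name = data[name_start:name_start + name_len].decode("latin-1")
        entries.append((inode, rec_len, FILE_TYPES.get(ftype, "?"), name))
        offset += rec_len
    return entries


def body_file_index(lines):
    """Map inode -> paths from TSK body-file (mactime) lines:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
    index = defaultdict(list)
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) >= 3 and fields[2].isdigit():
            index[int(fields[2])].append(fields[1])
    return index


def cross_reference(entries, index, dir_path):
    """Compare each directory entry with what the body file records for the
    same inode number. A name mismatch means the inode now describes another
    name: the file was renamed/moved, or the inode was freed and reallocated
    to a new file. Either way TSK's metadata for that inode belongs to the
    later name, not to the name in this (deleted) directory entry."""
    findings = []
    for inode, _, ftype, name in entries:
        if name in (".", ".."):
            continue
        paths = index.get(inode, [])
        basenames = {p.split(" (")[0].rstrip("/").rsplit("/", 1)[-1] for p in paths}
        if not paths:
            status = "no-body-entry"   # inode absent from the body file
        elif name in basenames:
            status = "consistent"
        else:
            status = "inode-reused"
        findings.append((f"{dir_path}/{name}", inode, ftype, status, paths))
    return findings


# Block dump posted in the thread (blkcat of block 623247). It begins with
# ".id\0", the padded tail of the preceding entry's name, so the first
# complete header sits at offset 4.
RK_FRAGMENT = bytes.fromhex(
    "2E 69 64 00 84 B2 04 00 10 00 05 01 73 68 65 65 74 00 00 00 "
    "87 B2 04 00 14 00 09 01 73 65 63 75 72 65 66 74 70 00 00 00 "
    "88 B2 04 00 14 00 09 01 66 74 70 61 63 63 65 73 73 00 00 00 "
    "89 B2 04 00 10 00 08 01 73 33 6E 64 31 30 67 7A "
    "8A B2 04 00 10 00 07 01 76 61 64 69 6D 49 49 00 "
    "8B B2 04 00 10 00 08 01 73 6F 63 6B 6C 69 73 74 "
    "8C B2 04 00 0C 00 03 02 62 69 6E 00 "
    "A0 B2 04 00 0C 00 04 02 63 6F 6E 66 "
    "A6 B2 04 00 EC 0E 03 02 6C 69 62")

# Constructed from the values the poster read for "setup" (inode 307836,
# entry length 16, name length 5); file_type 1 (regular) is an assumption.
SETUP_ENTRY = DIRENT_HDR.pack(307836, 16, 5, 1) + b"setup\x00\x00\x00"

# The one body-file line quoted in the thread.
BODY_LINES = [
    "0|/root/.linuxhelp/webmin.pl (deleted)|307836|r/rrwxr-xr-x|0|0|0"
    "|1204263805|1204264016|1204264016|0",
]


def analyse(dir_path="/usr/X11R6/rk"):
    index = body_file_index(BODY_LINES)
    entries = parse_dir_entries(SETUP_ENTRY) + parse_dir_entries(RK_FRAGMENT, 4)
    return cross_reference(entries, index, dir_path)


if __name__ == "__main__":
    for path, inode, ftype, status, paths in analyse():
        print(f"{inode:>7} {ftype:9} {status:14} {path}  body: {paths or '-'}")
```

Run against a full body file rather than the single quoted line, the "consistent" / "inode-reused" / "no-body-entry" split gives the same picture the poster built by hand: entries whose inode still carries the dirent's own name can be mapped directly, while mismatches (here "setup" resolving to /root/.linuxhelp/webmin.pl) mark inode numbers that were handed to another file and whose timestamps must not be attributed to the rk/ name.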


   