
Running head: EXT FILE SYSTEM 1

Assignment 11: Examine the EXT File System

Livia Nguyen

CFR105

Professor: Frank Griffits

July 28, 2017



Tools: AccessData FTK Imager 3.4.3 x64, Programming Calculator.

The first thing I do after downloading and extracting the dd image is to mount the image as a physical and logical drive using FTK Imager. Click on Add Evidence Item, select Physical Drive, and find the correct physical image to add to the evidence tree for further examination.



Number of partitions

Open the drive and analyze it to determine the number of partitions on this disk. There are three partitions of the same size on this drive and an unpartitioned space.

File System types

All three partitions are extended file systems (ext), which were developed for use by the Linux kernel.
Partition 1: Ext2 (Second Extended file system)
Partition 2: Ext3 (Third Extended file system)
Partition 3: Ext4 (Fourth Extended file system)

Superblock for each partition

Click on the partition in the Evidence Tree tab for further analysis of the superblock. FTK Imager was able to locate the superblock and lists it separately, so the user can just click on it and does not have to find it.

The superblock can also be located at file offset 1024, where it begins with the bytes C0 3E 01 00 (the inode count, the first field of the superblock); this is how I determined where the superblock starts.

To calculate the superblock information for each partition, the bytes must be converted to decimal to get the actual value. Since the data is little endian, the bytes must be read from right to left when converting.

Use the programming calculator to convert the hex value of each field from the metadata to its decimal value.

I used the ExtX superblock data structure to find all the information for each partition; the data structure was taken from the File System Forensic Analysis textbook written by the expert Brian Carrier.

The creator OS value of each partition is 00 00 00 00, which indicates a Linux system.

Byte Range    Description
0-3           Number of inodes
24-27         Block size
72-75         Creator OS
84-87         First non-reserved inode
104-119       File system ID
120-135       Volume name

Partition 1

Number of inodes: C0 3E 01 00 -> 00 01 3E C0 = 81,600 inodes
Block size: 00 00 00 00 = 0
Creator OS: 00 00 00 00 = Linux
First non-reserved inode: 0B 00 00 00 = 11
File system ID: F8 33 CF 75 92 C9 4B 43 A3 6A D3 FB A4 4D 71 8A
Volume name: 65 78 74 32 00 00 00 00 00 00 00 00 00 00 00 00 = ext2
Partition 2

Number of inodes: C0 3E 01 00 = 81,600 inodes
Block size: 00 00 00 00 = 0
Creator OS: 00 00 00 00 = Linux
First non-reserved inode: 0B 00 00 00 = 11
File system ID: 82 7F F2 18 B9 54 41 DF 89 AA 4E C8 5A 1D 9B C9
Volume name: 65 78 74 33 00 00 00 00 00 00 00 00 00 00 00 00 = ext3

Partition 3

Number of inodes: C0 3E 01 00 = 81,600 inodes
Block size: 00 00 00 00 = 0
Creator OS: 00 00 00 00 = Linux
First non-reserved inode: 0B 00 00 00 = 11
File system ID: 69 E5 B8 F3 0F 60 4 0E A0 F3 B3 AB C6 F2 70 20
Volume name: 65 78 74 34 00 00 00 00 00 00 00 00 00 00 00 00 = ext4

Group Descriptor Tables for each partition

Partition 1

The data structure for the group descriptor table entries was found in the File System Forensic Analysis textbook written by the expert Brian Carrier.

Byte Range    Description
0-3           Block bitmap starting address
4-7           Inode bitmap starting address
8-11          Inode table starting address

The programming calculator is used to convert the hex values to decimal values. All hex values are entered from right to left in the programming calculator because the data is little endian.

Block bitmap starting address: 04 01 00 00 = 260
Inode bitmap starting address: 05 01 00 00 = 261
Inode table starting address: 06 01 00 00 = 262

Partition 2

Block bitmap starting address: 04 01 00 00 = 260
Inode bitmap starting address: 05 01 00 00 = 261
Inode table starting address: 06 01 00 00 = 262

Partition 3

Block bitmap starting address: 04 01 00 00 = 260
Inode bitmap starting address: 14 01 00 00 = 276
Inode table starting address: 24 01 00 00 = 292
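As an added example (my own code, not part of the report), the superblock and group descriptor fields tabulated above decoded in Python instead of with the programming calculator. It also performs a check the report does not: it verifies the ext magic number 0xEF53 at superblock bytes 56-57, and it expands the block size field, which the report lists as the raw value 0, into the 1024 << value that ext actually stores. The sample bytes are constructed from the partition 1 values; all function and sample names are mine.

```python
import struct
import uuid

SB_OFFSET = 1024     # the superblock sits 1024 bytes into the partition
EXT_MAGIC = 0xEF53   # s_magic, superblock bytes 56-57 (not in the report's table)

def le32(buf, off):
    """Read a little-endian 32-bit value: the bytes are taken right to left."""
    return int.from_bytes(buf[off:off + 4], "little")

def parse_superblock(partition):
    """Decode the superblock fields used in the report (byte ranges per Carrier)."""
    sb = partition[SB_OFFSET:SB_OFFSET + 1024]
    if int.from_bytes(sb[56:58], "little") != EXT_MAGIC:
        raise ValueError("no ext superblock magic at offset 1024")
    log_block = le32(sb, 24)   # bytes 24-27 hold log2(block size / 1024), not bytes
    return {
        "inode_count": le32(sb, 0),
        "log_block_size": log_block,
        "block_size": 1024 << log_block,   # the report's 0 means 1024-byte blocks
        "creator_os": le32(sb, 72),        # 0 = Linux
        "first_inode": le32(sb, 84),
        "fs_id": str(uuid.UUID(bytes=bytes(sb[104:120]))),
        "volume_name": sb[120:136].split(b"\x00", 1)[0].decode("ascii"),
    }

def parse_group_descriptor(gd):
    """First three fields of a 32-byte group descriptor table entry."""
    return {
        "block_bitmap": le32(gd, 0),
        "inode_bitmap": le32(gd, 4),
        "inode_table": le32(gd, 8),
    }

# Constructed sample: 2 KiB of a partition carrying the partition 1 values from the report.
SAMPLE = bytearray(2048)                                  # zeroed: block size 0, OS 0
struct.pack_into("<I", SAMPLE, SB_OFFSET + 0, 81600)      # C0 3E 01 00
struct.pack_into("<H", SAMPLE, SB_OFFSET + 56, EXT_MAGIC) # 53 EF
struct.pack_into("<I", SAMPLE, SB_OFFSET + 84, 11)        # 0B 00 00 00
SAMPLE[SB_OFFSET + 104:SB_OFFSET + 120] = bytes.fromhex("F833CF7592C94B43A36AD3FBA44D718A")
SAMPLE[SB_OFFSET + 120:SB_OFFSET + 124] = b"ext2"
SAMPLE_GD = bytes.fromhex("040100000501000006010000") + bytes(20)   # 260, 261, 262

if __name__ == "__main__":
    print(parse_superblock(SAMPLE))
    print(parse_group_descriptor(SAMPLE_GD))
```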

Directory Entries for each partition

The data structure for the second version of the directory entry was found in the File System Forensic Analysis textbook written by the expert Brian Carrier.

Byte Range    Description
0-3           Inode value
4-5           Length of entry
6-6           Name length
7-7           File type
8+            Name in ASCII

Click on the root directory of each partition and use the data structure for the second version of the directory entry to collect the information.

The length of the last entry is larger than that of any other entry, and the rest of the block is all 0, indicating that there are no more entries in the root directory.

To calculate the inode value of each entry, locate and convert bytes 0-3 of the entry. The length of the entry is the decimal value of bytes 4-5 in little endian. The name length is byte 6 in decimal. Byte 7 of the entry is the file type (01 = regular file, 02 = directory). The name in ASCII varies in length, but it starts at byte 8, and the name length tells where the name ends.
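An added example (my own code, not from the report) that walks a root directory block by following each entry's length field, as the text above describes, until the last entry reaches the end of the 1024-byte block. The block is constructed from the partition 1 values tabulated below; the example also reports the slack past each padded name, which is worth checking on any entry other than the last one, because when an entry is deleted its space is absorbed into the previous entry's length and its name bytes often remain.

```python
import struct

FILE_TYPES = {1: "regular file", 2: "directory"}   # the two type codes seen in the report

def make_entry(inode, rec_len, file_type, name):
    """Build one version-2 directory entry padded to rec_len (constructed sample data)."""
    name = name.encode("ascii")
    head = struct.pack("<IHBB", inode, rec_len, len(name), file_type)  # bytes 0-3, 4-5, 6, 7
    return (head + name).ljust(rec_len, b"\x00")

def walk_directory(block):
    """Follow rec_len from entry to entry until the last entry reaches the end of the block."""
    off, entries = 0, []
    while off + 8 <= len(block):
        inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
        if rec_len < 8 or rec_len % 4 or off + rec_len > len(block):
            raise ValueError(f"corrupt rec_len {rec_len} at offset {off}")
        min_len = (8 + name_len + 3) & ~3          # entries are padded to 4 bytes
        entries.append({
            "offset": off,
            "inode": inode,
            "rec_len": rec_len,
            "name_len": name_len,
            "file_type": FILE_TYPES.get(ftype, f"unknown({ftype})"),
            "name": block[off + 8:off + 8 + name_len].decode("ascii", "replace"),
            # bytes beyond the padded name: the last entry always has some, any
            # other entry with slack may still hold the remains of a deleted entry
            "slack": rec_len - min_len,
        })
        off += rec_len
    return entries

# Constructed sample: the partition 1 root directory block as tabulated in the report.
ROOT_DIR = b"".join([
    make_entry(2, 12, 2, "."),
    make_entry(2, 12, 2, ".."),
    make_entry(11, 20, 2, "lost+found"),
    make_entry(12, 44, 1, "Algol.txt"),
    make_entry(14, 20, 1, "Canopus.txt"),
    make_entry(15, 40, 1, "Denebola.TXT"),
    make_entry(17, 24, 1, "FumAlSamakah.txt"),
    make_entry(18, 852, 1, "Giauzar.txt"),   # 12+12+20+44+20+40+24+852 = 1024
])

if __name__ == "__main__":
    for e in walk_directory(ROOT_DIR):
        print(e)
```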

Partition 1

Entry #1: inode value 02 00 00 00 = 2; length of entry 0C 00 = 12; name length 01 = 1; file type 02 = directory; name in ASCII 2E = .

Entry #2: inode value 02 00 00 00 = 2; length of entry 0C 00 = 12; name length 02 = 2; file type 02 = directory; name in ASCII 2E 2E = ..

Entry #3: inode value 0B 00 00 00 = 11; length of entry 14 00 = 20; name length 0A = 10; file type 02 = directory; name in ASCII 6C 6F 73 74 2B 66 6F 75 6E 64 = lost+found

Entry #4: inode value 0C 00 00 00 = 12; length of entry 2C 00 = 44; name length 09 = 9; file type 01 = regular file; name in ASCII 41 6C 67 6F 6C 2E 74 78 74 = Algol.txt

Entry #6: inode value E0 00 00 00 = 14; length of entry 14 00 = 20; name length 0B = 11; file type 01 = regular file; name in ASCII 43 61 6E 6F 70 75 73 2E 74 78 74 = Canopus.txt

Entry #7: inode value 0F 00 00 00 = 15; length of entry 28 00 = 40; name length 0C = 12; file type 01 = regular file; name in ASCII 44 65 6E 65 62 6F 6C 61 2E 54 58 54 = Denebola.TXT

Entry #8: inode value 11 00 00 00 = 17; length of entry 18 00 = 24; name length 10 = 16; file type 01 = regular file; name in ASCII 46 75 6D 41 6C 53 61 6D 61 6B 61 68 2E 74 78 74 = FumAlSamakah.txt

Entry #9: inode value 12 00 00 00 = 18; length of entry 54 03 = 852; name length 0B = 11; file type 01 = regular file; name in ASCII 47 69 61 75 7A 61 72 2E 74 78 74 = Giauzar.txt

Partition 2

Entry #1: inode value 02 00 00 00 = 2; length of entry 0C 00 = 12; name length 01 = 1; file type 02 = directory; name in ASCII 2E = .

Entry #2: inode value 02 00 00 00 = 2; length of entry 0C 00 = 12; name length 02 = 2; file type 02 = directory; name in ASCII 2E 2E = ..

Entry #3: inode value 0B 00 00 00 = 11; length of entry 14 00 = 20; name length 0A = 10; file type 02 = directory; name in ASCII 6C 6F 73 74 2B 66 6F 75 6E 64 = lost+found

Entry #4: inode value 0C 00 00 00 = 12; length of entry 28 00 = 40; name length 0C = 12; file type 01 = regular file; name in ASCII 41 75 63 74 75 72 75 73 2E 74 78 74 = Arcturus.txt

Entry #5: inode value 0E 00 00 00 = 14; length of entry 14 00 = 20; name length 0A = 10; file type 01 = regular file; name in ASCII 43 61 73 75 6F 72 2E 74 78 74 = Castor.txt

Entry #6: inode value 0F 00 00 00 = 15; length of entry 24 00 = 36; name length 08 = 8; file type 01 = regular file; name in ASCII 44 75 68 72 2E 54 58 54 = Duhr.TXT

Entry #7: inode value 11 00 00 00 = 17; length of entry 14 00 = 20; name length 09 = 9; file type 01 = regular file; name in ASCII 46 75 72 75 64 2E 74 78 74 = Furud.txt

Entry #8: inode value 12 00 00 00 = 18; length of entry 60 03 = 864; name length 0B = 11; file type 01 = regular file; name in ASCII 47 72 75 6D 69 75 6D 2E 74 78 74 = Grumium.txt

Partition 3

Entry #1: inode value 02 00 00 00 = 2; length of entry 0C 00 = 12; name length 01 = 1; file type 02 = directory; name in ASCII 2E = .

Entry #2: inode value 02 00 00 00 = 12; length of entry 0C 00 = 12; name length 02 = 2; file type 02 = directory; name in ASCII 2E 2E = ..

Entry #3: inode value 0B 00 00 00 = 11; length of entry 14 00 = 20; name length 0A = 10; file type 02 = directory; name in ASCII 6C 6F 73 75 2B 66 6F 75 6E 64 = lost+found

Entry #4: inode value 0C 00 00 00 = 12; length of entry 28 00 = 40; name length 0B = 11; file type 01 = regular file; name in ASCII 41 6E 75 61 72 65 73 2E 74 78 74 = Antares.txt

Entry #5: inode value E0 00 00 00 = 14; length of entry 14 00 = 20; name length 09 = 9; file type 01 = regular file; name in ASCII 43 68 6F 72 74 2E 74 78 74 = Chort.txt

Entry #6: inode value 0F 00 00 00 = 15; length of entry 28 00 = 40; name length 0A = 10; file type 01 = regular file; name in ASCII 44 69 61 64 65 6D 2E 54 58 54 = Diadem.TXT

Entry #7: inode value 11 00 00 00 = 17; length of entry 14 00 = 20; name length 0A = 10; file type 01 = regular file; name in ASCII 66 6F 72 6E 61 78 2E 74 78 74 = fornax.txt

Entry #8: inode value 12 00 00 00 = 18; length of entry 5C 03 = 860; name length 0B = 11; file type 01 = regular file; name in ASCII 47 6F 6D 65 69 73 61 2E 74 78 74 = Gomeisa.txt

References

Carrier, B. (2011). File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley.

Fairbanks, K. (2012). An Analysis of Ext4 for Digital Forensics. Retrieved July 28, 2017, from https://www.dfrws.org/sites/default/files/session-files/paper-an_analysis_of_ext4_for_digital_forensics.pdf
