Determining the Subject Disk Filesystem Structure
Going back to our able2 case dd images, we now have the original image along with the partition images that we carved out.
able2.dd (original image)
able2.part1.dd (1st partition)
able2.part2.dd (2nd partition)
able2.part4.dd (4th partition)
The next trick is to mount the partitions in such a way that we reconstruct the original filesystem.
One of the benefits of Linux/Unix systems is the ability to separate the filesystem across partitions. This can be done for any number of reasons, allowing for flexibility where there are concerns about disk space or security, etc.
For example, a System Administrator may decide to keep the directory /var/log on its own separate partition. This might be done in an attempt to prevent rampant log files from filling the root (“/” not “/root”) partition and bringing the system down. It is common to see /boot in its own partition as well. This allows the kernel image to be placed near “the front” (in terms of cylinders) of a hard drive, an issue in older versions of the Linux boot loader LILO. There are also a variety of security implications addressed by this setup.
So when you have a disk with multiple partitions, how do you find out the structure of the file system? Earlier in this paper we discussed the /etc/fstab file. This file maintains the mounting information for each file system, including the physical partition, mount point, file system type, and options. Once we find this file, reconstructing the system is easy. With experience, you will start to get a feel for how partitions are set up, and where to look for the fstab. To make things simple here, just mount each partition (loopback, read only) and have a look around.
One thing we might like to know is what sort of file system is on each partition before we try to mount them. We can use the file command to do this [6]. Remember from our earlier exercise that the file command determines the type of file by looking for “header” information.
file able2.part*
able2.part1.dd: Linux rev 1.0 ext2 filesystem data…
able2.part2.dd: Linux rev 1.0 ext2 filesystem data…
able2.part3.dd: Linux/i386 swap file (new style)…
able2.part4.dd: Linux rev 1.0 ext2 filesystem data…
Previously, we were able to determine that the partitions were “Linux” partitions from the output of fdisk and sfdisk. Now file informs us that the file system type is ext2 [7]. We can use this information to mount the partitions.
mount -t ext2 -o ro,loop able2.part1.dd /mnt/analysis/
Do this for each partition (either unmounting between partitions, or mounting to a different mount point) and you will find the /etc directory containing the fstab file in able2.part2.dd with the following entries:
/dev/hda2   /       ext2    defaults    1 1
/dev/hda1   /boot   ext2    defaults    1 2
/dev/hda4   /usr    ext2    defaults    1 2
/dev/hda3   swap    swap    defaults    0 0
So now we see that the logical file system was constructed from three separate partitions (note that /dev/hda here refers to the disk when it is mounted in the original system):
Directory | Source
---|---
/ (root) | mounted from /dev/hda2 (data on hda2)
bin/ | (data on hda2)
boot/ | mounted from /dev/hda1 (data on hda1)
dev/ | (data on hda2)
etc/ | (data on hda2)
home/ | (data on hda2)
lib/ | (data on hda2)
opt/ | (data on hda2)
proc/ | (data on hda2)
usr/ | mounted from /dev/hda4 (data on hda4)
root/ | (data on hda2)
sbin/ | (data on hda2)
tmp/ | (data on hda2)
var/ | (data on hda2)
Now we can create the original file system at our analysis mount point by creating separate directories for each partition. The mount point /mnt/analysis already exists. We create the other two with:
mkdir /mnt/analysis/boot
mkdir /mnt/analysis/usr
Now we mount each partition image at its respective mount point:
mount -t ext2 -o ro,loop able2.part2.dd /mnt/analysis/
mount -t ext2 -o ro,loop able2.part1.dd /mnt/analysis/boot
mount -t ext2 -o ro,loop able2.part4.dd /mnt/analysis/usr
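The two steps just described, reading the filesystem type from the `file` output and then mounting the images at the mount points the subject's fstab names, can be scripted. The script below is an added example, not part of the original guide; it works from constructed copies of the fstab and `file` output shown above, assumes the able2 naming scheme (/dev/hdaN maps to able2.partN.dd), and only prints the mkdir/mount commands as a dry run so it can be checked before anything is mounted. It sorts mount points so that parents are mounted before children, skips the swap entry, refuses an image when fstab and `file` disagree about its type, and adds nodev,nosuid,noexec to the read-only loopback options.

```shell
#!/bin/sh
# Added example (not from the original guide): plan the reconstruction of a
# subject filesystem from its fstab. Assumption: /dev/hdaN -> able2.partN.dd.

# Constructed copy of the fstab entries found on able2.part2.dd.
FSTAB_SAMPLE='/dev/hda2  /      ext2  defaults  1 1
/dev/hda1  /boot  ext2  defaults  1 2
/dev/hda4  /usr   ext2  defaults  1 2
/dev/hda3  swap   swap  defaults  0 0'

# Constructed copy of the "file able2.part*" output shown in the text.
FILE_SAMPLE='able2.part1.dd: Linux rev 1.0 ext2 filesystem data
able2.part2.dd: Linux rev 1.0 ext2 filesystem data
able2.part3.dd: Linux/i386 swap file (new style)
able2.part4.dd: Linux rev 1.0 ext2 filesystem data'

# Map a subject device name (/dev/hda2) to the carved image (able2.part2.dd).
dev_to_image() {
    printf 'able2.part%s.dd\n' "${1#/dev/hda}"
}

# Look the image up in the saved `file` output and report its type as a
# mount -t argument; "unknown" if file did not recognise it.
image_fstype() {
    line=$(printf '%s\n' "$FILE_SAMPLE" | grep "^$1:" || true)
    case "$line" in
        *"ext2 filesystem"*) echo ext2 ;;
        *"swap file"*)       echo swap ;;
        *)                   echo unknown ;;
    esac
}

# Print the mkdir/mount commands for every non-swap fstab entry. Sorting by
# mount point length puts "/" first and parents before children.
# ro,nodev,nosuid,noexec keeps subject device nodes and binaries inert.
plan_mounts() {
    root="${1%/}"   # analysis mount point, e.g. /mnt/analysis
    printf '%s\n' "$FSTAB_SAMPLE" | grep -v '^#' |
    awk '$3 != "swap" { print length($2), $1, $2, $3 }' | sort -n |
    while read -r depth dev mnt fstype; do
        image=$(dev_to_image "$dev")
        detected=$(image_fstype "$image")
        if [ "$detected" != "$fstype" ]; then
            echo "# SKIP $image: fstab says $fstype, file says $detected"
            continue
        fi
        target="$root${mnt%/}"   # "/" -> /mnt/analysis, "/usr" -> /mnt/analysis/usr
        if [ "$mnt" != "/" ]; then
            echo "mkdir -p $target"
        fi
        echo "mount -t $fstype -o ro,loop,nodev,nosuid,noexec $image $target"
    done
}

plan_mounts /mnt/analysis
```

Run it first without a pipe to review the plan; once the commands look right they can be piped to sh by an examiner who has confirmed the mapping from device names to images for the case at hand.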
We now have the recreated original file system under /mnt/analysis:
Directory | Mount point
---|---
/ (root) | mounted on /mnt/analysis
bin/ |
boot/ | mounted on /mnt/analysis/boot
dev/ |
etc/ |
home/ |
lib/ |
opt/ |
proc/ |
usr/ | mounted on /mnt/analysis/usr
root/ |
sbin/ |
tmp/ |
var/ |
At this point we can run all of our searches and commands just as we did for the previous floppy disk exercise on a complete file system “rooted” at /mnt/analysis.
As always, you should know what you are doing when you mount a complete file system on your forensic workstation. Be aware of options to the mount command that you might want to use (check man mount for options like “nodev”, “nosuid”, “noatime”, etc.). Take note of where links point to from the subject file system. Note that we have mounted the partitions “read only” (ro). Remember to unmount each partition when you are finished exploring.
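The warning about where links point deserves a concrete check: a symbolic link inside the subject filesystem whose target is an absolute path (say /etc/something) is resolved by the workstation kernel against the workstation's own root, not against /mnt/analysis, so following it reads the examiner's file instead of the subject's. The script below is an added example, not part of the original guide; it lists every absolute symlink under a mount point together with the subject-relative path it should be read at. To run without a subject image it builds a small constructed demo tree under a temporary directory; in a real case the mount point itself would be passed.

```shell
#!/bin/sh
# Added example (not from the original guide): find symlinks in a mounted
# subject filesystem that would resolve against the examiner's workstation.

# Print "link -> target => subject path" for every absolute symlink under $1.
# Relative links resolve within the tree on their own and are not reported.
audit_links() {
    root="${1%/}"
    find "$root" -type l -print | while read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /*) printf '%s -> %s => %s\n' "$link" "$target" "$root$target" ;;
        esac
    done
}

# Number of absolute links found under $1.
count_absolute_links() {
    audit_links "$1" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for /mnt/analysis (not a real image).
build_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/etc" "$demo/usr/lib" "$demo/var/log"
    printf 'subject resolv.conf\n' > "$demo/etc/resolv.conf.real"
    ln -s /etc/resolv.conf.real "$demo/etc/resolv.conf"   # absolute: resolves on the workstation
    ln -s ../lib/libdemo.so "$demo/usr/libdemo.so"         # relative: stays inside the tree
    ln -s /var/log "$demo/usr/log"                         # absolute
    printf '%s\n' "$demo"
}

demo=$(build_demo_tree)
audit_links "$demo"
rm -rf "$demo"
```

Each reported line shows the path under the analysis mount point at which the subject's own copy of the target lives, which is the file an examiner should open; anything tooling does through the link itself touches the workstation.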
6. Keep in mind that the file command relies on the contents of the magic file to determine a file type. If this command does not work for you in the following example, then it is most likely because the magic file on your system does not include headers for filesystem types.
7. You can also use the auto filesystem type under the mount command, but I prefer to be explicit. Check man mount for more information.