[olug] September 2011 OLUG Meeting - September 6th, 6:30 PM

Jon Larsen jon at jonlarsen.us
Thu Sep 1 13:17:07 UTC 2011

On 08/23/2011 06:32 AM, Jon Larsen wrote:
> September 2011 OLUG Meeting
> The September 2011 OLUG Meeting will be on Tuesday, September 6th at 
> 6:30 PM at the AIM Institute Training Lab/Careerlink.com Career 
> Center, 1911 Harney Street in the Exchange Building.
> Presentation: Linux EXT3 File Recovery Via Indirect Blocks by Hal 
> Pomeranz
> Hal is a Faculty Fellow of the SANS Institute, and its
> longest-tenured instructor. He is the track author and primary
> instructor for their Linux/Unix Security certification track
> (GCUX). He is also a GIAC Certified Forensic Analyst (GCFA) and an
> instructor in the SANS Computer Forensics curriculum. Hal frequently
> contributes to the SANS Computer Forensics blog and is a co-author
> with fellow SANS instructor Ed Skoudis and Tim Medin of the weekly
> on-line Command Line Kung Fu column. http://blog.commandlinekungfu.com/
> The Meeting will be streamed live on the OLUG channel on Ustream.tv - 
> http://www.ustream.tv/channel/Omaha-Linux-User-Group
> Archived video can be found here: http://www.ustream.tv/user/olug/videos
> Linux EXT3 File Recovery Via Indirect Blocks
> ============================================
> The classic problem with recovering deleted data in modern Linux EXT
> file systems is that when inode meta-data structures are deallocated,
> the block pointer information in these structures is zeroed.  This
> makes direct reassembly of the original file extremely difficult.
> File-carving techniques (foremost, scalpel, et al) can sometimes be
> used when the target file has well-defined start and end signatures.
> However, many common Linux file formats lack these signatures or have
> no well-defined end of file marker—e.g., compressed or gzip data, tar
> archives, and so on.  Also, these file-carving techniques can run
> afoul of meta-data information—indirect block pointers—embedded in the
> block stream of larger files.  When this meta-data information is
> naively incorporated into the recovered data blocks, the usual result
> is a corrupted and unreadable file.  Traditional file-carving tools
> simply "work around" (skip) indirect block data with varying degrees
> of success.  But simply skipping this indirect block metadata misses
> out on a golden opportunity to easily recover most or all of the
> original file.
> The presentation will begin with an overview of EXT file systems and
> the indirect block pointer mechanism.  The limitations of existing
> file carving tools will be demonstrated.  Then we will use existing
> and newly developed tools to detect indirect blocks to manually
> recover file data from an actual file system.


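The abstract above describes the core problem: an ext3 indirect block (an array of 32-bit block pointers) sits in the middle of a large file's block run, and a carver that copies it into the output produces a corrupt file, while a carver that detects it can drop it and keep the data blocks intact. The following is an added example, not Hal Pomeranz's tooling and not code from the talk or the original post, showing one heuristic for spotting such blocks in a raw block stream and reassembling the data around them. It assumes 4 KiB blocks, little-endian 32-bit pointers (the ext2/ext3 on-disk layout) and a contiguously allocated file, so that every indirect block holds a strictly increasing run of block numbers followed by zero fill; the sample file, the starting block number 50000 and the file-system size are constructed. Because double- and triple-indirect blocks are also arrays of increasing pointers, the same check recognises them, which goes slightly beyond the single-indirect case the sample lays out.

```python
"""Detecting ext3 indirect-block metadata inside a carved block stream.

Added example; not Hal Pomeranz's tooling and not code from the talk.
Assumptions: 4 KiB blocks, 32-bit little-endian block pointers (ext2/ext3
on-disk layout) and a contiguously allocated file, so each indirect block
holds a strictly increasing run of block numbers followed by zero fill.
The sample file, its starting block and the file-system size are constructed.
"""
import struct

BLOCK_SIZE = 4096
PTRS_PER_BLOCK = BLOCK_SIZE // 4
PTR_FMT = "<%dI" % PTRS_PER_BLOCK        # 1024 little-endian u32 per block
FS_BLOCK_COUNT = 1 << 20                 # constructed: a 4 GiB file system
EXT_DIRECT_BLOCKS = 12                   # ext2/3 inodes carry 12 direct pointers


def looks_like_indirect_block(block, fs_block_count=FS_BLOCK_COUNT, min_ptrs=2):
    """True if `block` is plausibly an indirect block (single, double or
    triple: all three are arrays of increasing block numbers).

    Rules: first slot non-zero; the non-zero prefix strictly increasing and
    below the file-system block count; every slot after the first zero is
    also zero (the unused tail of a partially filled indirect block).
    All-zero data blocks fail the first rule. ASCII text fails the range
    rule, since four printable bytes decode to a very large u32. A data
    block that really is a table of small increasing integers is the known
    false-positive case for this heuristic.
    """
    if len(block) != BLOCK_SIZE:
        return False
    ptrs = struct.unpack(PTR_FMT, block)
    if ptrs[0] == 0:
        return False
    prev, i = 0, 0
    while i < PTRS_PER_BLOCK and ptrs[i] != 0:
        if ptrs[i] <= prev or ptrs[i] >= fs_block_count:
            return False
        prev, i = ptrs[i], i + 1
    if i < min_ptrs:
        return False
    return all(p == 0 for p in ptrs[i:])


def classify_blocks(stream, fs_block_count=FS_BLOCK_COUNT):
    """Split a raw block stream into (kind, block) pairs, kind in {'data', 'indirect'}."""
    out = []
    for off in range(0, len(stream), BLOCK_SIZE):
        blk = stream[off:off + BLOCK_SIZE]
        kind = "indirect" if looks_like_indirect_block(blk, fs_block_count) else "data"
        out.append((kind, blk))
    return out


def reassemble(stream, fs_block_count=FS_BLOCK_COUNT):
    """Recovered content: data blocks only, indirect blocks dropped.
    Zero padding of the final block stays, because the true file size lived
    in the inode, which was zeroed on deletion, not in the block stream."""
    return b"".join(blk for kind, blk in classify_blocks(stream, fs_block_count)
                    if kind == "data")


def build_sample_stream(payload, first_block):
    """Constructed input: lay `payload` out the way ext3 places a contiguous
    file, with the single indirect block between data block 11 and data
    block 12. Files needing a double-indirect block (more than 12 + 1024
    blocks) are outside the scope of this sample builder."""
    blocks = [payload[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
              for i in range(0, len(payload), BLOCK_SIZE)]
    if len(blocks) <= EXT_DIRECT_BLOCKS:
        return b"".join(blocks)
    tail = blocks[EXT_DIRECT_BLOCKS:]
    assert len(tail) <= PTRS_PER_BLOCK, "sample builder supports one indirect block"
    # The indirect block itself occupies first_block + 12; its data follows at +13.
    ptrs = [first_block + EXT_DIRECT_BLOCKS + 1 + k for k in range(len(tail))]
    ptrs += [0] * (PTRS_PER_BLOCK - len(ptrs))
    indirect = struct.pack(PTR_FMT, *ptrs)
    return b"".join(blocks[:EXT_DIRECT_BLOCKS]) + indirect + b"".join(tail)


# Constructed "deleted file": about 62 KB, i.e. 16 data blocks, so an
# indirect block is needed for blocks 12 through 15.
SAMPLE_PAYLOAD = b"".join(b"line %05d of the deleted file\n" % i for i in range(2000))


def demo():
    """Run the recovery over the constructed sample and report the outcome."""
    stream = build_sample_stream(SAMPLE_PAYLOAD, first_block=50000)
    kinds = [k for k, _ in classify_blocks(stream)]
    recovered = reassemble(stream)
    return {
        "blocks_in_stream": len(stream) // BLOCK_SIZE,
        "indirect_blocks_found": kinds.count("indirect"),
        "naive_carve_is_corrupt": stream.rstrip(b"\0") != SAMPLE_PAYLOAD,
        "recovered_matches": recovered.rstrip(b"\0") == SAMPLE_PAYLOAD,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real image the stream fed to `classify_blocks` would be the run of unallocated blocks pulled from the file system (for example with `blkls` from The Sleuth Kit), and `fs_block_count` would come from the superblock; the in-range and strictly-increasing rules are what keep ordinary data from being mistaken for pointer arrays, and a fragmented file weakens the increasing-run assumption, which is why the check is a heuristic to be confirmed by looking at the blocks it flags rather than a proof.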