September 2011 OLUG Meeting

The September 2011 OLUG Meeting will be on Tuesday, September 6th at 6:30 PM at the AIM Institute Training Lab/Careerlink.com Career Center, 1911 Harney Street in the Exchange Building.

Presentation: Linux EXT3 File Recovery Via Indirect Blocks by Hal Pomeranz

Hal is a Faculty Fellow of the SANS Institute, and its longest-tenured instructor. He is the track author and primary instructor for their Linux/Unix Security certification track (GCUX). He is also a GIAC Certified Forensic Analyst (GCFA) and an instructor in the SANS Computer Forensics curriculum. Hal frequently contributes to the SANS Computer Forensics blog and is a co-author with fellow SANS instructors Ed Skoudis and Tim Medin of the weekly on-line Command Line Kung Fu column.

The Meeting will be streamed live on the OLUG channel on Ustream.tv – http://www.ustream.tv/channel/Omaha-Linux-User-Group

Archived video can be found here: http://www.ustream.tv/user/olug/videos

Linux EXT3 File Recovery Via Indirect Blocks
============================================
The classic problem with recovering deleted data in modern Linux EXT
file systems is that when inode meta-data structures are deallocated,
the block pointer information in these structures is zeroed. This
makes direct reassembly of the original file extremely difficult.

File-carving techniques (foremost, scalpel, et al.) can sometimes be
used when the target file has well-defined start and end signatures.
However, many common Linux file formats lack these signatures or have
no well-defined end of file marker—e.g., compressed or gzip data, tar
archives, and so on. Also, these file-carving techniques can run
afoul of meta-data information—indirect block pointers—embedded in the
block stream of larger files. When this meta-data information is
naively incorporated into the recovered data blocks, the usual result
is a corrupted and unreadable file. Traditional file-carving tools
simply “work around” (skip) indirect block data with varying degrees
of success. But simply skipping this indirect block metadata misses
out on a golden opportunity to easily recover most or all of the
original file.

The presentation will begin with an overview of EXT file systems and
the indirect block pointer mechanism. The limitations of existing
file carving tools will be demonstrated. Then we will use existing
and newly developed tools to detect indirect blocks to manually
recover file data from an actual file system.
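The following is an added illustration of the mechanism the abstract describes, not code from the presentation or from Hal's tools. It builds a small in-memory image laid out the way ext3 allocates a contiguous file (12 direct data blocks, then the single-indirect block, then the blocks it points to), shows that a naive sequential carve swallows the pointer array as if it were file content, and then detects the indirect block by a simple heuristic (a run of nonzero, strictly increasing, in-range little-endian 32-bit block numbers followed only by zero padding) and follows its pointers to reassemble the file. The 1 KiB block size, the single-indirect-only layout, the detection heuristic and the sample payload are all assumptions of this example.

```python
"""Added example: spotting an ext3 single-indirect block inside a carved block
stream and using its pointers to reassemble the file.  Constructed in-memory
image; 1 KiB blocks, 12 direct pointers per inode, single indirect only."""
import random
import struct

BLOCK_SIZE = 1024                  # ext3 default for small filesystems (assumption)
PTRS_PER_BLOCK = BLOCK_SIZE // 4   # 256 little-endian 32-bit block numbers per block
NDIR_BLOCKS = 12                   # direct block pointers in an ext2/ext3 inode
MIN_PTRS = 4                       # heuristic floor: shorter runs are too easy to mimic


def split_blocks(data: bytes):
    """Split data into BLOCK_SIZE chunks, zero-padding the last one."""
    chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if chunks and len(chunks[-1]) < BLOCK_SIZE:
        chunks[-1] = chunks[-1].ljust(BLOCK_SIZE, b"\0")
    return chunks


def build_image(file_data: bytes, first_block: int, total_blocks: int) -> bytes:
    """Constructed sample image.  Lays the file out the way ext3 allocates a
    contiguous file: 12 direct data blocks, then the single-indirect block,
    then the data blocks it points to.  Every other block is zero-filled."""
    blocks = [b"\0" * BLOCK_SIZE] * total_blocks
    chunks = split_blocks(file_data)
    assert len(chunks) <= NDIR_BLOCKS + PTRS_PER_BLOCK, "single indirect only"
    pos = first_block
    for chunk in chunks[:NDIR_BLOCKS]:
        blocks[pos] = chunk
        pos += 1
    rest = chunks[NDIR_BLOCKS:]
    if rest:
        ind = pos                  # indirect block sits right after the 12th data block
        pos += 1
        ptrs = []
        for chunk in rest:
            blocks[pos] = chunk
            ptrs.append(pos)
            pos += 1
        ptrs += [0] * (PTRS_PER_BLOCK - len(ptrs))   # unused pointer slots are zero
        blocks[ind] = struct.pack("<%dI" % PTRS_PER_BLOCK, *ptrs)
    return b"".join(blocks)


def looks_like_indirect_block(block: bytes, total_blocks: int) -> bool:
    """Heuristic (an assumption of this example, not the presenter's test):
    a nonzero, strictly increasing, in-range run of block numbers followed
    only by zero padding.  Text, compressed data and zero blocks fail it."""
    ptrs = struct.unpack("<%dI" % PTRS_PER_BLOCK, block)
    if ptrs[0] == 0 or ptrs[0] >= total_blocks:
        return False
    count, prev, padding = 1, ptrs[0], False
    for p in ptrs[1:]:
        if p == 0:
            padding = True         # once padding starts, only zeros may follow
            continue
        if padding or p <= prev or p >= total_blocks:
            return False
        prev, count = p, count + 1
    return count >= MIN_PTRS


def find_indirect_blocks(image: bytes):
    """Scan every block of the image and return the candidate indirect blocks."""
    total = len(image) // BLOCK_SIZE
    return [n for n in range(total)
            if looks_like_indirect_block(image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE], total)]


def carve_naive(image: bytes, first_block: int, nblocks: int) -> bytes:
    """What a carver that copies consecutive blocks produces: the pointer
    array of the indirect block lands inside the 'recovered' file."""
    return image[first_block * BLOCK_SIZE:(first_block + nblocks) * BLOCK_SIZE]


def recover_via_indirect(image: bytes, ind_block: int) -> bytes:
    """Reassemble a file around a detected single-indirect block.  The 12
    direct blocks are assumed to sit immediately before it (contiguous
    allocation); the remainder comes from its pointer list, in order."""
    block = lambda n: image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
    ptrs = struct.unpack("<%dI" % PTRS_PER_BLOCK, block(ind_block))
    out = bytearray()
    for n in range(max(0, ind_block - NDIR_BLOCKS), ind_block):
        out += block(n)
    for p in ptrs:
        if p == 0:                 # zero pointer marks the end of the used slots
            break
        out += block(p)
    return bytes(out)


def sample_payload(n: int = 40_000) -> bytes:
    """Constructed 40 KB pseudo-random payload: 40 blocks, so the file needs
    12 direct blocks plus an indirect block pointing at 28 more."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    data = sample_payload()
    img = build_image(data, first_block=100, total_blocks=512)
    found = find_indirect_blocks(img)
    print("indirect block candidates:", found)           # [112]
    naive = carve_naive(img, 100, len(split_blocks(data)))
    print("naive carve intact:", naive[:len(data)] == data)        # False
    good = recover_via_indirect(img, found[0])
    print("indirect-block recovery intact:", good[:len(data)] == data)  # True
```

The recovered buffer is still block-aligned: the inode's size field is gone along with its pointers, so trailing padding has to be trimmed by the file format itself (a gzip trailer, a tar end-of-archive marker, and so on). Files larger than 12 + 256 blocks at this block size also carry double- and triple-indirect blocks, whose entries point at further pointer blocks rather than data; the same detection heuristic applies to them, but the walk becomes recursive.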
