file identifies a file's type by using a configuration file called the magic file, which is shared across systems:
/usr/share/directory/magic
Usage:
file <filename>
0:25:00
/usr/share/backgrounds/images/earthfromspace.jpg /usr/share/backgrounds/images/stonebird.jpg
Each has the same starting byte string.
Thought process number 1.
Look for the header, then look for the footer. Everything in between is the image.
Side note: vulnerability in Microsoft's JPEG rendering, a heap overflow in the comment string. The length always had 2 subtracted to find the size of the comment field, so a value of less than 2 would give a really large number for a signed integer.
strings displays runs of 4 or more ASCII characters. To list the byte offset of each string in the image:
strings --radix=d
byte offset -> block number -> inode number -> metadata -> filename
byte offset / block size = block number
File size and name are stored in the metadata.
The data layer is made up of data blocks.
fsstat dev_sda6.img | less
dstat gives Allocated or Unallocated for a data unit
dstat dev_sda6.img 368055
dcat displays contents of a data unit
dcat dev_sda6.img 368055 | less
for hex display:
dcat -h dev_sda6.img 368055 | less
dls lists the contents of unallocated data (by default)
extract all unallocated data:
dls dev_sda6.img > dev_sda6.dls
extract between 8000 and 9000:
dls -el dev_sda6 8000-9000
Since the blocks in the dls output are no longer in their original sequence (the allocated blocks have been removed), use dcalc to map a dls block number back to the original block number:
dcalc dev_sda6.img -u 233429
gives:
368055
Takes every single data block and runs file against it.
Carves out files based on file header and sorts them by type.
mkdir /images/unixforensics/foremost_gzip (need to create a directory where the output will go)
foremost -o /images/unixforensics/foremost_gzip -c /usr/local/src/foremost.conf dev_sda6.dls
You may need to remove the 13th data block. In the example, open the file in khexedit, go to position blocksize(4096)*12, and delete blocksize(4096) bytes of data.
in audit.txt, the gzip file is listed at byte offset 98304
98304/4096=24 (block number in unallocated dls file)
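The header-then-footer carving idea from "thought process number 1", the byte offset to block number mapping, and the "comment length less than 2" malformed-JPEG case from the side note, combined into one added example (my code, not part of the original notes or of The Sleuth Kit/foremost). The block size, marker bytes and the sample image are constructed; the sample places a bad JPEG at byte offset 98304, i.e. block 24 as in the audit.txt example.

```python
import struct

BLOCK_SIZE = 4096          # data-unit size used in the notes (assumed)
SOI = b"\xff\xd8\xff"      # JPEG start-of-image marker (header)
EOI = b"\xff\xd9"          # JPEG end-of-image marker (footer)

def byte_offset_to_block(offset, block_size=BLOCK_SIZE):
    """Map a byte offset in a raw or dls image to its block (data-unit) number."""
    return offset // block_size

def segment_lengths_ok(data):
    """Walk marker segments after SOI up to SOS; False if any 2-byte length
    field is < 2 ('length - 2' would then wrap), the malformed comment case."""
    pos = 2                                   # skip FF D8
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False                      # lost marker sync
        marker = data[pos + 1]
        if marker == 0xDA:                    # SOS: entropy-coded data follows
            return True
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            return False
        pos += 2 + length
    return True

def carve_jpegs(image, block_size=BLOCK_SIZE):
    """Header-then-footer carve. Returns (offset, block, size, well_formed) per hit."""
    hits = []
    start = image.find(SOI)
    while start != -1:
        end = image.find(EOI, start + len(SOI))
        if end == -1:
            break
        blob = image[start:end + len(EOI)]
        hits.append((start, byte_offset_to_block(start, block_size),
                     len(blob), segment_lengths_ok(blob)))
        start = image.find(SOI, end + len(EOI))
    return hits

def make_sample_jpeg(comment_length_field):
    """Constructed minimal JPEG: SOI, APP0, COM (given length field), SOS, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    com = b"\xff\xfe" + struct.pack(">H", comment_length_field) + b"hi"
    return b"\xff\xd8" + app0 + com + b"\xff\xda\x00\x00" + EOI

# Constructed image: a good JPEG in block 1, and one whose COM length field is 1
# (< 2) starting at byte offset 98304 = block 24, as in the audit.txt example.
GOOD, BAD = make_sample_jpeg(4), make_sample_jpeg(1)
SAMPLE_IMAGE = (b"\x00" * BLOCK_SIZE + GOOD.ljust(BLOCK_SIZE, b"\x00")
                + b"\x00" * BLOCK_SIZE * 22 + BAD)
```

Running carve_jpegs(SAMPLE_IMAGE) reports each hit's offset, block and whether its marker segments are sane, so a carved file with a bad comment length can be set aside before it is opened in a viewer.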
dcalc dev_sda6.img -u 24
gives:
8171 (original block number)
Give ifind the block and it will return the inode number that is/was associated with it.
ifind dev_sda6.img -d 8171
gives:
2880
displays metadata information about an inode
istat dev_sda6.img 2880
list inode information
ils dev_sda6.img | grep 2880
copies files by inode number
icat -r dev_sda6.img 2880 > /images/unixforensics/lk.tgz
Takes the inode of a directory and displays the filenames in that directory.
fls dev_sda6.img
fls -l dev_sda6.img
fls dev_sda6.img 174593
Like mac_robber, the following will create the timeline information:
fls -m / -r dev_sda6.img > /images/unixforensics/dev_sda6.fls
or on a live system:
fls -m / -r /dev/sda6 | less
Extracts data on deleted inodes, but without the missing filename information:
ils -m dev_sda6.img > /images/unixforensics/dev_sda6.ils
Combine them with cat:
cat dev_sda6.?ls > dev_sda6.mac
The question mark matches any single character.
Make the data human readable:
mactime -b dev_sda6.mac > timeline_sda6.all
(add -d for comma-delimited output)
sorter uses file to categorize everything on the system, including deleted files, and puts them in directories.
hfind indexes and searches the hash database:
hfind -i md5sum linux_hash.txt
hfind linux_hash.txt <md5 hash>
* sorter and hashes
Hash all files:
md5deep -r / > /mnt/LinuxFC3.txt
Use database to exclude known good files with sorter:
sorter -d sorter_dir -x LinuxFC3.txt hda1.dd