Flashcards covering Linux and Macintosh file systems for cyber forensics and incident response.
UNIX Distributions
Silicon Graphics, Inc. (SGI) IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX
Linux distributions
Ubuntu, Debian, Red Hat, OpenSUSE, and Slackware
/usr directory in Linux
Most applications and commands; contains binary files required at boot time (bin) and binaries needing superuser permission (sbin)
/etc directory in Linux
Most system configuration files
/home directory in Linux
Home directories for all users, typically named after usernames
/root directory in Linux
Home directory for the root user (superuser)
/dev directory in Linux
Device files that act as stand-ins for the devices they represent
/var directory in Linux
Subdirectories like log, mail, and spool
/etc/exports
File systems exported to remote hosts, possibly including remote drive mappings
/etc/fstab
File system table of devices and mount points
/var/log/lastlog
User's last logon
/var/log/wtmp
Logon and logoff history information
/var/run/utmp
Current user's logon information
/var/log/dmesg
System messages log
/var/log/syslog
System log, which might be called system.log or kernel.log
/etc/shadow
Master password file, stores hashed passwords
/etc/group
Group memberships for the local system
/etc/passwd
Account information for the local system
uname -a
Finds the name of your computer and the Linux Kernel revision number
pwd
Identifies the current path
ls
Shows a list of the directory's contents
ifconfig
Shows your network interfaces: wired, wireless, FireWire, and so on
cd
Navigates to the root directory
sudo cat /etc/passwd
Shows a listing of all user accounts configured for the system
Third Extended File System (Ext3)
Replaced Ext2 in most Linux distributions
Fourth Extended File System (Ext4)
Added support for partitions larger than 16 TB
The extended file system (ext)
Has max 2 GB partition size and max 255 filename characters
inode
Basic building block of Ext2
journaling feature
Ensures that information on updates is recorded so it can recover unsaved data
Block
Disk allocation unit of at least 512 bytes
Superblock
Indicates disk geometry, available space, and location of the first inode; manages the file system
Inode blocks
First data after the superblock; assigned to every file allocation unit
Data blocks
Location where directories and files are stored, linked directly to inodes
Bad Block Inode
Keeps track of disk's bad sectors
Hard link
A pointer that allows accessing the same file by different filenames
Link count
A field inside each inode that specifies the number of hard links
Symbolic links
Pointers to other files not included in the link; also known as soft links or symlinks
MAC OS X
Built on a core called Darwin; consists of a Berkeley Software Distribution (BSD) UNIX application layer
Hierarchical File System (HFS)
Files stored in nested directories (folders)
Extended Format File System (HFS+)
Supports smaller file sizes on larger volumes, resulting in more efficient disk use
Apple File System (APFS)
Metadata is also copied to help with crash protection; supports TRIM operations, sparse files, cloning, timestamp granularity, etc.
Data fork
Typically contains data the user creates, such as text or spreadsheets
Resource fork (RF)
Stores file metadata (like icon) and application information
Volume
Any storage medium used to store files
Catalog
The listing of all files and directories on the volume; maintains relationships between files and directories
MacOS
Stores user settings in the form of property list format (plist)
Spotlight
Used to search for specific keywords that show malicious activities
Foremost
A freeware carving tool that can read many image file formats
lsof -p [process ID]
Prints list of open files and their paths
python vol.py --file=
Outputs the user’s command history from the memory
dmesg [options]
Outputs the entire kernel buffer, without stops, e.g. RAM, messages from hardware
mount [options]
Outputs all attached filesystems available on the system
lsmod
Outputs the status of modules in the Kernel; outputs a list of loaded modules
pslist
Outputs all processes that were running on the machine
Freta tool
Detects malicious software, kernel rootkits, hidden processes, etc.
Plist files
For installed applications on a system