UNIX Distributions: Silicon Graphics, Inc. (SGI) IRIX, Santa Cruz Operation (SCO) UnixWare, Sun Solaris, IBM AIX, and HP-UX
Linux distributions: Ubuntu, Debian, Red Hat, OpenSUSE, and Slackware
Linux is only the core of the OS.
All UNIX-like OSs have a kernel.
All Windows OSs have a kernel.
UNIX System Directories
The UNIX standard system directories are shown below.
Linux is based on UNIX and inherits its hierarchical file system from UNIX.
All files and directories are located under ’root’ represented by /.
Linux File Structure Example
Example path: /home/john/documents/phone.txt
Core Top-Level Directories of a Linux System
Directory - Contents
/usr - Most applications and commands are in this directory or its subdirectories: bin (contains binary files required at boot time) and sbin (requires superuser permission to run the binaries in it).
/etc - Most system configuration files are stored in this directory.
/home - The home directories for all users, usually named after their usernames.
/root - The home directory for the root user (superuser), which is kept separate from other user home directories.
/dev - Device files that act as stand-ins for the devices they represent. For example, /dev/sda is the first non-IDE disk drive on the system, usually the main hard drive.
/var - Subdirectories such as log (often useful for investigations), mail (storing e-mail accounts), and spool (where print jobs are spooled).
Linux System Files
System file - Contents
/etc/exports - File systems exported to remote hosts; might include remote drive mappings
/etc/fstab - File system table of devices and mount points
/var/log/lastlog - User's last logon
/var/log/wtmp - Logon and logoff history information
/var/run/utmp - Current users' logon information
/var/log/dmesg - System messages log
/var/log/syslog - System log, occasionally called system.log or kernel.log
/etc/shadow - Master password file, containing hashed passwords for the local system
/etc/group - Group memberships for the local system
/etc/passwd - Account information for the local system
Commands for Examining Linux File Structures
who: Displays users currently logged in.
last: Shows a listing of last logged in users.
lastb: Shows a listing of bad login attempts.
lastlog: Shows the most recent login of each user.
uname -a: Find the name of your computer and the Linux kernel revision number.
pwd: Identify the current path.
ls: See a list of the directory’s contents.
ifconfig: See your network interfaces: wired, wireless, Firewire, and so on.
cd /: Navigate to the root directory (cd with no argument returns to your home directory).
sudo cat /etc/passwd: See a listing of all user accounts configured for the system.
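The /var/log/wtmp and /var/run/utmp files listed above are not text: they are arrays of fixed-size binary records that who and last decode. The following added example (not part of the original slides) builds a few constructed wtmp records, parses them and pairs logins with logouts the way last does. It assumes the record layout of glibc's struct utmp on x86_64 Linux (384 bytes); other architectures use a different layout, and the sample records are constructed test data, not a real capture.

```python
import struct
from datetime import datetime, timezone

# Record layout of glibc's struct utmp on x86_64 Linux (384 bytes): ut_type,
# 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (two shorts), ut_session, ut_tv (sec, usec as 32-bit ints),
# ut_addr_v6[4], 20 reserved bytes. Assumed layout; other architectures differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def make_record(ut_type, pid, line, user, host, ts):
    """Pack one constructed utmp record (test data, not a real capture)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def _cstr(field):
    """Decode a NUL-padded fixed-width string field."""
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_wtmp(data):
    """Split a wtmp/utmp byte string into one dict per fixed-size record."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return records


def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty,
    as `last` does. Returns (user, line, host, login_ts, logout_ts), with
    logout_ts None when the session is still open."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append((login["user"], login["line"], login["host"], login["time"], r["time"]))
    for login in open_by_line.values():
        out.append((login["user"], login["line"], login["host"], login["time"], None))
    return sorted(out, key=lambda s: s[3])


def fmt_time(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def report(data):
    """Render the login history as text lines, one per session."""
    lines = []
    for user, line, host, login, logout in sessions(parse_wtmp(data)):
        end = "still logged in" if logout is None else fmt_time(logout)
        lines.append(f"{user:<8} {line:<7} {host:<15} {fmt_time(login)} - {end}")
    return lines


# Constructed sample wtmp: a boot record, an SSH session that ended after
# ten minutes, and a console login that is still open.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1700000000),
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1700000100),
    make_record(USER_PROCESS, 4300, "tty1", "bob", "", 1700000200),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700000700),
])

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_WTMP)))
```

To run this against a real file, replace SAMPLE_WTMP with the bytes read from /var/log/wtmp on an image mounted read-only; note that a DEAD_PROCESS record carries an empty user name, so the pairing key is the tty line, not the user.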
Important Reminder
UNIX and Linux commands are case-sensitive.
Wrong capitalization can mean your commands are rejected as incorrect or interpreted as something different.
If you are a newcomer to the Linux environment you should take the time to learn the basic functionality; this is often the same in Unix or Linux.
File Structures in Ext4
The early file system standard was Second Extended File System (Ext2).
Third Extended File System (Ext3) replaced Ext2 in most Linux distributions.
Fourth Extended File System (Ext4) added support for partitions larger than 16 TB.
The extended file system (ext) is the first Linux file system.
It has max 2 GB partition size and max 255 filename characters.
It was replaced by ext2 which enhanced speed but lacked journaling.
The inode is the basic building block of ext2.
File Structures in Ext2 (Inode Information)
Inodes contain direct data blocks, blocks of pointers, indirect blocks, double indirect blocks and triple indirect blocks.
File Structures in Ext3
The ext3 file system is an enhanced version of the ext2 file system, and it provides the following advantages:
Availability
Data Integrity
Journaling feature ensures that information on updates is recorded so it can recover unsaved data
Speed
Easy Transition
Ext2 can be converted to ext3 using the following command:
# /sbin/tune2fs -j <partition-name>
File Structures in Ext4
It is a journaling file system and the replacement of ext3.
Everything is a file.
Files are objects, and there are properties and methods to interact with them.
It has many features, including larger file system and file sizes, reduced fragmentation, faster file system checking (fsck), checksums for reliability, nanosecond timestamps, etc.
Four components:
Boot block
Superblock
Inode blocks
Data blocks
Components of Ext4 File System Structure
Boot block
Block is a disk allocation unit of at least 512 bytes.
Contains the bootstrap code.
A UNIX/Linux computer has only one boot block, located on the main hard disk.
Superblock
Indicates disk geometry, available space, and location of the first inode.
Manages the file system.
Inode blocks
First data after the superblock.
Assigned to every file allocation unit.
Data blocks
Where directories and files are stored.
This location is linked directly to inodes.
Inodes
Contain file and directory metadata and link data stored in data blocks.
An assigned inode contains the following:
Mode and type of file or directory
Number of links to a file or directory
UID and GID of the file’s or directory’s owner
Number of bytes in the file or directory
File’s or directory’s last access time and last modified time
Inode’s last file status change time
Block address for the file data
Indirect, double-indirect, and triple-indirect block addresses for the file data
Current usage status of the inode
Number of actual blocks assigned to a file
File generation number or version number
Continuation inode’s link
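The fields listed above can be read straight off the disk. The following added example (not from the original slides) packs a constructed 128-byte ext2 inode and decodes it into the metadata an examiner looks at: mode and type, link count, UID/GID, size, the three timestamps plus the deletion time, the block pointers and the generation number. It assumes the little-endian on-disk layout of the kernel's struct ext2_inode; ext2 itself reserves 15 block-address slots (12 direct, then one single-, double- and triple-indirect), and the sample inodes are constructed test data.

```python
import stat
import struct

# Little-endian layout of a 128-byte ext2 inode, in the order of the kernel's
# struct ext2_inode: i_mode, i_uid, i_size, i_atime, i_ctime, i_mtime, i_dtime,
# i_gid, i_links_count, i_blocks, i_flags, i_osd1, i_block[15], i_generation,
# i_file_acl, i_dir_acl, i_faddr, then 12 bytes of i_osd2 (assumed layout).
EXT2_INODE_FMT = "<HHIIIIIHHIII15IIIII12x"
EXT2_INODE_SIZE = struct.calcsize(EXT2_INODE_FMT)  # 128
EXT2_NDIR_BLOCKS = 12  # 12 direct pointers, then single/double/triple indirect


def parse_ext2_inode(raw, block_size=1024):
    """Decode one raw inode into the fields an examiner reads."""
    f = struct.unpack(EXT2_INODE_FMT, raw[:EXT2_INODE_SIZE])
    mode, uid, size, atime, ctime, mtime, dtime, gid, links, blocks, flags, _osd1 = f[:12]
    block = list(f[12:27])
    return {
        "filemode": stat.filemode(mode),          # e.g. -rw-r--r-- or drwxr-xr-x
        "is_dir": stat.S_ISDIR(mode),
        "uid": uid, "gid": gid,
        "size": size,
        "links_count": links,
        "fs_blocks": blocks * 512 // block_size,  # i_blocks counts 512-byte sectors
        "atime": atime, "mtime": mtime, "ctime": ctime, "dtime": dtime,
        "deleted": dtime != 0,                    # deletion time set => unlinked inode
        "direct": block[:EXT2_NDIR_BLOCKS],
        "single_indirect": block[12],
        "double_indirect": block[13],
        "triple_indirect": block[14],
        "generation": f[27],
    }


def build_inode(mode, uid, gid, size, times, links, blocks, block_ptrs,
                dtime=0, generation=0):
    """Pack a constructed inode (test data only); unused pointer slots are zero."""
    ptrs = list(block_ptrs) + [0] * (15 - len(block_ptrs))
    atime, ctime, mtime = times
    return struct.pack(EXT2_INODE_FMT, mode, uid, size, atime, ctime, mtime, dtime,
                       gid, links, blocks, 0, 0, *ptrs, generation, 0, 0, 0)


# A live 70000-byte regular file on a 1 KiB-block file system: 69 data blocks
# (12 direct + 57 via the single-indirect block) plus the indirect block itself
# = 70 file system blocks = 140 sectors.
SAMPLE_FILE_INODE = build_inode(
    0o100644, 1000, 1000, 70000, (1700000000, 1700000000, 1700000000),
    1, 140, list(range(1000, 1012)) + [2000], generation=42)

# An unlinked inode: link count 0, size zeroed, deletion time recorded.
SAMPLE_DELETED_INODE = build_inode(
    0o100600, 0, 0, 0, (1700000000, 1700003600, 1700003600),
    0, 0, [], dtime=1700003600)

if __name__ == "__main__":
    for name, raw in (("file", SAMPLE_FILE_INODE), ("deleted", SAMPLE_DELETED_INODE)):
        print(name, parse_ext2_inode(raw))
```

The dtime field is the one to watch in a recovery: a non-zero deletion time with a zero link count marks an inode whose data blocks may still be intact until they are reused.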
Inode Pointers
First inode has 13 pointers
Pointers 1 to 10 are direct pointers to data storage blocks
Pointer 11 is an indirect pointer
Points to a block of 128 pointers, each of which links directly to a data block
Pointer 12 is a double-indirect pointer
Pointer 13 is a triple-indirect pointer
Inode Pointers Details
Block size is 512 bytes
First inode has 13 pointers
Pointers 1 to 10 are direct pointers to data storage blocks
Pointer 11 is an indirect pointer which contains 128 pointers = 128 * 512 bytes
Pointer 12 is a double-indirect pointer which contains 128 * 128 pointers
Pointer 13 is a triple-indirect pointer which contains 128 * 128 * 128 pointers
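The arithmetic above fixes how large a file this inode layout can address and how many pointer blocks must be read to reach any given data block. The following added example (not from the original slides) implements the 13-pointer model exactly as stated: 512-byte blocks, 4-byte block addresses (hence 128 pointers per block, an assumption the slide implies), pointers 1-10 direct, 11 single-indirect, 12 double-indirect, 13 triple-indirect. It generalizes the slide by taking the block size and direct-pointer count as parameters, so the same functions give the limits for other block sizes.

```python
BLOCK_SIZE = 512       # bytes per block, as stated above
POINTER_SIZE = 4       # bytes per block address: 512 / 4 = 128 pointers per block (assumed)
DIRECT_POINTERS = 10   # pointers 1-10 on the slide


def pointers_per_block(block_size=BLOCK_SIZE):
    return block_size // POINTER_SIZE


def capacity_by_level(block_size=BLOCK_SIZE, direct=DIRECT_POINTERS):
    """Number of data blocks reachable through each inode pointer level."""
    n = pointers_per_block(block_size)
    return {"direct": direct, "single": n, "double": n * n, "triple": n ** 3}


def max_file_size(block_size=BLOCK_SIZE, direct=DIRECT_POINTERS):
    """Largest file the inode can address, in bytes."""
    return sum(capacity_by_level(block_size, direct).values()) * block_size


def locate(logical_block, block_size=BLOCK_SIZE, direct=DIRECT_POINTERS):
    """Map a 0-based logical block number within a file to the slide's 1-based
    inode pointer number and the index path through the pointer blocks.
    Returns (pointer_number, [index, ...]); len(path) is how many pointer
    blocks must be read before the data block itself."""
    if logical_block < 0:
        raise ValueError("logical block must be non-negative")
    n = pointers_per_block(block_size)
    if logical_block < direct:                       # pointers 1..direct
        return logical_block + 1, []
    rest = logical_block - direct
    if rest < n:                                     # single indirect
        return direct + 1, [rest]
    rest -= n
    if rest < n * n:                                 # double indirect
        return direct + 2, [rest // n, rest % n]
    rest -= n * n
    if rest < n ** 3:                                # triple indirect
        return direct + 3, [rest // (n * n), (rest // n) % n, rest % n]
    raise ValueError("block number beyond the inode's addressing range")


def reads_needed(logical_block, block_size=BLOCK_SIZE, direct=DIRECT_POINTERS):
    """Block reads (pointer blocks + data block) to fetch one logical block."""
    return 1 + len(locate(logical_block, block_size, direct)[1])


if __name__ == "__main__":
    print("capacity per level (blocks):", capacity_by_level())
    print("max file size (bytes):", max_file_size())
    for lb in (0, 10, 138, 16522):
        print(f"logical block {lb}: pointer {locate(lb)[0]}, path {locate(lb)[1]}, reads {reads_needed(lb)}")
```

With the slide's numbers the inode addresses 10 + 128 + 16384 + 2097152 = 2,113,674 blocks, i.e. just over 1 GiB, and the first block that needs the triple-indirect pointer (logical block 16522) costs four reads instead of one.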
Bad Block Inode
Keeps track of disk’s bad sectors.
To find bad blocks on a Linux computer, use the following commands:
badblocks - must log in as root to use
mke2fs and e2fsck - include safeguards that prevent them from overwriting important information
Hard Links
A pointer that allows accessing the same file by different filenames.
Use the ln command to create a hard link.
Link count is a field inside each inode that specifies the number of hard links.
Symbolic Links
Pointers to other files and aren’t included in the link count.
Also known as “soft links” or “symlinks”.
Can point to items on other drives or other parts of the network.
Have an inode of their own, not the same as the item they are pointing to.
Depend on the existence of the destination they are pointing to.
Created using ln -s command
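The difference between the two link types shows up in the inode numbers and the link count. The following added example (not from the original slides) creates a file in a temporary directory, adds a hard link and a symlink to it with the os module, and records what stat reports before and after the original name is deleted: the hard link shares the inode and raises the link count, the symlink has its own inode, leaves the count alone and dangles once the target is gone. It assumes a POSIX file system that supports both link types.

```python
import os
import stat
import tempfile


def link_demo():
    """Create a file, a hard link and a symlink to it, then delete the original
    and report what survives. Returns a dict of observations."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "original.txt")
        hard = os.path.join(d, "hard.txt")
        soft = os.path.join(d, "soft.txt")
        with open(target, "w") as f:
            f.write("evidence\n")

        os.link(target, hard)      # equivalent of: ln original.txt hard.txt
        os.symlink(target, soft)   # equivalent of: ln -s original.txt soft.txt

        st_target = os.stat(target)
        st_hard = os.stat(hard)
        st_soft = os.lstat(soft)   # lstat looks at the link itself, not its target

        result = {
            # the hard link is the same inode, so the inode's link count is now 2
            "hard_same_inode": st_hard.st_ino == st_target.st_ino,
            "nlink_with_hard_link": st_target.st_nlink,
            # the symlink is a separate inode and is not counted in st_nlink
            "symlink_own_inode": st_soft.st_ino != st_target.st_ino,
            "symlink_is_link": stat.S_ISLNK(st_soft.st_mode),
            "symlink_target": os.readlink(soft),
        }

        os.unlink(target)          # remove the original name only

        # the data lives on under the remaining hard link; the symlink is now dangling
        result["hard_link_survives"] = os.path.exists(hard)
        result["nlink_after_delete"] = os.stat(hard).st_nlink
        result["symlink_dangling"] = os.path.islink(soft) and not os.path.exists(soft)
        with open(hard) as f:
            result["content_via_hard_link"] = f.read()
        return result


if __name__ == "__main__":
    for key, value in link_demo().items():
        print(f"{key}: {value}")
```

For an examiner the practical consequence is that a file "deleted" by name may still be fully present under another hard link (link count above 1 before deletion), while a symlink only ever tells you where the data used to be.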
Understanding Macintosh File Structures
Mac OS X is built on a core called Darwin.
It consists of a Berkeley Software Distribution (BSD) UNIX application layer.
With OS X, Macintosh moved to the Intel processor.
Macintosh File Systems
Hierarchical File System (HFS): Files stored in nested directories (folders).
Extended Format File System (HFS+): Introduced with Mac OS 8.1. Supports smaller file sizes on larger volumes, resulting in more efficient disk use.
Apple File System (APFS): Introduced in macOS High Sierra.
When data is written to a device, metadata is also copied to help with crash protection.
Supports TRIM operations, sparse files, cloning, timestamp granularity, etc.
Cannot be used on HDDs due to ‘copy-on-write’ feature and lacks NVRAM support.
Mac File Structure (Data Fork and Resource Fork)
In Mac, a file consists of two parts:
Data fork: Typically contains data the user creates, such as text or spreadsheets. Applications also read and write to the data fork.
Resource fork: Stores file metadata (like icon) and application information.
Mac Volume Structures
A volume is any storage medium used to store files. It can be all or part of the storage media for hard disks.
Volumes have allocation blocks and logical blocks.
A logical block cannot exceed 512 bytes.
An allocation block is a set of consecutive logical blocks.
Two end-of-file (EOF) descriptors:
Logical EOF: Actual size of the file.
Physical EOF: The number of allocation blocks for that file.
Clumps are groups of contiguous allocation blocks, which reduce fragmentation.
Older HFS-Formatted Drives
The first two logical blocks, 0 and 1, are boot blocks
Master Directory Block (MDB) or Volume Information Block (VIB)
Stores all information about a volume
Volume Control Block (VCB)
Stores information from the MDB when OS mounts
Extents overflow file
Stores any file information not in the MDB or a VCB
Catalog
The listing of all files and directories on the volume
Maintains relationships between files and directories
Forensics Procedures in Mac
There are some differences between Linux and Mac OS X file systems.
Linux has the /home/username and /root directories.
In macOS, the corresponding folders are /Users/username and /private/var/root.
The /home directory exists in the macOS but it is empty
MacOS users have limited access to other user accounts’ files, and the guest account is disabled
MacOS stores user settings in the form of property list format (plist) which uses XML or binary data format for data storage
Mac Log File Locations
System Log Folder: /var/log
System Log: /var/log/system.log
Mac Analytics Data: /var/log/DiagnosticMessages
System Application Logs: /Library/Logs
System Reports: /Library/Logs/DiagnosticReports
User Application Logs: ~/Library/Logs
User Reports: ~/Library/Logs/DiagnosticReports
Audit Logs: /var/audit/*
System and Software Update Installation Dates: /var/log/install.log
Home directory: helps determine malicious attempts, as it stores logon attempts, authentication data, and the user's application, installation, desktop, library and documents folders, etc.
Additional Notes on Mac Forensics
For forensics procedures in Mac OS X, you must know where file system components are located and how both files and file components are stored.
Application settings are in three formats: Plaintext, plist files, and the SQLite database
Plist files are preference files for installed applications on a system
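Because a plist may be stored either as XML or as the binary bplist format, a text search over preference files misses anything in binary form. The following added example (not from the original slides) detects which form a plist is in, decodes both with Python's standard plistlib, converts binary to XML for review, and walks the decoded structure to pull out every string value. The sample preference dictionary is constructed test data; its keys and server names are invented for illustration.

```python
import plistlib
from datetime import datetime


def detect_plist_format(data):
    """Binary plists start with the 'bplist' magic; XML ones with an XML prolog."""
    if data.startswith(b"bplist"):
        return "binary"
    if data.lstrip().startswith(b"<?xml") or b"<plist" in data[:256]:
        return "xml"
    raise ValueError("not a property list")


def load_plist(data):
    """Return (format_name, decoded object); plistlib handles both encodings."""
    return detect_plist_format(data), plistlib.loads(data)


def to_xml(data):
    """Re-encode any plist as XML text so it can be read or grepped."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML).decode()


def extract_strings(obj):
    """Collect every string value from nested dicts and lists, depth first."""
    if isinstance(obj, str):
        return [obj]
    if isinstance(obj, dict):
        return [s for v in obj.values() for s in extract_strings(v)]
    if isinstance(obj, (list, tuple)):
        return [s for v in obj for s in extract_strings(v)]
    return []


# Constructed preference content resembling a recent-servers list (invented values).
SAMPLE = {
    "LastConnected": datetime(2023, 11, 14, 22, 13, 20),
    "RecentServers": ["smb://fileserver.example.internal", "afp://nas.example.internal"],
    "ShowHidden": True,
}
BINARY_PLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
XML_PLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    for blob in (BINARY_PLIST, XML_PLIST):
        fmt, obj = load_plist(blob)
        print(fmt, extract_strings(obj))
    print(to_xml(BINARY_PLIST))
```

The two encodings decode to the same dictionary, which is why an examiner should parse plists rather than grep them: the server names above are invisible to a plain string search over the binary form's packed object table only in the sense that surrounding structure is lost, while dates and booleans are not stored as text at all.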
FileVault is used to encrypt and decrypt a user's /Users directory.
Mac Forensics: Keychains and Trash
Keychains: Files used to manage passwords for applications, Web sites, and other system files. The Mac application Keychain Access enables you to restore passwords
Deleted files: Located in the Trashes folder. However, if a file is deleted at the command line, it doesn’t show up in the trash
Mac Acquisition Methods
Make an image of the drive
Removing the drive from a Mac Mini case is difficult
Attempting to do so without Apple factory training could damage the computer
Also difficult for MacBook Air (need special screwdrivers)
Use a macOS-compatible forensic boot CD/DVD to make an image
BlackBag Technologies sells acquisition products specifically designed for OS 9 and OS X
MacQuisition is a forensic boot CD that makes an image of a Mac drive
After making an acquisition, examine the image of the file system; the tool you use depends on the image file format
Examples of Mac Forensics Tools
mac_apt
Cellebrite Digital Collector
Maxosac
macMRUParser
LLImager
Passware Kit Forensics
Magnet Axiom
Using Linux Forensics Tools
Most commercial computer forensics tools can analyze Linux Ext2, Ext3, Ext4, ReiserFS, and Reiser4 file systems
Freeware tools include Sleuth Kit and its Web browser interface, Autopsy Forensic Browser
Freeware Carving Tools
Foremost: A freeware carving tool that can read many image file formats; the file types it recognizes are configured in foremost.conf
Scalpel
Foremost Example
foremost -i 11-carve-fat.dd -o "Foremost recovery"
Scalpel Configuration File Example
Allows configuration for different file types based on header and footer values.
PhotoRec Example
photorec <imagefile>
Used to recover deleted files from a drive or image file
It also allows scanning extracted data for any malicious data
photorec image.dd
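Foremost and Scalpel both work the same way: walk the image looking for a known header, then take everything up to the matching footer (or up to a maximum size). The following added example (not from the original slides or from either tool) parses two constructed scalpel.conf-style rules, carves a small constructed disk image that contains a JPEG, a PNG and a truncated JPEG with no footer, and writes the carved objects out the way these tools do. The rule syntax supported here (extension, case flag, maximum size, header, footer, with \xNN escapes) is a simplification of the real configuration format.

```python
import os

# Constructed rules in scalpel.conf style: extension, case-sensitive flag,
# maximum carve size, header, footer. This parser supports \xNN escapes only.
SCALPEL_RULES = r"""
# ext  case  max-size  header                   footer
jpg    y     200000    \xff\xd8\xff             \xff\xd9
png    y     500000    \x89PNG\x0d\x0a\x1a\x0a  IEND\xaeB`\x82
"""


def decode_pattern(text):
    """Turn a rule pattern containing \\xNN escapes into raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i:i + 2] == "\\x" and i + 4 <= len(text):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ext, _case, max_size, header, footer = line.split()
        rules.append({"ext": ext, "max_size": int(max_size),
                      "header": decode_pattern(header), "footer": decode_pattern(footer)})
    return rules


def carve(data, rules):
    """Return carved objects as dicts (type, offset, size, data), ordered by offset.
    A header with no footer inside max_size is skipped, as foremost/scalpel do."""
    found = []
    for r in rules:
        pos = 0
        while True:
            start = data.find(r["header"], pos)
            if start < 0:
                break
            end = data.find(r["footer"], start + len(r["header"]), start + r["max_size"])
            if end >= 0:
                size = end + len(r["footer"]) - start
                found.append({"type": r["ext"], "offset": start, "size": size,
                              "data": data[start:start + size]})
                pos = start + size
            else:
                pos = start + 1
    return sorted(found, key=lambda f: f["offset"])


def write_carved(found, outdir):
    """Write each carved object as <offset>.<ext>, like the tools' output directories."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for f in found:
        path = os.path.join(outdir, f"{f['offset']:08d}.{f['type']}")
        with open(path, "wb") as fh:
            fh.write(f["data"])
        paths.append(path)
    return paths


# Constructed disk image: filler, a minimal JPEG, junk, a minimal PNG, more filler,
# and a JPEG header with no footer (should not be carved).
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"                 # 46 bytes
PNG = b"\x89PNG\x0d\x0a\x1a\x0a" + b"\x00" * 30 + b"IEND\xaeB`\x82"     # 46 bytes
TRUNCATED = b"\xff\xd8\xff\xe1" + b"\x00" * 20
DISK_IMAGE = b"\x00" * 16 + JPEG + b"junk" * 8 + PNG + b"\xff" * 10 + TRUNCATED

if __name__ == "__main__":
    for f in carve(DISK_IMAGE, parse_rules(SCALPEL_RULES)):
        print(f["type"], "at offset", f["offset"], "size", f["size"])
```

The maximum size matters: without it a missing footer would make the carver swallow everything up to the next unrelated footer in the image, which is exactly the false positive the real tools' size limit is there to contain.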
Freta: Cloud Based Tool for Linux System
Freta is a free cloud-based tool designed by Microsoft Research that provides automated full-system volatile memory inspection of Linux systems.
Detects novel malicious software, kernel rootkits, hidden processes, etc.
It is easy to use to submit a captured image and generate reports
It is designed for automating IR-like discovery tasks directly into a cloud fabric
Linux Forensics Supplements
uptime
readelf <file>
systemctl
cat /proc/partitions
cat /proc/swaps
netstat -tulpn
ausearch
ip addr show
nmap -sT localhost
lsof -i -P -n | grep LISTEN
lsof -u <user>
xxd <file> | head
file <file>
modinfo <module>
rkhunter --check --rwo
strings -t d <file> | grep <pattern>
chkrootkit
ps auxww
Mac Forensics Supplements
stat [-FlLnqrsx] [-f format] [-t timefmt] [file ...]
date -u
systemsetup -gettimezone
TZ=GMT date
ifconfig
netstat
tcpdump
ps -ef > processeslist.txt
ps -f -U root -u root
system_profiler
networksetup -listallhardwareports
ls -lu
ls ~/Library/Caches
sysctl vm.swapusage
networksetup -listallnetworkservices
sudo lsof -i -P | grep -i "listen"
Summary
UNIX was created to be a multiuser, multithreaded, secure OS
The Linux kernel is usually packaged with other software components, such as a GUI and applications
Linux supports a wide range of file systems
UNIX and Linux have four components defining the file system: boot block, superblock, inode block, and data block
Summary (cont’d)
In the Linux file system, a hard link is a pointer that allows accessing the same file by different filenames
Before macOS, the file systems HFS and HFS+ were used
In older versions of macOS, a file consists of two parts: a data fork and a resource fork
A volume is any storage medium used to store files
Summary (cont’d)
Plist files are preference files for installed applications on a macOS system
In macOS, unified logging has been added for recording log files and includes new utilities to help forensics examiners
The biggest challenge in acquiring images from macOS systems is often physical access to the drive