[Nottingham] Forensics problem

Mat Booth mbooth at fedoraproject.org
Tue Sep 14 15:14:08 UTC 2010


On 14 September 2010 14:55, Paul Tew <binarybod at gmail.com> wrote:
> Hi,
> Some of you folks are aware that I'm a forensic examiner with Notts
> Police... well I suppose you all know now ;)
>
> I have a bit of a problem with some evidence I'm examining and could
> do with some suggestions...
>
> I recently took possession of a Buffalo LinkStation which serves files
> to an attached network via samba. The issue I have is that these files
> are stored on an XFS partition. None of my usual forensic tools can
> parse XFS. To recover the files I've had to mount the image file (for
> the uninitiated, an image file is a copy of all the data from the hard
> drive or, as in this case a RAID). I've mounted the XFS partition
> without any problem and recovered the files, all well and good so far.
>
> My problem is that I need to look at those parts of the drive that
> DON'T form regular files so that I can search for deleted and
> unallocated files and carve them out. Ideally I would like to extract
> all the data from sectors that aren't allocated to files. I would
> normally use something like 'blkls' from the sleuthkit (TSK), but
> unfortunately TSK can't parse XFS partitions.
>
> My question is this:
> Does anyone have any suggestions as to how to stream the areas of a
> partition that don't consist of regular files?
>
> Paul
>

I don't know if it will be of any use, but there is a debugging tool for XFS

xfs_db(8)

It is in the xfsprogs package on my system. The man page is fairly
dense, but seems like it might be useful for inspecting individual
filesystem blocks. Maybe scriptable too.

-- 
Mat Booth
http://fedoraproject.org/get-fedora
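To show how the xfs_db pointer above could serve Paul's goal of streaming the non-file areas of the partition (the blkls-style output he is used to from TSK), here is an added example; it is not code from either poster. It assumes xfsprogs' xfs_db(8) is installed, that `sb 0` followed by `p blocksize` / `p agblocks` prints `name = value` lines, and that `freesp -d` prints one `ag agbno len` triple (in filesystem blocks) per free extent, which is how the xfsprogs versions I know of behave; check both against your own xfs_db before relying on the offsets. The sample superblock and freesp output embedded below are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Stream the unallocated (free) extents of an XFS filesystem into one file
for carving. Added example, not from the mailing-list thread.

Assumptions (verify against your xfsprogs):
  * `xfs_db -r <fs> -c 'sb 0' -c 'p blocksize' -c 'p agblocks'` prints
    lines like `blocksize = 4096`
  * `xfs_db -r <fs> -c 'freesp -d'` prints one `ag agbno len` line per
    free extent, plus a header and a trailing histogram that we skip
"""
import re
import subprocess
from typing import Dict, List, Tuple

Extent = Tuple[int, int, int]        # (ag, agbno, len) in filesystem blocks
ByteRange = Tuple[int, int]          # (absolute byte offset, byte length)

# Constructed sample output, shaped like the assumed xfs_db formats.
SAMPLE_SB = "blocksize = 4096\nagblocks = 16384\n"
SAMPLE_FREESP = (
    "      ag    agbno      len\n"
    "       0        5        3\n"
    "       1      100        2\n"
    "   from      to extents  blocks    pct\n"
    "      2       3       2       5 100.00\n"
)


def parse_sb_fields(text: str) -> Dict[str, int]:
    """Pull integer `name = value` lines out of xfs_db superblock output."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(\w+)\s*=\s*(\d+)\s*$", text, re.M)}


def parse_freesp(text: str) -> List[Extent]:
    """Keep only lines made of exactly three integers (the extent rows)."""
    extents: List[Extent] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and all(p.isdigit() for p in parts):
            ag, agbno, length = (int(p) for p in parts)
            extents.append((ag, agbno, length))
    return extents


def extent_byte_ranges(extents: List[Extent], blocksize: int, agblocks: int,
                       base_offset: int = 0) -> List[ByteRange]:
    """Map (ag, agbno, len) to byte ranges in the image.

    Allocation groups are laid out back to back, each `agblocks` blocks
    long, so block agbno of group ag starts at (ag*agblocks + agbno) *
    blocksize. `base_offset` is where the partition begins inside a
    whole-disk (or RAID) image; 0 if the image is the bare filesystem."""
    return [(base_offset + (ag * agblocks + agbno) * blocksize, length * blocksize)
            for ag, agbno, length in extents]


def extract_bytes(data: bytes, ranges: List[ByteRange]) -> bytes:
    """Concatenate the given ranges of an in-memory image (used for tests)."""
    return b"".join(data[off:off + n] for off, n in ranges)


def copy_ranges(src, dst, ranges: List[ByteRange], chunk: int = 1 << 20) -> int:
    """Stream each range from file object src to dst; returns bytes written."""
    written = 0
    for off, n in ranges:
        src.seek(off)
        remaining = n
        while remaining:
            buf = src.read(min(chunk, remaining))
            if not buf:                      # ran off the end of the image
                raise EOFError(f"short read at offset {off + n - remaining}")
            dst.write(buf)
            written += len(buf)
            remaining -= len(buf)
    return written


def xfs_db(fs_path: str, *cmds: str) -> str:
    """Run xfs_db read-only (-r) with the given commands; returns its stdout."""
    args = ["xfs_db", "-r", fs_path]
    for c in cmds:
        args += ["-c", c]
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def dump_unallocated(fs_path: str, raw_image: str, out_path: str,
                     base_offset: int = 0) -> int:
    """fs_path: what xfs_db opens (the filesystem, e.g. a loop device set up
    with `losetup -r -o <base_offset>`); raw_image: the evidence image the
    bytes are read from, with base_offset locating the partition in it."""
    sb = parse_sb_fields(xfs_db(fs_path, "sb 0", "p blocksize", "p agblocks"))
    ranges = extent_byte_ranges(parse_freesp(xfs_db(fs_path, "freesp -d")),
                                sb["blocksize"], sb["agblocks"], base_offset)
    with open(raw_image, "rb") as src, open(out_path, "wb") as dst:
        return copy_ranges(src, dst, ranges)


if __name__ == "__main__":
    import sys
    fs, raw, out = sys.argv[1:4]
    off = int(sys.argv[4]) if len(sys.argv) > 4 else 0
    print(f"wrote {dump_unallocated(fs, raw, out, off)} bytes of free space")
```

The output is a single concatenation of free extents, the same shape as blkls output, so existing carvers can be pointed at it; because `freesp` only reports extents the allocator considers free, slack space at the tail of allocated files is not included, and the image is only ever opened read-only.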
