[olug] September 2011 OLUG Meeting - September 6th, 6:30 PM
Jon Larsen
jon at jonlarsen.us
Tue Aug 23 11:32:58 UTC 2011
September 2011 OLUG Meeting
The September 2011 OLUG Meeting will be on Tuesday, September 6th at
6:30 PM at the AIM Institute Training Lab/Careerlink.com Career Center,
1911 Harney Street in the Exchange Building.
Presentation: Linux EXT3 File Recovery Via Indirect Blocks by Hal Pomeranz
Hal is a Faculty Fellow of the SANS Institute, and its
longest-tenured instructor. He is the track author and primary
instructor for their Linux/Unix Security certification track
(GCUX). He is also a GIAC Certified Forensic Analyst (GCFA) and an
instructor in the SANS Computer Forensics curriculum. Hal frequently
contributes to the SANS Computer Forensics blog and is a co-author,
with fellow SANS instructors Ed Skoudis and Tim Medin, of the weekly
on-line Command Line Kung Fu column. http://blog.commandlinekungfu.com/
The Meeting will be streamed live on the OLUG channel on Ustream.tv -
http://www.ustream.tv/channel/Omaha-Linux-User-Group
Archived video can be found here: http://www.ustream.tv/user/olug/videos
Linux EXT3 File Recovery Via Indirect Blocks
============================================
The classic problem with recovering deleted data in modern Linux EXT
file systems is that when inode meta-data structures are deallocated,
the block pointer information in these structures is zeroed. This
makes direct reassembly of the original file extremely difficult.
File-carving techniques (foremost, scalpel, et al.) can sometimes be
used when the target file has well-defined start and end signatures.
However, many common Linux file formats lack these signatures or have
no well-defined end-of-file marker—e.g., compressed or gzip data, tar
archives, and so on. Also, these file-carving techniques can run
afoul of meta-data information—indirect block pointers—embedded in the
block stream of larger files. When this meta-data information is
naively incorporated into the recovered data blocks, the usual result
is a corrupted and unreadable file. Traditional file-carving tools
simply "work around" (skip) indirect block data with varying degrees
of success. But simply skipping this indirect block metadata misses
out on a golden opportunity to easily recover most or all of the
original file.
The presentation will begin with an overview of EXT file systems and
the indirect block pointer mechanism. The limitations of existing
file carving tools will be demonstrated. Then we will use existing
and newly developed tools to detect indirect blocks to manually
recover file data from an actual file system.
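As an added illustration of the detection idea the abstract describes (this is not part of the announcement and not Hal's tools), here is a small Python heuristic that spots EXT3 single-indirect blocks in a raw block stream and follows their pointers instead of naively carving through them. It runs on a constructed in-memory image; the 4 KiB block size and the "first pointer is the next block" rule are assumptions about typical ext3 allocation, not something the talk states.

```python
# Added example, not code from the OLUG post or from Hal Pomeranz's tools.
# Assumes 4 KiB blocks and that ext3 placed the indirect block immediately
# before the data blocks it addresses (its usual allocation behaviour).
import struct

BLOCK_SIZE = 4096
PTRS_PER_BLOCK = BLOCK_SIZE // 4  # 1024 little-endian 32-bit block numbers

def is_indirect_block(block: bytes, block_no: int) -> bool:
    """Heuristic: a run of non-zero, strictly increasing block numbers
    followed only by zero padding, with the first pointer == block_no + 1.
    A zeroed inode cannot tell us this; the block's own contents can."""
    ptrs = struct.unpack("<%dI" % PTRS_PER_BLOCK, block)
    if ptrs[0] != block_no + 1:
        return False
    run = 0
    while run < PTRS_PER_BLOCK and ptrs[run] != 0:
        if run and ptrs[run] <= ptrs[run - 1]:
            return False
        run += 1
    return all(p == 0 for p in ptrs[run:])  # only zeros after the run

def find_indirect_blocks(image: bytes) -> list:
    """Scan every block of the image and return candidate indirect blocks."""
    return [n for n in range(len(image) // BLOCK_SIZE)
            if is_indirect_block(image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE], n)]

def recover_via_indirect(image: bytes, block_no: int) -> bytes:
    """Concatenate the data blocks an indirect block points to, leaving the
    metadata block itself out (the bytes a naive carver would splice in)."""
    block = image[block_no * BLOCK_SIZE:(block_no + 1) * BLOCK_SIZE]
    out = bytearray()
    for p in struct.unpack("<%dI" % PTRS_PER_BLOCK, block):
        if p == 0:
            break
        out += image[p * BLOCK_SIZE:(p + 1) * BLOCK_SIZE]
    return bytes(out)

def build_sample_image(payload: bytes, indirect_at: int) -> bytes:
    """Constructed sample image: zero blocks, then an indirect block at
    `indirect_at`, then the payload's data blocks, then two zero blocks.
    (Real files also have 12 direct blocks before this; omitted here.)"""
    nblocks = -(-len(payload) // BLOCK_SIZE)  # ceiling division
    ptrs = [indirect_at + 1 + i for i in range(nblocks)]
    ptrs += [0] * (PTRS_PER_BLOCK - nblocks)
    ind = struct.pack("<%dI" % PTRS_PER_BLOCK, *ptrs)
    data = payload.ljust(nblocks * BLOCK_SIZE, b"\0")
    return bytes(indirect_at * BLOCK_SIZE) + ind + data + bytes(2 * BLOCK_SIZE)
```

Recovered output is whole blocks, so the tail of the last block is slack that must be trimmed from the file size once that is known from other evidence.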
--
Jon H. Larsen - jon -at- jonlarsen -dot- us
Blog - http://jonlarsen.us/
VP of Community Development, Omaha Linux Users Group - http://www.olug.org/
AnimeSunday.org - http://www.animesunday.org/