J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering
1 J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering CCI Post Office Box 9627 Mississippi State, MS Voice: (662) Fax: (662)
2 Time Machines
Lesson 4. Reference: Farmer & Venema
3 A Timing Analysis Case Study
On August 20th of 2001, Barney, a harmless Linux computer previously used as a group's multimedia juke box, was found to have an ssh daemon (a program that enables encrypted network logins) listening for connections on a very strange TCP port. When no one confessed to installing the program it seemed clear that Barney had been compromised. In a rush to help the situation, Barney's administrators created a backup of all the directories that appeared to contain suspicious files. An alert was then sent to the corporate computer security staff. It took three days, but finally the security team quarantined the computer; The Coroner's Toolkit (TCT) was unpacked, the suspect disk drive examined, and a story started to unfold. The team knew what had happened, but wanted to know when and, if possible, why it did.
4 System Times
MACtimes are a shorthand way to refer to the three time attributes (mtime, atime and ctime) that are attached to any file or directory in UNIX, Linux, and other file systems. Microsoft's file systems have four similar times: ChangeTime, CreationTime, LastAccessTime and LastWriteTime. Linux also has the dtime attribute, which is set when a file or directory has been deleted; it applies only to deleted files, not to files in the visible file system. Atime refers to the last time the file or directory was accessed. Mtime, in contrast, is changed by modifying a file's contents. The ctime attribute keeps track of when the content or the meta-information about the file (the owner, group, file permissions, etc.) has changed. Ctime may also be used as an approximation of when a file was deleted. For all of these attributes, however, it is crucial to note the word "last": MACtimes only keep track of the last time a file is disturbed; once it has been changed, historical MACtime data is impossible to uncover.
5 Reviewing Time Measurement
On UNIX systems these times may be viewed with the ls command (see the ls man page for more details) and on NTFS with various third-party tools. In real situations, however, it is often easier to use the mactime tool or simply the lstat() system call (which mactime itself uses), as in this simple Perl code fragment:
    # lstat() reads the inode only; it does not touch the file's own times
    ($dev, $inode, $mode, $nlink, $uid, $gid, $rdev, $size,
     $atime, $mtime, $ctime, $blksize, $blocks) = lstat($filename);
    print "$filename (MAC): $mtime, $atime, $ctime\n";
MACtimes returned by the Perl lstat() function call are displayed as the number of seconds since January 1st, 1970, 00:00:00 UTC. NTFS keeps file times in 100 nanosecond chunks since Jan 1st, 1901; lstat() converts this.
6 MACtimes from Barney
This looks very similar to UNIX's ls -l output. The difference here is the inclusion of the "MAC" column, which shows which of the three file time attributes (mtime, atime and ctime) correspond to the date and time in the first column. No atimes appear: the files were copied for safekeeping. OOV (the order of volatility) says that more ephemeral data should be harvested before more stable data, and in this case reading (or copying) a file changes the atime attribute to the time the file was read.
7 Altering Time
lstat()'ing a file does not change its MACtimes, but opening a directory for reading changes the directory's atime, so you must be certain to lstat() directories before opening them and examining their contents. Be cautious when using GUI-based file system management tools: many of these change the atime even when only listing files, because they read the file to figure out which icon should be displayed in the file listing. Digital hashes of file content are very useful for a variety of forensic or administrative purposes, but must be computed after the lstat(), because reading a file changes its atime. If doing a serious investigation you will ideally want to work from a duplicate of the media rather than the original data. Failing that, mount the media read-only, or at the very least turn off atime updates, so that you don't inadvertently destroy or alter the data and come to incorrect conclusions.
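The collection order described on slides 5 to 7 (lstat() every entry, and lstat() a directory before listing it) and the mactime-style "MAC" column from slide 6 can be shown together in a small script. The following is an added example written for this page; it is not TCT's mactime nor code from Farmer & Venema. The function names (lstat_record, collect_mactimes, build_timeline, demo) and the temporary sample tree with utime()-set timestamps are constructed for illustration; ctime cannot be set from user space, so it simply reflects when the sample file was created.

```python
import os
import stat
import tempfile
import time
from collections import defaultdict

# Added example (not TCT's mactime): gather MACtimes with lstat() and print a
# mactime-style timeline with a "MAC" flag column.


def lstat_record(path):
    """lstat() one path. lstat() itself leaves all three times untouched."""
    st = os.lstat(path)
    return {
        "path": path,
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "atime": int(st.st_atime),
        "mtime": int(st.st_mtime),
        "ctime": int(st.st_ctime),
        "is_dir": stat.S_ISDIR(st.st_mode),
    }


def collect_mactimes(root):
    """Walk a tree, recording every directory BEFORE it is opened for reading,
    because listing a directory updates that directory's atime. Regular files
    are never opened, so their atimes survive as well."""
    records = [lstat_record(root)]
    pending = [records[0]]
    while pending:
        d = pending.pop()
        # listdir() opens d and bumps its atime; d's record was taken already.
        for name in sorted(os.listdir(d["path"])):
            rec = lstat_record(os.path.join(d["path"], name))
            records.append(rec)
            if rec["is_dir"]:
                pending.append(rec)
    return records


def build_timeline(records):
    """Emit one line per (timestamp, file) in time order. The MAC column shows
    which of mtime/atime/ctime equals that timestamp; '.' means it does not."""
    by_time = defaultdict(list)
    for rec in records:
        times = {"m": rec["mtime"], "a": rec["atime"], "c": rec["ctime"]}
        for t in set(times.values()):
            flags = "".join(k if times[k] == t else "." for k in "mac")
            by_time[t].append((flags, rec))
    lines = []
    for t in sorted(by_time):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t))
        for flags, rec in sorted(by_time[t], key=lambda fr: fr[1]["path"]):
            lines.append(f"{stamp} {rec['size']:>8} {flags} {rec['mode']} "
                         f"{rec['uid']:<5} {rec['gid']:<5} {rec['path']}")
    return lines


def demo():
    """Constructed sample: a temp tree whose file gets a known atime/mtime."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    f = os.path.join(sub, "juke.mp3")
    with open(f, "w") as fh:
        fh.write("x" * 16)
    os.utime(f, (1000000000, 999990000))   # (atime, mtime), constructed values
    records = collect_mactimes(root)
    return records, build_timeline(records)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

On a real case the script would be pointed at a read-only or noatime mount of a duplicate image, as slide 7 advises; running it against the live original would itself rewrite the directory atimes it is trying to preserve.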
8 Altering time stamps
MACtimes can only report on the last time a file has been disturbed and hence have no way of reporting on the historical activity of a file or directory. A program could run a thousand times and you would only see evidence of a single occurrence. Another limitation is that MACtimes only show you the result of an action, not who did it. MACtimes also degrade over time, displaying a sort of digital Alzheimer's. MACtimes are less useful on busy multi-user systems, because user activity becomes difficult to distinguish from intruder activity. MACtimes also don't help much when normal system activity resembles the kind of trouble that you wish to investigate. Finally, MACtimes are easily forged. UNIX systems have the touch command, which can change atimes and mtimes. On both Microsoft's NTFS and UNIX file systems the utime() system call can also change those two times.
9 Argus (the network Audit Record Generation and Utilization System)
Argus is software that reports on the network status and traffic that it listens to. In the Barney case study there were two things to look for: first, connections to the rogue ssh daemon (the port the program was listening on, TCP 33332, was unusual enough that it could be readily spotted even in large quantities of data; ironically, if the intruder had simply placed it on ssh's normal port, it might never have been noticed); second, a file transfer that might have placed the tar file onto Barney. In this example Barney's IP address was and the intruder came from. Finding the first session to the new ssh daemon was easy: it lasted 17 minutes, as seen in this slightly edited Argus output. Argus appends the port number to the IP address, and the "ssefc" status flags indicate a complete TCP connection:
10 Spotting Further Connections
Just prior to the ssh connection the intruder entered from a second system and downloaded something to Barney from it with FTP (an FTP server uses TCP ports 20 and 21 to send data and receive commands). This was possibly the ssh tar file that was downloaded earlier. Comparing the various sources of data revealed that the time on the Argus system and Barney's differed by some 17 minutes (purely coincidental to the duration of the initial ssh connection). Clock skews such as this are very common and can provide endless amounts of frustration when trying to correlate evidence from different sources.
11 Connecting to port
In this example Barney's IP address was and the intruder came from. Finding the first session to the new ssh daemon was easy: it lasted 17 minutes, as seen in this slightly edited Argus output. Argus appends the port number to the IP address, and the "ssefc" status flags indicate a complete TCP connection:
12 Back Tracing
Just prior to the ssh connection the intruder entered from a second system and downloaded something to Barney from it with FTP (an FTP server uses TCP ports 20 and 21 to send data and receive commands). This is quite possibly the ssh tar file that was downloaded earlier.
13 Clock Drift
Comparing the various sources of data revealed that the time on the Argus system and Barney's differed by some 17 minutes (purely coincidental to the duration of the initial ssh connection). Clock skews such as this are very common and can provide endless amounts of frustration when trying to correlate evidence from different sources. If we scan the Argus logs further back we see the computer at scanning the network for back doors on TCP port 110 (the POP3 mail service) and TCP port 21 (the ftp port). We note that all the connections come from one TCP source port; presumably such an unusual occurrence is not merely a coincidence. A connection lasting four and a half minutes to ftp suggests that there might have been a back door previously installed on Barney ("sr" status flags mean a connection has been refused):
14 Checking Connections from port
The unusual port numbers used by the attackers warranted additional searching, and finding additional connections from that TCP port was certainly easy enough. Not only did we find the above traffic but also another suspicious trail involving the same Barney machine, starting almost a year earlier: on August 22, Barney was apparently compromised through the name daemon port (TCP port 53), probably via a server vulnerability.
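Slides 9 to 14 describe three analysis steps: pick out complete ("ssefc") connections to the rogue port, notice a source port that repeats across connections, and rebase the sensor's clock by the observed 17-minute skew before lining flows up with Barney's MACtimes. The block below is an added example (not Argus output and not Farmer & Venema's code) that performs those steps on constructed flow records. The record layout is a simplified imitation of the "address.port" convention and status flags the slides describe, not Argus's real output format; the addresses are RFC 5737 documentation addresses standing in for the case's elided ones; the direction of the 17-minute offset (sensor behind the host) and the host-side MACtime events are assumptions.

```python
import re
from datetime import datetime, timedelta

# Added example (not Argus, not TCT): correlate network flow records with host
# MACtimes after correcting a known clock offset between the two sources.

ROGUE_SSH_PORT = 33332        # the unusual listener from the case study

# Constructed records in a simplified, Argus-like layout (port appended to the
# address; "ssefc" = complete TCP connection, "sr" = connection refused).
FLOW_RECORDS = """\
2001-08-20 12:57:02 tcp 198.51.100.7.31337 -> 192.0.2.10.110 0:00:00 sr
2001-08-20 12:57:04 tcp 198.51.100.7.31337 -> 192.0.2.10.21 0:04:30 ssefc
2001-08-20 13:19:40 tcp 198.51.100.9.31337 -> 192.0.2.10.21 0:01:12 ssefc
2001-08-20 13:22:15 tcp 198.51.100.7.31337 -> 192.0.2.10.33332 0:17:00 ssefc
"""

FLOW_RE = re.compile(
    r"^(\S+ \S+) (\w+) (\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+) "
    r"(\d+):(\d\d):(\d\d) (\w+)$")

# Assumption: the sensor clock runs 17 minutes behind Barney (host - sensor).
SENSOR_TO_HOST = timedelta(minutes=17)

# Constructed MACtime events already expressed on Barney's own clock.
HOST_EVENTS = [
    (datetime(2001, 8, 20, 13, 37, 5), "mac /tmp/ssh.tar (created)"),
    (datetime(2001, 8, 20, 13, 38, 50), "m.c /usr/local/sbin/sshd2 (installed)"),
]


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue                      # skip anything not in the expected layout
        start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        dur = timedelta(hours=int(m.group(7)), minutes=int(m.group(8)),
                        seconds=int(m.group(9)))
        flows.append({"start": start, "proto": m.group(2),
                      "src": m.group(3), "sport": int(m.group(4)),
                      "dst": m.group(5), "dport": int(m.group(6)),
                      "duration": dur, "flags": m.group(10)})
    return flows


def shift_clock(flows, offset):
    """Rebase sensor timestamps onto the host's clock (offset = host - sensor)."""
    return [dict(f, start=f["start"] + offset) for f in flows]


def connections_to(flows, dport):
    """Completed TCP connections to one destination port."""
    return [f for f in flows if f["dport"] == dport and f["flags"] == "ssefc"]


def source_ports_seen(flows):
    """Count source ports: one port reused across every connection is the
    kind of oddity worth searching further back in the logs."""
    counts = {}
    for f in flows:
        counts[f["sport"]] = counts.get(f["sport"], 0) + 1
    return counts


def merge_timeline(flows, host_events):
    """Interleave (already shifted) flows with (time, description) host events."""
    events = [(f["start"], f"flow {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
               f"{f['flags']} {f['duration']}") for f in flows]
    return sorted(events + list(host_events))


def demo_timeline():
    flows = shift_clock(parse_flows(FLOW_RECORDS), SENSOR_TO_HOST)
    return merge_timeline(flows, HOST_EVENTS)


if __name__ == "__main__":
    for when, what in demo_timeline():
        print(when, what)
```

With the offset applied, the FTP transfer, the creation of the tar file on Barney and the first session to port 33332 fall into the order the case narrative describes; without it, the sensor's timestamps would place the flows a quarter of an hour before the files they explain.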
15 Barney Incident Timeline
16 Checking Log Files - pcat
Many times you would like to examine or search a part of a system rather than a relatively large subsection. TCT's pcat command, which captures the raw memory of a process, can be used to find any date strings within the currently running syslogd process:
17 Verification of logs - 2nd source
This shows what is currently in the process's memory; some log entries span several months! While how much and what kind of data is in a running process varies wildly from system to system, from process to process, and with the activity level of the computer in question, this can be an invaluable source of information. Here the log entries can be checked against what is in the actual system logs: if entries in memory are not present in the log file, then something is amiss. TCT's Lazarus automatically categorizes data based on the content that it finds, and may be useful not only in finding time-based data but in giving form to arbitrary content in the program's memory.
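The check on slides 16 and 17 (carve syslog-style date strings out of a process memory image, then look for entries that the on-disk log no longer contains) can be automated. The block below is an added example and not pcat, Lazarus or any Farmer & Venema code; the memory image and log file are constructed byte strings standing in for `pcat` output and /var/log/messages, and the host name, program names and addresses in them are made up.

```python
import re

# Added example (not TCT's pcat or Lazarus): carve syslog-style entries from a
# process memory image and flag those absent from the log file on disk.

# "Mon DD HH:MM:SS" followed by the rest of the line; a NUL ends the entry too,
# since fragments in memory are not always newline-terminated.
SYSLOG_RE = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d "
    rb"[^\x00\n]{1,200}")

# Constructed stand-in for `pcat <syslogd-pid>` output: log text fragments
# scattered among binary noise, not in chronological order.
MEMORY_IMAGE = (
    b"\x00\x00\x7fELF\x01\x01"
    b"Aug 20 13:36:41 barney ftpd[2231]: connection from 198.51.100.9\n"
    b"\x90\x90\x90"
    b"May  3 07:12:00 barney syslogd 1.3-3: restart.\n"
    + b"\x00" * 8 +
    b"Aug 20 13:39:20 barney sshd2[2270]: accepted connection on port 33332\n"
    b"\xff\xfe"
)

# Constructed /var/log/messages as found on disk: the sshd2 entry is missing.
LOG_FILE = """\
May  3 07:12:00 barney syslogd 1.3-3: restart.
Aug 20 13:36:41 barney ftpd[2231]: connection from 198.51.100.9
"""


def carve_log_entries(image):
    """Return every syslog-looking string found in the raw memory image."""
    return [m.group(0).decode("ascii", "replace") for m in SYSLOG_RE.finditer(image)]


def missing_from_log(entries, log_text):
    """Entries seen in memory that the on-disk log does not contain."""
    on_disk = {line.strip() for line in log_text.splitlines()}
    return [e for e in entries if e.strip() not in on_disk]


if __name__ == "__main__":
    carved = carve_log_entries(MEMORY_IMAGE)
    for entry in carved:
        print("memory:", entry)
    for entry in missing_from_log(carved, LOG_FILE):
        print("NOT ON DISK:", entry)
```

An entry that exists in the daemon's memory but not in the file is exactly the "something is amiss" condition of slide 17; the comparison is by exact line, so rotated logs should be concatenated into log_text before running it.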
18 DNS & Time
DNS has several types of records: PTR (pointer records, which map an IP number to a host name), A (address records, which map a computer's name to an IP number), and MX (mail exchange records, which tell mail agents where mail should be sent). Bind maintains an in-memory cache of recent lookup results. On request it can dump this cache in an orderly manner. The request is made via the ndc or rndc command, or by sending a SIGINT signal (e.g. "kill -SIGINT bind-pid"). And while Bind doesn't keep the explicit time of each request, it does display the time the data has left in the cache (its Time To Live, or TTL) before the data is discarded. The figure below shows a snippet of an rndc dump from the Bind program illustrating this.
19 Timing Query -- TTL
If you were able to obtain the real TTL value and subtract Bind's time left for a specific request in the cache, you would, in theory, know how long ago the query happened. We can get TTLs from the Internet for any DNS resource record using the host command. If you were running your own caching name server it would save the TTL (10800, in this case) and subsequent requests would show the TTL counter decrementing (normally this value should remain the same from query to query).
20 How DNS Times are Generated
In order to get a definitive value for a TTL you must ask an authoritative name server and look at the TTL that comes back with the answer, or, if using your own server, ensure that you clear its cache first, as shown below. Parse the output using scripting languages.
21 Fragments of BIND's Processed Memory Cache
The A records here are from when our SMTP mailer, wanting to send mail to another site, needed to look up the IP address for the host name. The PTR record is from when a computer was probing our ssh daemon, which logged the IP address along with the resolved host name.
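The arithmetic of slides 19 to 21 (query time is roughly the dump time minus the difference between the authoritative TTL and the TTL left in the cache) is carried out below on a constructed cache snippet. This is an added example, not BIND's code nor the page's own dump: the snippet imitates the "name TTL class type rdata" layout of a BIND cache dump only approximately, the remaining TTLs, the dump time, the names and the authoritative TTL table (which in practice you would fill from host or dig answers, as slide 20 says) are all made up, and the function names are the author's own. The edge case slide 20 warns about, a cached TTL that is not below the authoritative value, is reported as "unknown" rather than as a negative age.

```python
import re
from datetime import datetime, timedelta

# Added example (not BIND, not TCT): estimate when a cached DNS answer was
# fetched from the TTL remaining in a cache dump.

# Constructed snippet in a BIND-cache-dump-like "name TTL class type rdata"
# layout; the ";" lines are comments. Remaining TTLs are made up.
CACHE_DUMP = """\
; authanswer
mail.example.net.       9217    IN A    192.0.2.25
; authanswer
10.2.0.192.in-addr.arpa. 86230  IN PTR  probe.example.org.
"""

# Authoritative TTLs as host/dig would return them from the zone's own
# servers (constructed values).
AUTHORITATIVE_TTL = {
    ("mail.example.net.", "A"): 10800,
    ("10.2.0.192.in-addr.arpa.", "PTR"): 86400,
}

DUMP_TIME = datetime(2001, 8, 21, 10, 0, 0)   # constructed: when the cache was dumped

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+)$")


def parse_cache_dump(text):
    recs = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            recs.append({"name": m.group(1), "remaining": int(m.group(2)),
                         "type": m.group(3), "rdata": m.group(4).strip()})
    return recs


def estimate_query_time(dump_time, authoritative_ttl, remaining_ttl):
    """query time ~= dump time - (authoritative TTL - TTL left in cache).
    Returns None when the remaining TTL is not below the authoritative one:
    either the authority's TTL changed or the answer was just refreshed, and
    no age can be derived."""
    elapsed = authoritative_ttl - remaining_ttl
    if elapsed < 0:
        return None
    return dump_time - timedelta(seconds=elapsed)


def age_cache(dump_time, dump_text, ttl_table):
    """(name, type, rdata, estimated query time or None) for each record."""
    out = []
    for r in parse_cache_dump(dump_text):
        auth = ttl_table.get((r["name"], r["type"]))
        when = None if auth is None else estimate_query_time(dump_time, auth, r["remaining"])
        out.append((r["name"], r["type"], r["rdata"], when))
    return out


def demo():
    """Same rows with the estimate rendered as text (None -> 'unknown')."""
    return [(n, t, r, "unknown" if w is None else w.strftime("%Y-%m-%d %H:%M:%S"))
            for n, t, r, w in age_cache(DUMP_TIME, CACHE_DUMP, AUTHORITATIVE_TTL)]


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The estimate is only as good as the dump time and the authoritative TTL: if the resolver was restarted or the zone's TTL differs from the one you fetched, the age is wrong, which is the "in theory" caveat on slide 19.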
22 Journaling file systems and MACtimes
Journaling file systems are not new; they are found on Mac OS X, Linux and Microsoft Windows. Examples include Ext3fs, JFS, NTFS, Reiserfs, XFS, and others. With a journaling file system, part or all of the disk updates are first written to a journal file before they are committed to the file system itself [Robbins, 2001]. Journaling significantly improves recovery from a system crash. Depending on what optimizations the file system is allowed to make, journaling need not cause a loss of performance. Every non-trivial file system operation, such as creating or appending a file, results in a sequence of disk updates that affect both file data (content) and file metadata (the location of file content, and what files belong to a directory).
23 Leveraging Journaled File Systems
When a sequence of updates is interrupted by a system crash, non-journaling file systems such as FFS, EXT2FS or Windows FAT can leave their file metadata in an inconsistent state. FFS versions with soft metadata updates avoid this consistency problem by carefully scheduling their disk updates, so that most of the file system check can be run in the background while the system boots [McKusick, 2004]. The recovery process involves programs such as fsck or scandisk, and can take several hours with large file systems. Compared to this, recovery with a journaling file system is almost instantaneous: it can be as simple as replaying the "good" portion of the journal to the file system and discarding the rest. While journaling file systems differ widely in the way they manage their information, conceptually they are very easy to understand. There are two major flavors: those that journal metadata only, and those that journal both data and metadata. We will look only at MACtimes, i.e. metadata, although journaled file content has great forensic potential, too.
24 Journaling saves repeated accesses
25 Reading Journaled MACtimes
Check the file sizes of /var/log/cron and /var/log/sa/sa19.
Locating the journal (Linux example): Linux tune2fs shows that the journal is stored as a regular file with inode number 8. It does not show that the journal has a fixed size of 32 MBytes. One way to save the content of the journal is with TCT's icat command. Save it to a different file system, otherwise the journal may end up destroying itself with its own content:
    linux# icat /dev/hda1 8 >journalfile
26 Linux debugfs
The Linux debugfs file system debugger can examine the file system journal. In order to examine a saved journal file, specify "-f journalfile" on the logdump command line. As with all tools that are used for unintended purposes, debugfs can produce unexpected results at times, and some judgment is needed when interpreting the results. The amount of MACtime history that can be recovered from a file system journal depends on the type and amount of activity in the file system, as well as on file system implementation details. On file systems such as Ext3fs that journal both data and metadata, the amount of recoverable MACtime history can be small. Systems with little activity can have records that go back as much as an entire day or more. In such cases, watching a file system journal can be like watching a tree grow one ring at a time. The command below dumps recent access times for the /etc/passwd file:
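What slides 22 to 26 recover from the journal is a sequence of older copies of an inode, each carrying the atime/ctime/mtime/dtime values that were current when that copy was journaled. The block below is an added example (not debugfs, icat or Farmer & Venema's code) that decodes the time fields from raw ext2/ext3 on-disk inodes and turns a series of such copies into a MACtime history, including the dtime that only a deleted inode carries (slide 4). The field layout used is the documented start of struct ext2_inode; the inode images themselves, their journal sequence numbers and the helper names are constructed for this example, and locating inode copies inside a real saved journal (which is what logdump does) is left to debugfs.

```python
import struct
from datetime import datetime, timezone

# Added example (not debugfs/icat): decode the time fields of raw ext2/ext3
# inodes and turn successive journal copies of one inode into a MACtime history.

# Leading fields of struct ext2_inode, little-endian: i_mode, i_uid, i_size,
# i_atime, i_ctime, i_mtime, i_dtime, i_gid, i_links_count.
INODE_HEAD = struct.Struct("<HHIIIIIHH")
INODE_SIZE = 128


def decode_inode_times(raw):
    """Return the time-related fields of one on-disk inode image."""
    if len(raw) < INODE_HEAD.size:
        raise ValueError("short inode image")
    mode, uid, size, atime, ctime, mtime, dtime, gid, links = INODE_HEAD.unpack_from(raw)
    return {"mode": mode, "uid": uid, "gid": gid, "size": size, "links": links,
            "atime": atime, "mtime": mtime, "ctime": ctime, "dtime": dtime}


def make_inode(mode, uid, size, atime, ctime, mtime, dtime=0, gid=0, links=1):
    """Build a constructed 128-byte inode image for the sample below."""
    head = INODE_HEAD.pack(mode, uid, size, atime, ctime, mtime, dtime, gid, links)
    return head + b"\x00" * (INODE_SIZE - len(head))


def mactime_history(snapshots):
    """snapshots: (journal_sequence, raw_inode) pairs, oldest first. Returns the
    distinct (sequence, atime, mtime, ctime, dtime) states in order, which is
    the history that the live inode alone (last state only) cannot show."""
    history, last = [], None
    for seq, raw in snapshots:
        t = decode_inode_times(raw)
        state = (t["atime"], t["mtime"], t["ctime"], t["dtime"])
        if state != last:                      # an unchanged copy adds no ring
            history.append((seq,) + state)
            last = state
    return history


def fmt(ts):
    return "-" if ts == 0 else datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed journal copies of one inode: read, read again, an identical copy,
# rewritten (size grows, mtime/ctime move), finally deleted (dtime set, 0 links).
SNAPSHOTS = [
    (101, make_inode(0o100644, 0, 1200, 998200000, 998100000, 998100000)),
    (104, make_inode(0o100644, 0, 1200, 998250000, 998100000, 998100000)),
    (105, make_inode(0o100644, 0, 1200, 998250000, 998100000, 998100000)),
    (109, make_inode(0o100644, 0, 1260, 998250000, 998300000, 998300000)),
    (115, make_inode(0o100644, 0, 0, 998250000, 998400000, 998400000,
                     dtime=998400000, links=0)),
]


def history_lines(snapshots):
    return [f"seq {seq:>5}  atime {fmt(a)}  mtime {fmt(m)}  ctime {fmt(c)}  dtime {fmt(d)}"
            for seq, a, m, c, d in mactime_history(snapshots)]


if __name__ == "__main__":
    for line in history_lines(SNAPSHOTS):
        print(line)
```

Four rings survive from five copies here; on a busy file system the 32 MB journal wraps quickly and far fewer copies of any one inode remain, which is the "type and amount of activity" dependency slide 26 describes.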
27 Foibles of time
Hours, minutes, seconds; time zones; multiple implementations; implementation issues; accuracy; drift; synchronization.
The Network Time Protocol ([NTP, 2004]) and other time synchronization efforts are useful, but will not solve all problems. Systems that act as a central repository for logs often receive log messages from systems in other time zones, yet log the activity in the local time zone. Computers physically move to another time zone, clocks go bad, intruders attempt to inject false or spurious times into your logging mechanisms, systems lose power, backup clock batteries lose power, etc.
28 Conclusion
No other form of forensic data is more interesting, frustrating, relied upon and untrustworthy than time. Provably accurate or consistent time can be extraordinarily difficult to obtain, and should generally only be relied upon when several events or points of view are correlated. Some forms of time data recovery and processing are difficult to automate and impractical for general use; the system will often only give up its secrets under duress or brute force. Additional research is needed on investigating, documenting, and providing methods to collect forensic timing data. Time data is vital to a forensic investigation. Time analysis provides the opportunity to detect modified or deleted records; great care and effort should be taken to try to uncover the gems of time scattered through the system.
More informationOPERATING SYSTEM. Chapter 12: File System Implementation
OPERATING SYSTEM Chapter 12: File System Implementation Chapter 12: File System Implementation File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management
More informationFilesystem. Disclaimer: some slides are adopted from book authors slides with permission
Filesystem Disclaimer: some slides are adopted from book authors slides with permission 1 Recap Directory A special file contains (inode, filename) mappings Caching Directory cache Accelerate to find inode
More informationComputer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic
Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition Chapter 2 Investigating Network Traffic Objectives After completing this chapter, you should be able to: Understand network
More informationNetwork Device Forensics. Digital Forensics NETS1032 Winter 2018
Network Device Forensics Digital Forensics NETS1032 Winter 2018 Risks Most data created, stored, and used by users is kept in files on computers running end user oriented operating systems like Windows,
More informationSecuring Linux Systems Before Deployment
Securing Linux Systems Before Deployment Richard Williams Senior Support Services Specialist Symark Why secure Linux systems? Your Linux enterprise installation is growing Assets on Linux systems are becoming
More informationOverview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks
Overview Handling Security Incidents Chapter 7 Lecturer: Pei-yih Ting Attacks Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Standard
More informationSharing may be done through a protection scheme. Network File System (NFS) is a common distributed file-sharing method
File Sharing Sharing of files on multi-user systems is desirable Sharing may be done through a protection scheme On distributed systems, files may be shared across a network Network File System (NFS) is
More informationArcSight Activate Framework
ArcSight Activate Framework Petropoulos #HPProtect 44% Have trouble managing their SIEM eiqnetworks 2013 SIEM Survey #1 challenge Identification of key events SANS 2012 Log Management and Event Management
More informationChapter 5 Live Data Collection Windows Systems
Chapter 5 Live Data Collection Windows Systems Ed Crowley Spring 10 1 Topics Live Investigation Goals Creating a Response Toolkit Common Tools and Toolkits Preparing the Toolkit Storing Information Obtained
More informationForensic Discovery. Lesson 1 Reference: Farmer & Venema. Mississippi State University Digital Forensics 1
Forensic Discovery Lesson 1 Reference: Farmer & Venema 1 The Spirit of Forensic Discovery Now, a few words on looking for things: When you go looking for something specific, your chances of finding it
More informationCSE380 - Operating Systems
CSE380 - Operating Systems Notes for Lecture 17-11/10/05 Matt Blaze, Micah Sherr (some examples by Insup Lee) Implementing File Systems We ve looked at the user view of file systems names, directory structure,
More informationLecture 21: Reliable, High Performance Storage. CSC 469H1F Fall 2006 Angela Demke Brown
Lecture 21: Reliable, High Performance Storage CSC 469H1F Fall 2006 Angela Demke Brown 1 Review We ve looked at fault tolerance via server replication Continue operating with up to f failures Recovery
More informationKernel Korner IBM's Journaled Filesystem
Kernel Korner IBM's Journaled Filesystem To restart a telecom server quickly, you need a journaling filesystem. Here's how you can move to IBM's AIX-derived JFS. by Steve Best, David Gordon and Ibrahim
More informationSMD149 - Operating Systems - File systems
SMD149 - Operating Systems - File systems Roland Parviainen November 21, 2005 1 / 59 Outline Overview Files, directories Data integrity Transaction based file systems 2 / 59 Files Overview Named collection
More informationDISTRIBUTED FILE SYSTEMS & NFS
DISTRIBUTED FILE SYSTEMS & NFS Dr. Yingwu Zhu File Service Types in Client/Server File service a specification of what the file system offers to clients File server The implementation of a file service
More informationComputer Systems Laboratory Sungkyunkwan University
File System Internals Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today s Topics File system implementation File descriptor table, File table
More informationCNIT 121: Computer Forensics. 9 Network Evidence
CNIT 121: Computer Forensics 9 Network Evidence The Case for Network Monitoring Types of Network Monitoring Types of Network Monitoring Event-based alerts Snort, Suricata, SourceFire, RSA NetWitness Require
More informationThe Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration. Anthony Dowling
The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration Anthony Dowling Date: June 02, 2006 ii Abstract The Sleuth Kit is a collection of Linux tools that perform different aspects of a file system
More informationC13: Files and Directories: System s Perspective
CISC 7310X C13: Files and Directories: System s Perspective Hui Chen Department of Computer & Information Science CUNY Brooklyn College 4/19/2018 CUNY Brooklyn College 1 File Systems: Requirements Long
More informationBACKING UP LINUX AND OTHER UNIX(- LIKE) SYSTEMS
BACKING UP LINUX AND OTHER UNIX(- LIKE) SYSTEMS There are two kinds of people: those who do regular backups and those who never had a hard drive failure Unknown. 1. Introduction The topic of doing backups
More informationMidterm Exam #3 Solutions November 30, 2016 CS162 Operating Systems
University of California, Berkeley College of Engineering Computer Science Division EECS Fall 2016 Anthony D. Joseph Midterm Exam #3 Solutions November 30, 2016 CS162 Operating Systems Your Name: SID AND
More informationISO27001 Preparing your business with Snare
WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security
More informationAcknowledgments About the Authors
Preface p. xv Acknowledgments p. xix About the Authors p. xxi Case Studies p. xxv Live Incident Response p. 1 Windows Live Response p. 3 Analyzing Volatile Data p. 5 The System Date and Time p. 6 Current
More informationChapter 11: Implementing File Systems
Chapter 11: Implementing File Systems Operating System Concepts 99h Edition DM510-14 Chapter 11: Implementing File Systems File-System Structure File-System Implementation Directory Implementation Allocation
More informationWHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX
WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX 1 INTRODUCTION The MITRE Corporation Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) Matrix provides a model
More informationmode uid gid atime ctime mtime size block count reference count direct blocks (12) single indirect double indirect triple indirect mode uid gid atime
Recap: i-nodes Case study: ext FS The ext file system Second Extended Filesystem The main Linux FS before ext Evolved from Minix filesystem (via Extended Filesystem ) Features (4, 48, and 49) configured
More informationCSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak
CSN08101 Digital Forensics Lecture 8: File Systems Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Objectives Investigative Process Analysis Framework File Systems FAT NTFS EXT2/EXT3 last
More informationChapter 12: File System Implementation
Chapter 12: File System Implementation Virtual File Systems. Allocation Methods. Folder Implementation. Free-Space Management. Directory Block Placement. Recovery. Virtual File Systems An object-oriented
More informationCS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching
CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring 2004 Lecture 18: Naming, Directories, and File Caching 18.0 Main Points How do users name files? What is a name? Lookup:
More informationSecurity in the Privileged Remote Access Appliance
Security in the Privileged Remote Access Appliance 2003-2018 BeyondTrust, Inc. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust, Inc. Other trademarks are the property
More informationOS security mechanisms:
OS security mechanisms: Memory Protection: One of the important aspects of Operating system security is Memory Protection. Memory provides powerful indirect way for an attacker to circumvent security mechanism,
More informationFile Systems. What do we need to know?
File Systems Chapter 4 1 What do we need to know? How are files viewed on different OS s? What is a file system from the programmer s viewpoint? You mostly know this, but we ll review the main points.
More informationNTFS Recoverability. CS 537 Lecture 17 NTFS internals. NTFS On-Disk Structure
NTFS Recoverability CS 537 Lecture 17 NTFS internals Michael Swift PC disk I/O in the old days: Speed was most important NTFS changes this view Reliability counts most: I/O operations that alter NTFS structure
More informationCS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching
CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring 2002 Lecture 18: Naming, Directories, and File Caching 18.0 Main Points How do users name files? What is a name? Lookup:
More informationCiphermail Webmail Messenger Administration Guide
CIPHERMAIL EMAIL ENCRYPTION Ciphermail Webmail Messenger Administration Guide October 27, 2017, Rev: 8630 Copyright 2013-2017, ciphermail.com. CONTENTS CONTENTS Contents 1 Introduction 4 2 Admin login
More informationNIST SP Notes Guide to Integrating Forensic Techniques into Incident Response
NIST SP800-86 Notes Guide to Integrating Forensic Techniques into Incident Response Authors: Karen Kent, Suzanne Chevalier, Tim Grance, Hung Dang, August 2006 Computer Forensics The application of science
More informationCourse 832 EC-Council Computer Hacking Forensic Investigator (CHFI)
Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI) Duration: 5 days You Will Learn How To Understand how perimeter defenses work Scan and attack you own networks, without actually harming
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking
More informationOperating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07
0Handouts: Lesson 1 Quiz 1. What is the working definition of authentication? a. The ability for a person or system to prove identity. b. Protection of data on a system or host from unauthorized access.
More information