Re: [Libguestfs] [PATCH v2 0/2] Added download_blocks API
On 20/07/16 17:04, Pino Toscano wrote:
Hi,
On Sunday, 17 July 2016 20:40:18 CEST Matteo Cafasso wrote:
> v2:
>
> - Rebase on top of master
>
> Matteo Cafasso (2):
> New API: download_blocks
> Added download_blocks API test
>
> daemon/sleuthkit.c | 41 ++++++++++++++++++++++++++-
> generator/actions.ml | 24 ++++++++++++++++
> gobject/Makefile.inc | 2 ++
> src/MAX_PROC_NR | 2 +-
> tests/tsk/Makefile.am | 1 +
> tests/tsk/test-download-blocks.sh | 58 +++++++++++++++++++++++++++++++++++++++
> 6 files changed, 126 insertions(+), 2 deletions(-)
> create mode 100755 tests/tsk/test-download-blocks.sh
The series LGTM, I pushed it after removing the extra change in
do_download_inode and fixing the version.
More a curiosity question than a complain or something else: how are
these APIs are supposed to be used? What is the forensics-related
workflow using them?
Current focus is deleted/unaccessible files retrieval as I
believe this
is the most interesting feature for libguestfs users.
A forensic workflow example would be:
* start libguestfs and identify the disk partition where your data is
* run filesystem_walk to get list of files which are visible within
that disk partition
* if the deleted file you want to recover is in that list, you'll get
its inode
* use download_inode to try recovering the deleted file
For Ext3+ filesystems the thing is a bit more complicated. These
filesystems remove the block links when the file gets deleted making its
recovery more difficult. Only choice is carving out the data and
download_blocks is the function which allows you to do so. What the User
needs is an API capable of mapping disk blocks to files and then he/she
will be able to recover them using download_blocks.
Most of the APIs I am introducing are inspired from TSK ones. Here's a
more detailed example on how to retrieve deleted data from disks.
http://wiki.sleuthkit.org/index.php?title=FS_Analysis
Afterwards, we could focus on more interesting topics such as evidence
gathering and forensics analysis. Automating it is a challenging topic
as most of the "evidence reconstruction" requires careful thinking as
the data might have been tampered or obfuscated.
Yet there are quite interesting features we can add which could support
forensic analysis as well as cloud security solutions. Think about
libguestfs scanning Open Stack instance disks to detect anomalies within
cloud deployments. libguestfs is the perfect tool as it easily allows to
abstract both the disk virtualisation technology (qcow2, vmdk etc..) and
the guest Operating System.
You can find an example on libguestfs-based VM scanning solution in here:
https://github.com/noxdafox/vminspect
If you check the "timeline" command implementation, you'll find few of
the new APIs in use.
Considering they are quite specific, I was
thinking about adding a documentation paragraph and/or some example
to describe/show them better, what do you think?
This is a good question, I was thinking about a blog post to start with
but a paragraph in the documentation sounds good as well. Let me know if
you need help for that, I can provide some real-life example.
Thanks,
_______________________________________________
Libguestfs mailing list
Libguestfs(a)redhat.com
https://www.redhat.com/mailman/listinfo/libguestfs
Attachments:
- attachment.html (text/html — 4.7 KB)