As discussed in the topic:
https://www.redhat.com/archives/libguestfs/2016-March/msg00018.html
I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth
Kit.
http://www.sleuthkit.org/
The two APIs I'm adding with the patch are a simple example of the type of features
TSK can enable.
The icat API is very similar to the previously added ntfscat_i, but it works with
multiple filesystem types and has an interesting added value: it can extract deleted
files. The end result heavily depends on the filesystem internals and on how much it has
been used. On FAT, Ext2 and NTFS it can recover part of or the whole file pretty easily as
long as its sectors have not been overwritten by others. For Ext3 and Ext4 it's a
bit more difficult; usually data carving is more effective in these cases. I haven't
tested on other filesystems.
The fls0 API works similarly to find, but it returns more information such as the
files/directories metadata addresses (inodes) and whether the files are allocated (in use)
or not (deleted). Later on I will add more fine-grained APIs such as fls0-d for showing
only deleted files and fls0-m which reports the creation/access/deletion timestamps. I
might need some help for the related fls API not relying on an external file.
A concrete example on a Windows 7 disk image.
$ ./run guestfish --ro -a /home/noxdafox/disks/win7clone.qcow2
<fs> run
There's no need to mount the disks as TSK reads the raw data structures of the
filesystems.
<fs> fls0 /dev/sda2 /home/noxdafox/disk-content.txt
r/r 15711-128-1: $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/desktop.ini
-/r * 60015-128-1: $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt
-/r * 60015-128-3: $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt:Zone.Identifier
We can see the content of the recycle bin where I trashed and deleted a readme.txt file
(renamed as $R07QQZ2.txt).
The asterisk (*) shows the file is not allocated and it has been deleted from the disk.
We can see its inode number (60015) which means the inode has not been recycled yet so
there's quite a good chance we can recover it.
<fs> icat /dev/sda2 60015 /home/noxdafox/recovered.txt
The file gets fully recovered in my home directory. The correct sha1 proves the recovery
was 100% successful.
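To make the fls0 listing actionable, here is an added example (written for this note, not part of the patch or of libguestfs): a small POSIX shell helper that reads a listing in the format shown above, picks out the unallocated entries flagged with "*", and prints the inode numbers one would pass to icat. The sample lines are constructed from the session above; the device /dev/sda2 and the output directory name are assumptions.

```shell
# Constructed sample: three listing lines in the format the fls0 API writes
# (taken from the session above; a real listing file would hold many more).
FLS_SAMPLE='r/r 15711-128-1: $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/desktop.ini
-/r * 60015-128-1: $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt
-/r * 60015-128-3: $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt:Zone.Identifier'

# deleted_entries: read fls-style lines on stdin and print, for every
# unallocated entry (second field is "*"), the inode number and the path
# separated by a tab. NTFS metadata addresses look like inode-type-id,
# so only the part before the first "-" is kept as the inode.
deleted_entries() {
    awk '$2 == "*" {
        split($3, addr, "-")
        line = $0
        sub(/^[^:]*: /, "", line)      # drop the "type * address: " prefix
        print addr[1] "\t" line
    }'
}

# deleted_inodes: unique inode numbers that are candidates for icat,
# one per line (the two $R07QQZ2.txt streams share inode 60015, so it
# is printed once).
deleted_inodes() {
    deleted_entries | cut -f1 | sort -u
}

# icat_commands: turn the candidate list into guestfish commands that would
# recover each inode from device $1 into directory $2 (both assumptions).
# Only prints the commands; nothing is executed here.
icat_commands() {
    dev=$1
    outdir=$2
    deleted_inodes | while read -r inode; do
        printf 'icat %s %s %s/inode-%s.bin\n' "$dev" "$inode" "$outdir" "$inode"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$FLS_SAMPLE" | deleted_entries
printf '%s\n' "$FLS_SAMPLE" | icat_commands /dev/sda2 /tmp/recovered
```

In practice the listing would come from the file written by fls0 (cat /home/noxdafox/disk-content.txt | deleted_inodes), and the printed icat lines can be pasted into a guestfish session; the recovered files should then be hashed and compared against a known-good digest, as done with sha1 above, before trusting their content.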
I decided to add these APIs because they cover a use case I think libguestfs could
immediately benefit from. With TSK tools it is possible to do more in-depth disk analysis to
quickly discover hidden partitions (malware rootkits) or hidden data in unallocated
sectors.
Matteo Cafasso (2):
added icat and fls0 APIs
added icat and fls0 APIs tests
 Makefile.am              |   1 +
 appliance/packagelist.in |   3 ++
 configure.ac             |   1 +
 daemon/Makefile.am       |   1 +
 daemon/tsk.c             | 122 +++++++++++++++++++++++++++++++++++++++++++++++
 generator/actions.ml     |  33 +++++++++++++
 po/POTFILES              |   1 +
 src/MAX_PROC_NR          |   2 +-
 tests/tsk/Makefile.am    |  27 +++++++++++
 tests/tsk/test-fls0.sh   |  55 +++++++++++++++++++++
 tests/tsk/test-icat.sh   |  53 ++++++++++++++++++++
 11 files changed, 298 insertions(+), 1 deletion(-)
create mode 100644 daemon/tsk.c
create mode 100644 tests/tsk/Makefile.am
create mode 100755 tests/tsk/test-fls0.sh
create mode 100755 tests/tsk/test-icat.sh
--
2.7.0