7:01 a.m.
[Please keep replies on the mailing list]
On Wed, Mar 14, 2012 at 12:08:52PM +0100, Davide Barbato wrote:
I would ask you a question: there are any possibilities to do a file
carving on those image? I know, you lib is an "userspace" utility,
and you take only a logical "screenshot" of the files, but I think
maybe you can share with me some your considerations about that (I
think you made yourself the same question).
I'm afraid I don't understand the question. What is a 'file carving'?
A snapshot?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
7:35 a.m.
New subject: Libguestfs question
Sorry Richard, I'll explain.
As the wikipedia page says[1], "*File carving* is the process of
reassembling computer files from fragments in the absence of filesystem
metadata <https://en.wikipedia.org/wiki/Filesystem#Metadata>;. The carving
process makes use of knowledge of common file structures, information
contained in files, and
heuristics<https://en.wikipedia.org/wiki/Heuristics#Computer_science&g...
how filesystems
fragment <https://en.wikipedia.org/wiki/File_system_fragmentation> data.
Fusing these three sources of information, a file carving system
infers<https://en.wikipedia.org/wiki/Infer>which fragments belong
together."
I'm also interested in finding deleted files: I don't know how vmware
handles filesystem inodes, and if I can recover deleted files.
2012/3/14 Richard W.M. Jones <rjones(a)redhat.com>
[Please keep replies on the mailing list]
On Wed, Mar 14, 2012 at 12:08:52PM +0100, Davide Barbato wrote:
> I would ask you a question: there are any possibilities to do a file
> carving on those image? I know, you lib is an "userspace" utility,
> and you take only a logical "screenshot" of the files, but I think
> maybe you can share with me some your considerations about that (I
> think you made yourself the same question).
I'm afraid I don't understand the question. What is a 'file carving'?
A snapshot?
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
7:46 a.m.
New subject: Libguestfs question
On Wed, Mar 14, 2012 at 01:35:30PM +0100, Davide Barbato wrote:
Sorry Richard, I'll explain.
As the wikipedia page says[1], "*File carving* is the process of
reassembling computer files from fragments in the absence of filesystem
metadata <https://en.wikipedia.org/wiki/Filesystem#Metadata>;. The carving
process makes use of knowledge of common file structures, information
contained in files, and
heuristics<https://en.wikipedia.org/wiki/Heuristics#Computer_science&g...
how filesystems
fragment <https://en.wikipedia.org/wiki/File_system_fragmentation> data.
Fusing these three sources of information, a file carving system
infers<https://en.wikipedia.org/wiki/Infer>which fragments belong
together."
I see. Libguestfs could be useful here because it can remove layers
of complexity -- such as partitions, LVs, encryption -- allowing a
file carving tool to work directly on the filesystem. Such a tool
would have to be added to the API, and the only one I'm familiar with
(PhotoRec) is highly interactive and thus not really suitable as-is
for integrating with the libguestfs API. If there is a file carving
tool which works as a library or non-interactive command line tool,
that would be better suited.
I'm also interested in finding deleted files: I don't know
how vmware
handles filesystem inodes, and if I can recover deleted files.
VMware doesn't really have anything to do with it - the guest
operating system uses its normal method for deleting files, and those
can be recovered using ordinary tools (eg. ext2undelete,
ntfsundelete). You just need to add those tools into the libguestfs
API. See this page for a guide to adding new APIs:
http://libguestfs.org/guestfs.3.html#extending_libguestfs
Actually ext2undelete and ntfsundelete are both on the todo list, and
have been for some time.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
8:03 a.m.
New subject: Libguestfs question
2012/3/14 Richard W.M. Jones <rjones(a)redhat.com>
I see. Libguestfs could be useful here because it can remove layers
of complexity -- such as partitions, LVs, encryption -- allowing a
file carving tool to work directly on the filesystem. Such a tool
would have to be added to the API, and the only one I'm familiar with
(PhotoRec) is highly interactive and thus not really suitable as-is
for integrating with the libguestfs API. If there is a file carving
tool which works as a library or non-interactive command line tool,
that would be better suited.
There is foremost (and scalpel, a fork) that do file carving non-interactive
VMware doesn't really have anything to do with it - the guest
operating system uses its normal method for deleting files, and those
can be recovered using ordinary tools (eg. ext2undelete,
ntfsundelete). You just need to add those tools into the libguestfs
API. See this page for a guide to adding new APIs:
http://libguestfs.org/guestfs.3.html#extending_libguestfs
Actually ext2undelete and ntfsundelete are both on the todo list, and
have been for some time.
Rich.
Ok, I'll check it out right now. Thanks
8:32 a.m.
New subject: Libguestfs question
See also some recent examples of new APIs being added:
https://github.com/libguestfs/libguestfs/commit/51aa51884e8dfa22b489e9587...
https://github.com/libguestfs/libguestfs/commit/a001a0d710ec61d8bc11841f4...
Also any tools required may need to be added to Fedora and
Debian, if not already.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
4635
days inactive
4635
days old
4 comments
2 participants
participants (2)
-
Davide Barbato -
Richard W.M. Jones