New in libguestfs: Filesystem forensics support

Thanks to patches supplied by Matteo Cafasso, libguestfs, the library for accessing and modifying disk images, is gradually getting support for filesystem forensics.

Initially, I have added a Fedora libguestfs-forensics subpackage, which pulls The Sleuth Kit (TSK) into the virt-rescue appliance so the TSK command line tools can be run against a disk image from the rescue shell.

Parts of TSK will also be made available as libguestfs APIs, so they are callable from other programs.

2 responses to “New in libguestfs: Filesystem forensics support”

  1. Alex

    Any chance you could do a blog post of how to use this feature?

    – Alex

    • rich

      Right now there’s not a lot. You can install libguestfs-forensics and then run virt-rescue on a disk and use the TSK command line tools.

      $ rpm -q libguestfs-forensics 
      libguestfs-forensics-1.33.14-1.fc25.x86_64
      $ ls -l winxp.img
      -rw-rw-r--. 1 rjones rjones 6442450944 Mar  8 09:46 winxp.img
      $ virt-rescue --ro -a winxp.img 
      ><rescue> fls /dev/sda1 
      r/r 4-128-4:	$AttrDef
      r/r 8-128-2:	$BadClus
      r/r 8-128-1:	$BadClus:$Bad
      r/r 6-128-1:	$Bitmap
      r/r 7-128-1:	$Boot
      d/d 11-144-4:	$Extend
      r/r 2-128-1:	$LogFile
      r/r 0-128-1:	$MFT
      r/r 1-128-1:	$MFTMirr
      r/r 9-128-8:	$Secure:$SDS
      r/r 9-144-11:	$Secure:$SDH
      r/r 9-144-14:	$Secure:$SII
      r/r 10-128-1:	$UpCase
      r/r 3-128-3:	$Volume
      r/r 7559-128-1:	AUTOEXEC.BAT
      r/r 3646-128-3:	boot.ini
      r/r 7558-128-1:	CONFIG.SYS
      d/d 3654-144-6:	Documents and Settings
      r/r 7560-128-1:	IO.SYS
      r/r 7561-128-1:	MSDOS.SYS
      r/r 3618-128-3:	NTDETECT.COM
      r/r 3614-128-3:	ntldr
      r/r 27-128-1:	pagefile.sys
      d/d 4127-144-6:	Program Files
      d/d 3652-144-6:	System Volume Information
      d/d 28-144-6:	WINDOWS
      d/d 10752:	$OrphanFiles
      ><rescue> fsstat /dev/sda1 
      FILE SYSTEM INFORMATION
      --------------------------------------------
      File System Type: NTFS
      Volume Serial Number: BA48AA9F48AA59C1
      OEM Name: NTFS    
      Version: Windows XP
      
      METADATA INFORMATION
      --------------------------------------------
      First Cluster of MFT: 262144
      First Cluster of MFT Mirror: 785172
      Size of MFT Entries: 1024 bytes
      Size of Index Records: 4096 bytes
      Range: 0 - 10752
      Root Directory: 5
      
      CONTENT INFORMATION
      --------------------------------------------
      Sector Size: 512
      Cluster Size: 4096
      Total Cluster Range: 0 - 1570344
      Total Sector Range: 0 - 12562765
      
      $AttrDef Attribute Values:
      $STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
      $ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
      $FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
      $OBJECT_ID (64)   Size: 0-256   Flags: Resident
      $SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
      $VOLUME_NAME (96)   Size: 2-256   Flags: Resident
      $VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
      $DATA (128)   Size: No Limit   Flags: 
      $INDEX_ROOT (144)   Size: No Limit   Flags: Resident
      $INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
      $BITMAP (176)   Size: No Limit   Flags: Non-resident
      $REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
      $EA_INFORMATION (208)   Size: 8-8   Flags: Resident
      $EA (224)   Size: 0-65536   Flags: 
      $LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident
      
      Soon we’ll be binding more of the TSK commands as libguestfs APIs and I’ll try to demo that in a future posting.
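Until the TSK APIs land, the practical workflow is the one in the reply above: run virt-rescue --ro, run fls and fsstat, and post-process the text. The following is an added example (not code from this post, from libguestfs or from TSK) that parses fls and fsstat output saved from such a session. It decodes TSK's NTFS address triple (MFT entry, attribute type, attribute id) using the $AttrDef table that fsstat prints, and flags two things a forensic analyst looks for first: entries fls marks as deleted with a leading asterisk, and named alternate data streams (name:stream). The sample input is constructed: the fsstat rows and the first five fls lines are copied from the winxp.img session above, while the deleted invoice.exe line and the notes.txt:payload line are made up for the demonstration.

```python
"""Parse TSK fls/fsstat text saved from a virt-rescue session (added example,
not libguestfs or TSK code). Assumes an NTFS volume, where fls prints
addresses as MFT_entry-attribute_type-attribute_id."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# fls record: "r/r 4-128-4:<TAB>$AttrDef"; deleted entries get a '*' before the
# address; virtual entries such as $OrphanFiles have a bare MFT entry number.
FLS_LINE = re.compile(
    r"^(?P<dtype>[-a-z])/(?P<itype>[-a-z])\s+"   # dirent type / inode type
    r"(?P<deleted>\*\s+)?"                        # deleted (unallocated) marker
    r"(?P<addr>\d+(?:-\d+-\d+)?):\s*"             # entry[-attrtype-attrid]
    r"(?P<name>.*)$")
# fsstat "$AttrDef Attribute Values" row: "$DATA (128)   Size: ...".
ATTRDEF_LINE = re.compile(r"^\$(?P<name>[A-Z_]+)\s+\((?P<code>\d+)\)")


@dataclass
class FlsEntry:
    dirent_type: str          # 'r' file, 'd' directory, '-' unknown/orphan
    inode_type: str
    deleted: bool
    mft_entry: int
    attr_type: Optional[int]  # 128 = $DATA, 144 = $INDEX_ROOT, ... (see $AttrDef)
    attr_id: Optional[int]
    name: str                 # file name without stream suffix
    stream: Optional[str]     # named stream after ':' (alternate data stream)


def parse_attrdef(fsstat_text: str) -> Dict[int, str]:
    """Attribute type code -> name, from fsstat's $AttrDef listing."""
    table: Dict[int, str] = {}
    for line in fsstat_text.splitlines():
        m = ATTRDEF_LINE.match(line.strip())
        if m:
            table[int(m.group("code"))] = "$" + m.group("name")
    return table


def parse_fls(fls_text: str) -> List[FlsEntry]:
    """Parse fls output, skipping prompts and anything that is not a record."""
    entries: List[FlsEntry] = []
    for line in fls_text.splitlines():
        m = FLS_LINE.match(line.strip())
        if not m:
            continue
        parts = m.group("addr").split("-")
        triple = len(parts) == 3
        # NTFS names cannot contain ':', so the first ':' starts the stream name.
        name, sep, stream = m.group("name").partition(":")
        entries.append(FlsEntry(
            m.group("dtype"), m.group("itype"), m.group("deleted") is not None,
            int(parts[0]),
            int(parts[1]) if triple else None,
            int(parts[2]) if triple else None,
            name, stream if sep else None))
    return entries


def describe(entry: FlsEntry, attrdef: Dict[int, str]) -> str:
    """Spell out a TSK NTFS address as MFT entry plus attribute."""
    if entry.attr_type is None:
        return f"MFT entry {entry.mft_entry} (virtual/untyped)"
    aname = attrdef.get(entry.attr_type, "unknown")
    return f"MFT entry {entry.mft_entry}, {aname} ({entry.attr_type}) id {entry.attr_id}"


def named_streams(entries: List[FlsEntry], include_system: bool = False) -> List[FlsEntry]:
    """$DATA attributes carrying a stream name. NTFS metadata files ($BadClus:$Bad,
    $Secure:$SDS) have them legitimately, so '$'-prefixed names are skipped unless
    asked for; an ADS on an ordinary user file is worth a closer look."""
    return [e for e in entries
            if e.stream is not None and e.attr_type == 128
            and (include_system or not e.name.startswith("$"))]


# Constructed sample input: the fsstat rows and the first five fls lines are
# copied from the post's winxp.img session; the last two fls lines (deleted
# invoice.exe, ADS on notes.txt) are made up for the demonstration.
FSSTAT_SAMPLE = """\
$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$DATA (128)   Size: No Limit   Flags:
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
"""
FLS_SAMPLE = """\
r/r 4-128-4:\t$AttrDef
r/r 8-128-1:\t$BadClus:$Bad
d/d 11-144-4:\t$Extend
r/r 3646-128-3:\tboot.ini
d/d 10752:\t$OrphanFiles
r/r * 3120-128-1:\tinvoice.exe
r/r 3121-128-3:\tnotes.txt:payload
"""

if __name__ == "__main__":
    attrdef = parse_attrdef(FSSTAT_SAMPLE)
    for e in parse_fls(FLS_SAMPLE):
        flags = (" DELETED" if e.deleted else "") + (f" stream={e.stream}" if e.stream else "")
        print(f"{e.name:<12} {describe(e, attrdef)}{flags}")
```

The address decoding is the point worth internalising: in the session above, directories show up with a -144- component because fls is naming their $INDEX_ROOT attribute, and ordinary files with -128- because it is naming their $DATA attribute; the same MFT entry number with a different attribute type or id (as with $Secure above) is a different stream of the same file, which is exactly what a hidden ADS on a user file looks like.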
