[lug] BLUG Meeting Announcement 2011-06-09

Boulder Linux boulderlinux at gmail.com
Wed Jun 8 08:00:05 MDT 2011


    http://lug.boulder.co.us/calendar.html

The June Boulder Linux User Group meeting is coming up.

   Talk : EXT File System Forensics

Speaker : Hal Pomeranz

   When : 7 p.m. on Thu, Jun 09, 2011 

  Where : Aztek Networks, 2477 55th St, Suite 202, Boulder, CO.

          Aztek Networks is on 55th between Arapahoe and Pearl, just
          north of the Humane Society.  There's plenty of parking, and
          the 206 and 208 buses stop across the street.

    Map : http://lug.boulder.co.us/meetings.html

Summary of 'EXT File System Forensics'
--------------------------------------

The classic problem with recovering deleted data in modern Linux EXT
file systems is that when inode meta-data structures are reallocated,
the block pointer information in these structures is zeroed.  This
makes direct reassembly of the original file extremely difficult.

File-carving techniques (foremost, scalpel, et al) can sometimes be
used when the target file has well-defined start and end signatures.
However, many common Linux file formats lack these signatures or have
no well-defined end-of-file marker (e.g., compressed or gzip data,
tar archives, and so on).  Also, these file-carving techniques can run
afoul of meta-data (indirect block pointers) embedded in
the block stream of larger files.  When this meta-data information is
naively incorporated into the recovered data blocks, the usual result
is a corrupted and unreadable file.  Traditional file-carving tools
simply "work around" (skip) indirect block data with varying degrees
of success.  But simply skipping this indirect block metadata misses
out on a golden opportunity to easily recover most or all of the
original file.

The presentation will begin with an overview of EXT file systems and
the indirect block pointer mechanism.  The limitations of existing
file carving tools will be demonstrated.  Then we will use existing
and newly developed tools to detect indirect blocks to manually
recover file data from an actual file system.  Time permitting,
we'll look into the newer EXT4 file system and discuss issues that
will complicate forensics on newer Linux systems.
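The following is an added illustration of the indirect-block problem described above; it is not code from the talk or from any of the tools it mentions. It constructs a small in-memory EXT2/3-style image (1 KiB blocks, 32-bit little-endian block pointers, one file laid out sequentially with its single indirect block after the twelve direct blocks, all of which are assumptions of this example), scans it for blocks that look like indirect pointer arrays, and compares naive sequential carving, which swallows the indirect block and corrupts the output, with carving that recognises the indirect block and follows its pointers instead. The detection heuristic (a run of strictly increasing, in-range pointers followed only by zero padding) is a simplification; real images with fragmented files need a looser test.

```python
"""Constructed EXT indirect-block detection and recovery example (added
illustration, not the talk's own tooling).  Assumes EXT2/3 layout: 1 KiB
blocks, 32-bit little-endian block numbers, 12 direct pointers per inode."""
import struct

BLOCK_SIZE = 1024
PTRS_PER_BLOCK = BLOCK_SIZE // 4
NDIR = 12  # direct block pointers in an EXT2/3 inode


def read_block(image: bytes, b: int) -> bytes:
    return image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]


def is_indirect_block(block: bytes, max_block: int, min_ptrs: int = 4) -> bool:
    """Heuristic: an indirect block is an array of block numbers that are
    strictly increasing (sequentially allocated file), all inside the file
    system, followed only by zero padding.  Data blocks almost never fit."""
    ptrs = struct.unpack("<%dI" % PTRS_PER_BLOCK, block)
    n = 0
    while n < PTRS_PER_BLOCK and ptrs[n] != 0:
        n += 1
    if n < min_ptrs or any(p != 0 for p in ptrs[n:]):
        return False
    live = ptrs[:n]
    if any(p >= max_block for p in live):
        return False
    return all(b > a for a, b in zip(live, live[1:]))


def find_indirect_blocks(image: bytes) -> list:
    """Scan every block of the image and report the ones that look like
    indirect pointer arrays (the 'detect indirect blocks' step)."""
    max_block = len(image) // BLOCK_SIZE
    return [b for b in range(max_block)
            if is_indirect_block(read_block(image, b), max_block)]


def carve_naive(image: bytes, start_block: int, nblocks: int) -> bytes:
    """What a signature-only carver does: take consecutive blocks, so the
    indirect block's pointer table ends up inside the 'recovered' file."""
    return image[start_block * BLOCK_SIZE:(start_block + nblocks) * BLOCK_SIZE]


def carve_indirect_aware(image: bytes, start_block: int, nblocks: int) -> bytes:
    """Walk forward from the first data block; when an indirect block is
    met, use its pointers for the remainder (single indirect only here)."""
    max_block = len(image) // BLOCK_SIZE
    out = bytearray()
    taken = 0
    b = start_block
    while taken < nblocks and b < max_block:
        blk = read_block(image, b)
        if is_indirect_block(blk, max_block):
            for p in struct.unpack("<%dI" % PTRS_PER_BLOCK, blk):
                if p == 0 or taken >= nblocks:
                    break
                out += read_block(image, p)
                taken += 1
            break
        out += blk
        taken += 1
        b += 1
    return bytes(out)


def make_payload(size: int) -> bytes:
    """Constructed file content: numbered text records, no magic header."""
    buf = bytearray()
    i = 0
    while len(buf) < size:
        buf += b"ext forensics sample record %08d\n" % i
        i += 1
    return bytes(buf[:size])


def build_image(total_blocks: int = 200, first_block: int = 100,
                data_blocks: int = 40):
    """Constructed image: 12 direct data blocks, then the indirect block,
    then the remaining data blocks, all contiguous.  Returns the image,
    the original file content and the file's first block number."""
    image = bytearray(total_blocks * BLOCK_SIZE)
    payload = make_payload(data_blocks * BLOCK_SIZE)
    block_nums = list(range(first_block, first_block + NDIR))
    ind_block = first_block + NDIR
    block_nums += list(range(ind_block + 1, ind_block + 1 + data_blocks - NDIR))
    for i, b in enumerate(block_nums):
        image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = payload[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
    ptrs = block_nums[NDIR:] + [0] * (PTRS_PER_BLOCK - (data_blocks - NDIR))
    image[ind_block * BLOCK_SIZE:(ind_block + 1) * BLOCK_SIZE] = struct.pack(
        "<%dI" % PTRS_PER_BLOCK, *ptrs)
    return bytes(image), payload, first_block


if __name__ == "__main__":
    img, original, start = build_image()
    print("indirect blocks found:", find_indirect_blocks(img))
    print("naive carve intact:", carve_naive(img, start, 40) == original)
    print("indirect-aware carve intact:", carve_indirect_aware(img, start, 40) == original)
```

Run against the constructed image, the scan reports block 112 (the indirect block), the naive carve differs from the original file because it copied 1 KiB of pointer table into the middle of the data, and the indirect-aware carve reproduces the file exactly because the pointer table told it which blocks to fetch.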


Pre-meeting food
----------------

Please join us informally for a bite to eat at Panera Bread before the
meeting, around 5:30 P.M.  Panera is in the 29th street mall, east of
Highway 36/28th street near Walnut.


--
Boulder Linux User Group
http://lug.boulder.co.us
