Difference between pages "LiveDiscover" and "Reiserfs"

From Forensics Wiki

LiveDiscover

LiveDiscover™ Forensic Edition [https://www.wetstonetech.com/cgi/shop.cgi?view,4]

LiveDiscover Forensic Edition (FE) is a tool for rapid distributed network assessment and mapping, a critical first step in any digital investigation. Designed for forensic investigators, LiveDiscover FE scans a range of IP addresses and generates forensic reports, including easy-to-view graphs, for each device located within the specified network. With the case management features, investigators can tailor reports and case details, making evidence court ready. Built-in customization allows the creation of modified vulnerability scripts, making LiveDiscover FE field extensible.

Key Features:
- Live forensic network discovery
- Live forensic vulnerability assessment
- Automatic identification of operating systems, including Windows, Unix, Linux, Mac, VMS, Novell and Sun systems
- Remote detection of system status, including running services, attached devices and open shares
- Forensic mapping of communication devices, printers and more
- Detailed forensic report generation

System Recommendations:
Microsoft Windows® 2000, XP or Vista; 20 MB free disk space; 256 MB RAM; Pentium® III 1 GHz processor

License:
Single user license; site licenses are available upon request

Contact Information:
1-877-WETSTONE ext. 2
www.wetstonetech.com [https://www.wetstonetech.com/index.html]

Reiserfs
Revision as of 07:59, 4 September 2008

Detecting ReiserFS in a forensics environment

Superblock.png

Note: These are in little-endian format. Pmow 18:21, 17 July 2008 (UTC)

Offset  Name                    Size  Description
0       Block count             4     Number of blocks in the partition
4       Free blocks             4     Number of free blocks in the partition
8       Root block              4     Block number of the block holding the root node of the tree
12      Journal block           4     Block number of the first journal block
16      Journal device          4     Device number (st_rdev) of an external journal device; 0 when the journal lives on this partition
20      Orig. journal size      4     Journal size in blocks at creation time, kept so the partition still mounts on systems with a different default journal size
24      Journal trans. max      4     Maximum number of blocks in one transaction
28      Journal magic           4     Random value written when the file system was created; the journal header carries the same value and the two must match
32      Journal max batch       4     Maximum number of blocks batched into one transaction before it is committed
36      Journal max commit age  4     Seconds an asynchronous commit may stay uncommitted
40      Journal max trans. age  4     Seconds a transaction may stay open
44      Blocksize               2     Size of a block in bytes
46      OID max size            2     Maximum size of the object id array
48      OID current size        2     Current size of the object id array
50      State                   2     Unmount state: 1 = valid (cleanly unmounted), 2 = error (mounted read-write, or not cleanly unmounted)
52      Magic string            12    "ReIsEr2Fs" for the 3.6 format ("ReIsErFs" for 3.5, "ReIsEr3Fs" for 3.6 with a relocated journal), NUL-padded to 10 bytes; the last 2 bytes of this field are a separate fs_state value used by fsck
64      Hash function code      4     Hash used to sort names in a directory: 1 = tea, 2 = yura, 3 = r5
68      Tree Height             2     Current height of the disk tree
70      Bitmap number           2     Number of bitmap blocks needed to address every block of the file system
72      Version                 2     ReiserFS format version number
74      Reserved                2     Reserved (for the journal)
76      Inode Generation        4     Current inode generation number

The following is the start of the superblock of a 256 MB ReiserFS partition on an Intel-based (little-endian) system. The offsets in the dump are relative to the start of the superblock, which itself sits 64 KiB (0x10000) into the partition for the 3.6 format, or 8 KiB for the old 3.5 layout:

00000000 66 00 01 00 93 18 00 00 82 40 00 00 12 00 00 00  f........@......
00000010 00 00 00 00 00 20 00 00 00 04 00 00 ac 34 11 57  ..... ......¬4.W
00000020 84 03 00 00 1e 00 00 00 00 00 00 00 00 10 cc 03  ..............Ì.
00000030 08 00 02 00 52 65 49 73 45 72 32 46 73 00 00 00  ....ReIsEr2Fs...
00000040 03 00 00 00 04 00 03 00 02 00 00 00 dc 52 00 00  ............ÜR..

Superblock example.png


Block count: 65638 (× 4096-byte blocks = 268,853,248 bytes, about 256 MiB, matching the stated partition size)
Free blocks: 6291
Root block: 16514
Journal block: 18
Journal device: 0 (the journal is on this partition)
Original journal size: 8192
Journal trans. max: 1024
Journal magic: 1460745388 (0x571134ac)
Journal max. batch: 900
Journal max. commit age: 30
Journal max. trans. age: 0
Blocksize: 4096
OID max. size: 972
OID current size: 8
State: 2 (error: the file system was mounted read-write, or not cleanly unmounted, when this copy was taken)
Magic String: ReIsEr2Fs (3.6 format); the two bytes after it, fs_state, are 0
Hash function code: 3 (r5)
Tree height: 4
Bitmap number: 3 (65638 blocks / 32768 blocks per 4096-byte bitmap block, rounded up)
Version: 2
Inode generation: 21212
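To turn the table and the worked dump above into something repeatable, here is an added Python example (it is not code from this wiki page or from the ReiserFS project) that decodes the 80-byte superblock header, labels the coded fields (magic string, hash code, unmount state) and runs the cross-checks an examiner would want before trusting the values, since a forged or damaged superblock usually fails at least one of them. The hex dump above is embedded as the sample input; the surrounding partition image is constructed. The field names, the 64 KiB / 8 KiB superblock offsets and the hash and state codes follow the Linux kernel's reiserfs_fs.h; the particular checks in sanity_check are this example's own choices.

```python
import struct

# On-disk ReiserFS superblock header: the v1 structure plus the 4-byte inode
# generation that follows it. All fields are little-endian. Names follow the
# kernel's reiserfs_fs.h; the 12-byte "magic string" of the table above is
# really s_magic[10] followed by the 16-bit s_fs_state.
SB_FORMAT = "<3I8I4H10sHI4HI"
SB_SIZE = struct.calcsize(SB_FORMAT)  # 80 bytes
SB_FIELDS = (
    "block_count", "free_blocks", "root_block",
    "journal_1st_block", "journal_dev", "journal_size", "journal_trans_max",
    "journal_magic", "journal_max_batch", "journal_max_commit_age",
    "journal_max_trans_age",
    "blocksize", "oid_maxsize", "oid_cursize", "umount_state",
    "magic", "fs_state",
    "hash_function_code",
    "tree_height", "bmap_nr", "version", "reserved_for_journal",
    "inode_generation",
)

# Where the superblock lives inside the partition (kernel:
# REISERFS_DISK_OFFSET_IN_BYTES and REISERFS_OLD_DISK_OFFSET_IN_BYTES).
SUPERBLOCK_OFFSET = 64 * 1024      # 3.6 format
OLD_SUPERBLOCK_OFFSET = 8 * 1024   # 3.5 format

MAGIC_STRINGS = {
    b"ReIsErFs": "3.5",
    b"ReIsEr2Fs": "3.6",
    b"ReIsEr3Fs": "3.6 (relocated journal)",
}
HASHES = {0: "unset", 1: "tea", 2: "yura", 3: "r5"}
UMOUNT_STATES = {
    1: "valid (cleanly unmounted)",
    2: "error (mounted read-write or not cleanly unmounted)",
}

# The 80 bytes from the hex dump on this page (bytes.fromhex ignores spaces).
PAGE_SUPERBLOCK = bytes.fromhex(
    "66000100 93180000 82400000 12000000"
    "00000000 00200000 00040000 ac341157"
    "84030000 1e000000 00000000 0010cc03"
    "08000200 52654973 45723246 73000000"
    "03000000 04000300 02000000 dc520000"
)


def parse_superblock(raw: bytes) -> dict:
    """Decode the superblock header; raise ValueError if the magic is wrong."""
    if len(raw) < SB_SIZE:
        raise ValueError("need %d bytes, got %d" % (SB_SIZE, len(raw)))
    sb = dict(zip(SB_FIELDS, struct.unpack(SB_FORMAT, raw[:SB_SIZE])))
    sb["magic"] = sb["magic"].rstrip(b"\0")  # NUL-padded to 10 bytes on disk
    if sb["magic"] not in MAGIC_STRINGS:
        raise ValueError("not a ReiserFS superblock: magic %r" % sb["magic"])
    return sb


def sanity_check(sb: dict) -> list:
    """Cross-check fields against each other; returns a list of problems."""
    problems = []
    bs = sb["blocksize"]
    if bs & (bs - 1) or not 512 <= bs <= 8192:
        problems.append("blocksize %d is not a power of two in 512..8192" % bs)
    if sb["free_blocks"] > sb["block_count"]:
        problems.append("free_blocks exceeds block_count")
    if sb["root_block"] >= sb["block_count"]:
        problems.append("root_block %d lies outside the partition" % sb["root_block"])
    # An internal journal occupies journal_size blocks plus one header block.
    if sb["journal_dev"] == 0 and \
            sb["journal_1st_block"] + sb["journal_size"] + 1 > sb["block_count"]:
        problems.append("journal does not fit inside the partition")
    # Each bitmap block addresses blocksize*8 blocks. The on-disk count may be
    # 0 on very large 3.6 file systems, so only compare when it is set.
    if bs and sb["bmap_nr"]:
        expected = (sb["block_count"] + bs * 8 - 1) // (bs * 8)
        if sb["bmap_nr"] != expected:
            problems.append("bmap_nr %d but %d bitmap blocks are needed"
                            % (sb["bmap_nr"], expected))
    if sb["umount_state"] not in UMOUNT_STATES:
        problems.append("unknown umount_state %d" % sb["umount_state"])
    return problems


def summarize(sb: dict) -> dict:
    """Human-readable view of the coded fields."""
    return {
        "format": MAGIC_STRINGS[sb["magic"]],
        "hash": HASHES.get(sb["hash_function_code"], "unknown"),
        "umount_state": UMOUNT_STATES.get(sb["umount_state"], "unknown"),
        "size_bytes": sb["block_count"] * sb["blocksize"],
    }


def find_superblock(image: bytes):
    """Probe both known offsets of a partition image; (offset, fields) or None."""
    for offset in (SUPERBLOCK_OFFSET, OLD_SUPERBLOCK_OFFSET):
        chunk = image[offset:offset + SB_SIZE]
        if len(chunk) < SB_SIZE:
            continue
        try:
            return offset, parse_superblock(chunk)
        except ValueError:
            continue
    return None


# Constructed image for the demo: zeros, the page's superblock at 64 KiB, zeros.
FAKE_IMAGE = bytes(SUPERBLOCK_OFFSET) + PAGE_SUPERBLOCK + bytes(4096)

if __name__ == "__main__":
    offset, sb = find_superblock(FAKE_IMAGE)
    print("superblock found at 0x%x" % offset)
    for name in SB_FIELDS:
        print("%-24s %s" % (name, sb[name]))
    print(summarize(sb))
    print("problems:", sanity_check(sb) or "none")
```

On a real image, read 80 bytes at offset 65536 (or 8192 for a 3.5 volume) and pass them to parse_superblock. The umount_state of 2 in the dump is itself evidence: the volume was either still mounted read-write or was never cleanly unmounted when it was imaged, so the journal may hold transactions not yet applied to the tree.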

External Links

* ReiserFS on Wikipedia: http://en.wikipedia.org/wiki/Reiserfs
* The structure of the Reiser file system: http://homes.cerias.purdue.edu/~florian/reiser/reiserfs.php

Category: Disk file systems