Difference between pages "Reiserfs" and "SIMiFOR"

From ForensicsWiki
[[Image:SIMiFOR_logo.JPG]]
{{Infobox_Software |
  name = SIMiFOR |
  maintainer = [[FTS]] |
  os = {{Windows}} |
  genre = [[Category:Mobile device tools]] |
  license = {{Commercial}} |
  website = [http://www.forensicts.co.uk/ http://www.forensicts.co.uk/] |
}}
SIMiFOR® is a complete SIM card reading application that allows users access to stored numbers, SMS messages, extended data such as email, category and number types, even IMEI and location information on certain networks. SIMiFOR® is able to report SIM card contents in one simple button click, offering full Unicode and extended character support across multiple formats ([[GSM]], [[iDEN]], [[UMTS]], [[CDMA]] etc.).

SIMiFOR currently extracts data from [[SIM]], [[USIM]] and [[RUIM]] (CSIM) cards.

== Detecting ReiserFS in a forensics environment ==

[[Image:Superblock.png]]
  
Note: These are in [http://en.wikipedia.org/wiki/Little_endian little-endian] format. [[User:Pmow|Pmow]] 18:21, 17 July 2008 (UTC)
 
<table border="0">
<tr><th> '''Name''' </th><th> Size (bytes) </th><th> Description </th></tr>
<tr><td> Block count </td><td align="center"> 4 </td><td> The number of blocks in the partition </td></tr>
<tr><td> Free blocks </td><td align="center"> 4 </td><td> The number of free blocks in the partition </td></tr>
<tr><td> Root block </td><td align="center"> 4 </td><td> The block number of the block containing the root node </td></tr>
<tr><td> Journal block </td><td align="center"> 4 </td><td> The block number of the block containing the first journal node </td></tr>
<tr><td> Journal device </td><td align="center"> 4 </td><td> Journal device number (not sure what for) </td></tr>
<tr><td> Orig. journal size </td><td align="center"> 4 </td><td> Original journal size. Needed when using the partition on systems with different default journal sizes. </td></tr>
<tr><td> Journal trans. max </td><td align="center"> 4 </td><td> The maximum number of blocks in a transaction </td></tr>
<tr><td> Journal magic </td><td align="center"> 4 </td><td> A random magic number </td></tr>
<tr><td> Journal max batch </td><td align="center"> 4 </td><td> The maximum number of blocks to batch into a single transaction </td></tr>
<tr><td> Journal max commit age </td><td align="center"> 4 </td><td> Time in seconds of how old an asynchronous commit can be </td></tr>
<tr><td> Journal max trans. age </td><td align="center"> 4 </td><td> Time in seconds of how old a transaction can be </td></tr>
<tr><td> Blocksize </td><td align="center"> 2 </td><td> The size in bytes of a block </td></tr>
<tr><td> OID max size </td><td align="center"> 2 </td><td> The maximum size of the object id array </td></tr>
<tr><td> OID current size </td><td align="center"> 2 </td><td> The current size of the object id array </td></tr>
<tr><td> State </td><td align="center"> 2 </td><td> State of the partition: valid (1) or error (2) </td></tr>
<tr><td> Magic string </td><td align="center"> 12 </td><td> The reiserfs magic string, should be "ReIsEr2Fs" </td></tr>
<tr><td> Hash function code </td><td align="center"> 4 </td><td> The hash function that is being used to sort names in a directory </td></tr>
<tr><td> Tree height </td><td align="center"> 2 </td><td> The current height of the disk tree </td></tr>
<tr><td> Bitmap number </td><td align="center"> 2 </td><td> The number of bitmap blocks needed to address each block of the file system </td></tr>
<tr><td> Version </td><td align="center"> 2 </td><td> The reiserfs version number </td></tr>
<tr><td> Reserved </td><td align="center"> 2 </td><td> &nbsp; </td></tr>
<tr><td> Inode generation </td><td align="center"> 4 </td><td> Number of the current inode generation </td></tr>
</table>
 
 
The following is the start of the superblock of a 256MB reiserfs partition on an Intel-based system:

<pre>00000000 66 00 01 00 93 18 00 00 82 40 00 00 12 00 00 00  f........@......
00000010 00 00 00 00 00 20 00 00 00 04 00 00 ac 34 11 57  ..... ......¬4.W
00000020 84 03 00 00 1e 00 00 00 00 00 00 00 00 10 cc 03  ..............Ì.
00000030 08 00 02 00 52 65 49 73 45 72 32 46 73 00 00 00  ....ReIsEr2Fs...
00000040 03 00 00 00 04 00 03 00 02 00 00 00 dc 52 00 00  ............ÜR..
</pre>
 
 
[[Image:superblock_example.png]]
 
 
* Block count: 65638
* Free blocks: 6291
* Root block: 16514
* Journal block: 18
* Journal device: 0
* Original journal size: 8192
* Journal trans. max: 1024
* Journal magic: 1460745388
* Journal max. batch: 900
* Journal max. commit age: 30
* Journal max. trans. age: 0
* Blocksize: 4096
* OID max. size: 972
* OID current size: 8
* State: 2 (error)
* Magic string: ReIsEr2Fs
* Hash function code: 3
* Tree height: 4
* Bitmap number: 3
* Version: 2
* Inode generation: 21212
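To make the decoding above reproducible, here is an added Python example (not part of the original wiki page) that unpacks the 80 superblock bytes from the hexdump using the little-endian field layout in the table, and applies the two checks a detection tool would make: a known magic string and a power-of-two blocksize. The probe offsets (64 KiB, and 8 KiB for the old 3.5 layout) come from the Linux kernel's reiserfs header, not from this page; the field and function names are the example's own.

```python
import struct

# The 80 superblock bytes from the hexdump above (256 MB ReiserFS partition).
SUPERBLOCK = bytes.fromhex(
    "66 00 01 00 93 18 00 00 82 40 00 00 12 00 00 00 "
    "00 00 00 00 00 20 00 00 00 04 00 00 ac 34 11 57 "
    "84 03 00 00 1e 00 00 00 00 00 00 00 00 10 cc 03 "
    "08 00 02 00 52 65 49 73 45 72 32 46 73 00 00 00 "
    "03 00 00 00 04 00 03 00 02 00 00 00 dc 52 00 00"
)
# Layout from the table: 11 x u32, 4 x u16, 12-byte magic, u32, 4 x u16, u32; all little-endian.
LAYOUT = "<11I4H12sI4HI"
FIELDS = (
    "block_count", "free_blocks", "root_block", "journal_block", "journal_dev",
    "orig_journal_size", "journal_trans_max", "journal_magic", "journal_max_batch",
    "journal_max_commit_age", "journal_max_trans_age",
    "blocksize", "oid_max_size", "oid_cur_size", "state",
    "magic", "hash_code", "tree_height", "bitmap_number", "version", "reserved",
    "inode_generation",
)
STATE_NAMES = {1: "valid", 2: "error"}
KNOWN_MAGIC = ("ReIsErFs", "ReIsEr2Fs", "ReIsEr3Fs")
# Superblock locations per the Linux reiserfs header: 64 KiB (3.6), 8 KiB (old 3.5 format).
SUPERBLOCK_OFFSETS = (64 * 1024, 8 * 1024)

def parse_superblock(data: bytes) -> dict:
    """Decode the fixed leading 80 bytes of a ReiserFS superblock into named fields."""
    sb = dict(zip(FIELDS, struct.unpack_from(LAYOUT, data, 0)))
    sb["magic"] = sb["magic"].rstrip(b"\0").decode("ascii", "replace")
    sb["state_name"] = STATE_NAMES.get(sb["state"], "unknown")
    return sb

def is_reiserfs_superblock(data: bytes) -> bool:
    """Detection check: a known magic string plus a power-of-two blocksize in a sane range."""
    if len(data) < struct.calcsize(LAYOUT):
        return False
    sb = parse_superblock(data)
    bs = sb["blocksize"]
    return sb["magic"] in KNOWN_MAGIC and 512 <= bs <= 65536 and bs & (bs - 1) == 0

def find_superblock(image: bytes):
    """Probe the standard offsets of a raw image; return (offset, fields) or None."""
    for off in SUPERBLOCK_OFFSETS:
        chunk = image[off:off + struct.calcsize(LAYOUT)]
        if is_reiserfs_superblock(chunk):
            return off, parse_superblock(chunk)
    return None

if __name__ == "__main__":
    for name, value in parse_superblock(SUPERBLOCK).items():
        print(f"{name}: {value}")
```

Running the script prints the same values as the list above, including the state 2 (error) that marks this partition as not cleanly unmounted.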
 
  
 
== External Links ==
 
* [http://en.wikipedia.org/wiki/Reiserfs ReiserFS on Wikipedia]
* [http://www.forensicts.co.uk/ Official web site]
* [http://homes.cerias.purdue.edu/~florian/reiser/reiserfs.php The structure of the Reiser file system]

[[Category:Disk file systems]]

Revision as of 06:47, 18 March 2009
