This article is a quick exercise and a small introduction to the world of Linux forensics. Below, I perform a series of steps in order to analyze a disk that was obtained from a compromised system running a Red Hat operating system.

I start by recognizing the file system, mounting the different partitions, and creating a super timeline and a file system timeline. I also take a quick look at the artifacts and then unmount the different partitions. The process of how to obtain the disk is skipped here, but there are some old but good notes on how to obtain a disk image from a VMware ESX host.

When obtaining the disk files from the ESX host you will need the VMDK files. You then move them to your lab, which can be as simple as your laptop running a VM with the SIFT workstation. To analyze the VMDK files you could use the "libvmdk-utils" package, which contains tools to access the data stored in VMDK files. Another approach is to convert the VMDK file into RAW format. That way it is easier to run the different tools against the image, in particular the tools from The Sleuth Kit, which will be used heavily.

To perform the conversion you can use the QEMU disk image utility ("qemu-img"). Following that, you can list the partition table of the disk image and obtain the sector at which each partition starts using the "mmls" utility. Then use that starting sector to query the details of the file system with the "fsstat" utility. The picture below shows this step.

As you can see in the image, "mmls" and "fsstat" are able to identify the first partition, "/boot", which is of type 0x83 (ext4). However, "fsstat" does not recognize the second partition, which starts at sector 1050624. This is because that partition is of type 0x8e (Linux Logical Volume Manager): what sits at its start is LVM metadata, not a file system. Nowadays, many Linux distributions use the LVM (Logical Volume Manager) scheme by default. LVM is an abstraction layer that allows a hard drive, or a set of hard drives, to be allocated to physical volumes. The physical volumes are combined into volume groups, which in turn are divided into logical volumes; it is the logical volumes that carry a file system such as ext4 and have mount points. With the "dd" utility you can easily confirm that you are looking at LVM2 volumes: the physical volume label ("LABELONE", followed by the "LVM2 001" type string) sits in the first sectors of the partition.

To make the logical volumes usable for the different forensic tools we need to create device maps from the LVM partition. We start with "kpartx", which automates the creation of the partition devices by creating a loopback device for the image and mapping each partition onto it. Then we use the utilities that manage LVM volumes, "pvs", "vgscan" and "vgchange", to find and activate the volume group. The figure below illustrates the necessary steps. After activating the LVM volume group we have six devices that map to the six mount points making up the file system structure of this disk.

Next, mount the different volumes read-only, as we would mount any device for forensic analysis. For ext3/ext4 volumes add the "noload" option as well: a plain "ro" mount still replays a dirty journal, and that replay writes to the evidence. For this it is important to create a folder structure that matches the partition scheme, mounting the root volume first and the volumes for "/boot", "/var" and the rest inside it.

After mounting the disk you normally start the forensic analysis and investigation by creating a timeline. This is a crucial and very useful step because it lists the files that were modified, accessed, changed and created in a human-readable format, known as MAC time evidence (Modified, Accessed, Changed), and it helps to find the time at which a particular event took place and the order in which events happened. Before we create our timeline it is worth noting that Linux file systems such as ext2 and ext3 keep no timestamp for the creation (birth) time of a file. The creation timestamp (crtime) was introduced with ext4. It lives in the inode, so inode-level tools such as The Sleuth Kit's "istat" show it, while ordinary stat(2)-based utilities cannot read it on older kernels; the statx() system call (Linux 4.11 and later) exposes it. The book "Forensic Discovery" (1st edition) by Dan Farmer and Wietse Venema outlines the different timestamps; for the modification time (mtime): for directories, the last time an entry was added, renamed or removed; for other file types, the last time the file was written to.
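The whole procedure on this page (VMDK to RAW conversion, partition and file system identification, LVM activation, read-only mounts, file system timeline, teardown) as one reusable shell script. This is an added example, not the author's own commands or figures. It assumes qemu-img, The Sleuth Kit (mmls, fsstat, fls, mactime), kpartx and the LVM tools are installed and that the script runs as root; the volume group name is read from "pvs" rather than hard-coded, but the root logical volume being named "root" and the evidence paths are assumptions. The embedded mmls output is constructed to match the layout described in the article (a 0x83 "/boot" partition followed by a 0x8e LVM partition at sector 1050624) so that the parsing helpers can be exercised without an image.

```shell
#!/bin/sh
# Added example (not the article's own code). Assumes root, qemu-img, TSK,
# kpartx and LVM2 tools; the LV name "root" and all paths are assumptions.

# Constructed mmls output matching the partition layout the article describes.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001050623   0001048576   Linux (0x83)
003:  000:001   0001050624   0041943039   0040892416   Linux Logical Volume Manager (0x8e)'

# Print the start sector of the first partition whose description carries the
# given type tag (e.g. 0x8e). Reads mmls output on stdin; "+ 0" strips the zeros.
part_start() {
    awk -v tag="($1)" 'index($0, tag) { print $3 + 0; exit }'
}

# mmls reports 512-byte sectors by default; mount -o offset= wants bytes.
sector_to_bytes() {
    echo $(( $1 * ${2:-512} ))
}

# Step 1: VMDK -> raw so TSK and mount can address the image directly.
convert_image() {            # $1 = disk.vmdk  $2 = disk.raw
    qemu-img convert -f vmdk -O raw "$1" "$2"
}

# Step 2: partition table, then file-system details of the non-LVM partition.
# fsstat would fail on the 0x8e partition: LVM metadata is not a file system.
inspect_image() {            # $1 = disk.raw
    mmls "$1"
    boot=$(mmls "$1" | part_start 0x83)
    fsstat -o "$boot" "$1"
}

# Step 3: map the partitions through kpartx, then activate the volume group.
activate_lvm() {             # $1 = disk.raw ; prints the VG name on stdout
    kpartx -av "$1" >&2
    vgscan >&2
    vg=$(pvs --noheadings -o vg_name | awk 'NF { print $1; exit }')
    vgchange -ay "$vg" >&2
    echo "$vg"
}

# Step 4: read-only mounts. noload stops ext3/ext4 from replaying the journal
# (XFS needs norecovery instead); nodev/nosuid/noexec keep evidence inert.
mount_ro() {                 # $1 = block device  $2 = mount point
    mkdir -p "$2"
    mount -o ro,noload,nodev,nosuid,noexec "$1" "$2"
}

# Mount a plain (non-LVM) partition straight out of the raw image by byte offset.
mount_ro_offset() {          # $1 = disk.raw  $2 = start sector  $3 = mount point
    mkdir -p "$3"
    mount -o ro,noload,nodev,nosuid,noexec,loop,offset="$(sector_to_bytes "$2")" "$1" "$3"
}

# Step 5: file-system timeline with TSK. fls -m prefixes paths with the original
# mount point; mactime -d writes CSV and -z pins the zone so MAC times line up.
fs_timeline() {              # $1 = block device  $2 = original mount point  $3 = out.csv
    fls -r -m "$2" "$1" > "${3%.csv}.body"
    mactime -b "${3%.csv}.body" -d -z UTC > "$3"
}

# Step 6: undo the mounts and mappings so the host never writes to the image.
teardown() {                 # $1 = disk.raw  $2 = vg name  $3 = evidence root
    umount -R "$3"
    vgchange -an "$2"
    kpartx -dv "$1"
}

main() {                     # usage: sh linux_forensics.sh disk.vmdk /mnt/evidence
    raw="${1%.vmdk}.raw"
    convert_image "$1" "$raw"
    inspect_image "$raw"
    vg=$(activate_lvm "$raw")
    mount_ro "/dev/mapper/${vg}-root" "$2/root"
    mount_ro_offset "$raw" "$(mmls "$raw" | part_start 0x83)" "$2/root/boot"
    fs_timeline "/dev/mapper/${vg}-root" / "$2-timeline.csv"
    teardown "$raw" "$vg" "$2/root"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as "sh linux_forensics.sh disk.vmdk /mnt/evidence". The helpers "part_start" and "sector_to_bytes" are the only pieces that do not need root or an image; on the constructed table above they return 1050624 for the 0x8e partition and 2048 for /boot, and 1050624 sectors is 537919488 bytes, the value you would hand to "mount -o offset=" if you mounted that region directly.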