Chapter 07 Homework The Tool You Use Depends The Format

Guide to Computer Forensics and Investigations, Fifth Edition 7-1

Chapter 7

Linux and Mac File Systems

At a Glance

Instructor’s Manual Table of Contents

• Overview

• Objectives

• Teaching Tips

• Quick Quizzes

Guide to Computer Forensics and Investigations, Fifth Edition 7-2

Lecture Notes

Overview

Chapter 7 provides a foundation to build on as you become more knowledgeable about

current and legacy OSs and their file systems. Remember that you can use a different

Chapter Objectives

• Describe Linux file structures

• Describe Mac file structures

• Use Linux forensics tools

Teaching Tips

Examining Linux File Structures

1. Explain that UNIX was created to be a multiuser, multithreaded, secure OS and that

components.

2. Use Tables 7-1 and 7-2 to discuss important Linux system files and core top-level

directories of a Linux system.

3. Guide students through the activity starting on page 287 to create a virtual machine so

that they may run Ubuntu 14.04.

4. Once students have access to Ubuntu 14.04, have them complete the next activity,

which will give students a chance to review Linux commands, including:

a. uname –a

File Structures in Ext4

1. Describe the Linux file system Ext2fs and its journaling version Ext3fs. Highlight the

use of inodes, metadata, and data as part of the files structure.

Guide to Computer Forensics and Investigations, Fifth Edition 7-3

2. Discuss the following four components that define the file system:

a. Boot block – contains the bootstrap code (instructions for startup)

3. Explain that the main purpose of inodes is to link data stored on data blocks.

4. Point out that when a file or directory is created on a Linux file system, an inode is

assigned that contains the following information:

• The mode and type of the file or directory

• The number of links to a file or directory

• The UID and GID of the file’s or directory’s owner

• The number of bytes in the file or directory

5. UNIX/Linux file systems use inodes that implement direct, indirect, double-indirect,

6. Define bad blocks and how they can be used on Linux to hide information. Mention that

students can use the badblocks command to find bad blocks on a Linux computer.

Point out that the user must log in as root to do so. There are two other commands that

supply bad block information: mke2fs and e2fsck.

7. Discuss a hard link, which is a pointer that allows accessing the same file by different

8. Use Figure 7-4 to view three hard-linked files pointing to the same inode: 23509. Be

10. Discuss symbolic links, which are simply pointers to other files and aren’t included in

11. Guide students through the activity starting on page 296 so they may see how hard and

Quick Quiz 1

1. The term _____ is often used when discussing Linux because technically, Linux is only

the core of the OS.

2. Adoption of the _____ file system was slower in some distributions, but it’s now

considered the standard file system for most distributions.

3. ____ contain file and directory metadata and provide a mechanism for linking data

stored in data blocks.

4. Where does Linux keep a record of bad sectors?

5. Unlike hard links, _____ can point to items on other drives or other parts of the

network.

Understanding Mac File Structures

1. Introduce Mac OS X to your students and provide a little history about the Hierarchical

File System (HFS) and HFS+, the file systems used by Mac.

Guide to Computer Forensics and Investigations, Fifth Edition 7-5

An Overview of Mac File Structures

1. Explain that in older Mac OSs, a file consists of two parts: the data fork and resource

1. Define a volume as any storage medium used to store files. A volume can be all or part

of a hard disk. On a floppy disk is always the entire disk.

2. Use Figure 7-10 to show the relationship between allocation and logical blocks. Logical

3. Describe the following two types of end of file (EOF) descriptors, using Figure 7-11 in

your discussion:

4. Define clumps as groups of contiguous allocation blocks. Clumps are used to reduce

fragmentation.

5. Discuss the following terms and their functions on a Mac OS:

a. Boot blocks

b. Master Directory Block (MDB) or Volume Information Block (VIB)

Forensic Procedures in Mac

1. Discuss some of the differences between the Linux and Mac OS X file systems:

• Linux has the /home/username and /root directories

2. Emphasize that for forensics procedures in Mac OS X, you must know where file

3. Discuss plist files, which are preference files for installed applications on a system.

4. Mention that FileVault, introduced with version 10.3, is used to encrypt and decrypt a

5. Discuss keychains, which are used to manage passwords for applications, Web sites,

and other system files.

6. Explain that to examine a Mac computer, you need to make an image of the drive. A

8. Explain that BlackBag Technologies sells acquisition products specifically designed for

OS 9 and earlier as well as OS X. For example, MacQuisition is a forensic boot CD that

Teaching

You can get a copy of MacQuisition at its official Web site:

9. Explain that after making an acquisition, the next step is to examine the image of the

file system. The tool you use depends on the format of the image file.

10. If you made a raw format image, you can use any of the following tools:

a. BlackBag Technologies Mac Forensic Software (OS X only)

12. Mention that being able to turn off the mount function in OS X allows you to connect a

Guide to Computer Forensics and Investigations, Fifth Edition 7-7

Using Linux Forensics Tools

1. Mention that most commercial computer forensics tools can analyze Ext2, Ext3, Ext4,

2. Define Foremost as a freeware carving tool that can read many image file formats. It

has a configuration file called foremost.conf.

4. Use Figures 7-12 and 7-13 to explain how to install Sleuth Kit and Autopsy.

5. Use Figures 7-14 and 7-15 to describe how to use Sleuth Kit and Autopsy Browser to

analyze an older Linux file system.

Quick Quiz 2

1. Mac OS X is built on a core called _____, which consists of a Berkeley Software

Distribution (BSD) UNIX application layer built on a Mach microkernel.

2. The _____ typically contains data the user creates, such as text or spreadsheets.

3. In Mac, a group of consecutive logical blocks is known as a(n) _____.

4. The _____ is used to store any file information not in the MDB or a VCB.

5. Since Mac OS 8.6, _____ have been used to manage passwords for applications, Web

sites, and other system files.

Guide to Computer Forensics and Investigations, Fifth Edition 7-8

Class Discussion Topics

1. Ask students to compare HFS+, Ext3fs, and NTFS. Ask your students to choose which

they consider the most reliable file system and justify their answers.

2. Ask students to compare inodes used in Linux and NTFS. Are they the same? If not,

which one is better?

Additional Projects

2. Ask students to investigate the following tools and report on the different features

offered in each:

Additional Resources

1. Mac Hierarchical Filesystem – HFS:

2. BlackBag Technologies:

3. UNIX/Linux Web sites:

a. OpenBSD, www.openbsd.com/

4. Ext2fs Home Page:

5. inode:

6. Foremost:

Guide to Computer Forensics and Investigations, Fifth Edition 7-9

Key Terms

➢ allocation block — In the Mac file system, a group of consecutive logical blocks

➢ clumps — In the Mac file system, groups of contiguous allocation blocks. Clumps are

used to keep file fragmentation to a minimum.

➢ data block — A block in the Linux file system where directories and files are stored on

a drive.

➢ data fork — The part of a Mac file containing the file’s actual data, both user-created

placed in the extents overflow file. Any file extents not in the MDB or a VCB are also

contained in this file. See also catalog, Master Directory Block (MDB), and Volume

Control Block (VCB).

➢ Fourth Extended File System (EXT4) — A Linux file system that added support for

partitions larger than 16 TB, improved management of large files, and offered a more

superblock and consist of a grouping of inodes. See also inodes.

➢ inodes — A key part of the Linux file system, these information nodes contain

descriptive file or directory data, such as UIDs, GIDs, modification times, access times,

creation times, and file locations.

Guide to Computer Forensics and Investigations, Fifth Edition 7-10

➢ Master Directory Block (MDB) — On older Mac systems, the location where all

volume information is stored. A copy of the MDB is kept in the next-to-last block on

the volume. Called the Volume Information Block (VIB) in HFS+.

➢ physical EOF — In the Mac file system, the number of allocation blocks assigned to a

file.

➢ tarball — A highly compressed data file containing one or more files or directories and

their contents.

➢ Third Extended File System (Ext3) — A Linux file system that made improvements

to Ext2, such as adding journaling as a built-in file recovery mechanism.

➢ triple-indirect pointers — The inode pointers in the third layer or group of an OS.