(120804) #fitalk advanced mac os forensics (hfs+ filesystem)

  • View
    58

  • Download
    5

Embed Size (px)

Text of (120804) #fitalk advanced mac os forensics (hfs+ filesystem)

  • SangJun Jeon

    heros86@korea.ac.kr

    DFRC@Korea University

    HFS+ File system

  • 2/40

    HFS+ File System

    HFS+ File System

  • 3/40

    HFS+ File System

    HFS Filesystem

    UFS

    (255)

    HFS+ Filesystem

    Mac OS X

    CD-ROM

    HFS

  • 4/40

    Raw

    MAC OS X Target Disk Mode

    FireWire

    Mac OS X auto mount

    /usr/sbin/diskarbitrationd

    T

    Target Disk Mode

    Support to Mac OS X or OS8/OS9

    FireWire

  • 5/40

    Raw

    Net cat DD

    XP ( )

    12345 Open

    \>nc -w 10 -Lvp 12345 > Mac.dd

    Mac (Client )

    $sudo dd if=/dev/disk1 bs=1024 | nc 163.152.165.109 12345

  • 6/40

    Sleuthkit 3.1.0 hfs

    sleuth kit .

    disk

    Raw

  • 7/40

    EFI Disk label

    FTK Imager , HFS+ Volume

    HFS+ Volume

    Raw

  • 8/40

    Basic Structure

    Smartphone Forensics(iPhone)

  • 9/40

    Reserved (1024 bytes)

    Volume Header

    data

    Allocation File

    data

    Extents overflow File

    data

    Catalog File

    data

    Attributes File

    data

    Startup File

    data

    Alternate Volume header

    Rerserved (512 bytes)

    - Boot Block . OS Boot

    -Mac OS Finder .

    HFS+ Signature, , , / , Catalog file

    .

    flag

    Fork .

    / . B-Tree

    .

    B-Tree ( )

    Volume header

    HFS+

  • 10/40

    Volume Header struct HFSPlusVolumeHeader {

    UInt16 signature; //2byte

    UInt16 version; //2byte

    UInt32 attributes; //4byte

    UInt32 lastMountedVersion; //4byte

    UInt32 journalInfoBlock; //4byte

    UInt32 createDate; //4byte

    UInt32 modifyDate; //4byte

    UInt32 backupDate; //4byte

    UInt32 checkedDate; //4byte

    UInt32 fileCount; //4byte

    UInt32 folderCount; //4byte

    UInt32 blockSize; //4byte

    UInt32 totalBlocks; //4byte

    UInt32 freeBlocks; //4byte

    UInt32 nextAllocation; //4byte

    UInt32 rsrcClumpSize; //4byte

    UInt32 dataClumpSize; //4byte

    HFSCatalogNodeID nextCatalogID; //4byte

    UInt32 writeCount; //4byte

    UInt64 encodingsBitmap; //8byte

    UInt32 finderInfo[8]; //32byte

    HFSPlusForkData allocationFile; //80byte

    HFSPlusForkData extentsFile; //80byte

    HFSPlusForkData catalogFile; //80byte

    HFSPlusForkData attributesFile; //80byte

    HFSPlusForkData startupFile; //80byte

    }; typedef struct HFSPlusVolumeHeader HFSPlusVolumeHeader;

    HFS+

  • 11/40

    HFSPlusForkData

    struct HFSPlusForkData {

    UInt64 logicalSize; //8byte

    UInt32 clumpSize; //4byte

    UInt32 totalBlocks; //4byte

    HFSPlusExtentDescriptor extents; //64byte

    }; typedef struct HFSPlusForkData HFSPlusForkData; //80byte

    HFS+

    112byte data

    Allocation File(80byte)

    Extents File(80byte)

    Logical Size (8byte) Clump Size (4byte) Total Blocks(4byte)

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Attributes File(80byte)

    Startup File(80byte)

  • 12/40

    HFSPlusExtentDescriptor

    typedef HFSPlusExtentDescriptor HFSPlusExtentRecord[8]; //8byte

    struct HFSPlusExtentDescriptor {

    UInt32 startBlock; //4byte

    UInt32 blockCount; //4byte

    }; typedef struct HFSPlusExtentDescriptor HFSPlusExtentDescriptor;

    HFS+

    112byte data

    Allocation File(80byte)

    Extents File(80byte)

    Logical Size (8byte) Clump Size (4byte) Total Blocks(4byte)

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Attributes File(80byte)

    Startup File(80byte)

  • 13/40

    Volume Header

    112byte data

    Allocation File(80byte)

    Extents File(80byte)

    Logical Size (8byte) Clump Size (4byte) Total Blocks(4byte)

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Attributes File(80byte)

    Startup File(80byte)

    HFSPlusExtentDescriptor

    HFSPlusForkData

    HFS+

  • 14/40

    HFS+ Volume Header

    112byte data

    Allocation File(80byte)

    Extents File(80byte)

    Logical Size (8byte) Clump Size (4byte) Total Blocks(4byte)

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Start Block Block Count Start Block Block Count

    Attributes File(80byte)

    Startup File(80byte)

    $CatalogFile

    HFS+

  • 15/40

    Catalog File

    First leafnode pointer Root node pointer Last leaf node pointer

    8 pointer 16 pointer

    16 pointer 20 pointer 23 pointer

    13 data 8 data 10 data 20 data 21 data 23 data

    8 pointer 13 pointer

    16 data

    Header Node

    Index Node

    Index Node

    Leaf Node

    HFS+

  • 16/40

    Catalog File

    Smartphone Forensics(iPhone)

  • 17/40

    HFS+ Volume Header

    $CatalogFile

    Logical block Clump size Total Blocks

    Start Block Num of Block

    Catalog File(Find Root Node)

  • 18/40

    Find catalog header (Volume headercatalogfilestartblock) * (Volume headerblocksize) = catalog header offset

    Volume Header

    Block Size = Offset 41~44

    CatalogFile attribute = offset 273~352

    Block Size

    Start Block

    0x1000 * 0x8678 = 0x8678000

    Catalog File(Find Root Node)

  • 19/40

    File Header

    Reserved Area(14 Byte)

    Header

    Catalog File(B-tree)

  • 20/40

    Header

    Depth

    Root Node leafRecords firstLeafNode

    lastLeafNode

    Node Size

    maxKeyLen TotalNodes freeNodes

    Catalog File(Find Root Node)

  • 21/40

    Find root node

    Root Node

    Node Size

    0xEE * 0x2000 = 0x1DC000

    0x8678000 + 0x1DC000 = 0x8854000

    Catalog File(Find Root Node)

  • 22/40

    The Root Node

    Smartphone Forensics(iPhone)

    Catalog File(Find Root Node)

  • 23/40

    Node Structure (Index & Leaf node)

    Node descriptor

    Record 0

    Record 1

    Free Space

    Offset to free space

    Offset to record 1

    Offset to record 0

    Value kind

    -1 Leaf node

    0 Index node

    1 Header node

    2 Map node

    Catalog File(Root Node)

  • 24/40

    Node Structure sample

    Node Descriptor of root node

    flink blink type

    height

    Num of Record

    reserved

    Catalog File(Root Node)

  • 25/40

    Index node

    Offset to Recordn = node[nodesize - (n + 1) * 2];

    Offset to record 0 Offset to record 1

    Key length

    Parent Node Id Key name length

    Key name

    Child pointer

    Catalog File(Root Node)

  • 26/40

    Leaf node

    Offset to record 0 Offset to record 1

    flink

    Record type

    Value kind

    1 Forder

    2 File Parent Node Id

    Key name length Key length

    Catalog File(Root Node)

  • 27/40

    Catalog File (Node Traverse)

    Find root node

    Index node or leaf node

    Traverse start!

    Index node

    Record

    Next node = child node(pointer)

    Leaf node

    Record

    Next node = next leaf node(flink)

  • 28/40

    Node Traverse

    Index Node POP

    PUSH all child node

    Leaf Node POP

    Read Record

    0

    2 1

    4 3 2

    7 6 5 4 3

    9 8 7 6 5 4

    10 9 8 7 6 5

    11 10 9 8 7 6

    13 12 11 10 9 8 7

    14 13 12 11 10 9 8

    14 13 12 11 10 9

    POP 0

    POP 1

    POP 2

    POP 3

    POP 04

    POP 5

    POP 6

    POP 7

    POP 9

    0

    1 2

    3 4 5 6 7

    8 9 10 11 12 13 14

    QUEUE flow:

    Catalog File (Node Traverse)

  • 29/40

    Data Extract

    Smartphone Forensics(iPhone)

  • 30/40

    Data Extract

    (by CNID)

    Leaf record

    Offset to record 0 Offset to record 1

    flink

    Record type

    Value kind

    1 Forder

    2 File Parent Node Id

    Key name length Key length

  • 31/40

    (by CNID)

    Leaf record

    88 byte

    Data Extract

  • 32/40

    Sleuthkit icat

    Data Extract

  • 33/40

    Deleted File

    Smartphone Forensics(iPhone)

  • 34/40

    Cdto_2.3.zip cnid = 341343

    FilenoriSetup.exe cnid = 343124

    PurpGuy.gif cnid = 809