On 20/07/16 17:04, Pino Toscano wrote:|
Current focus is deleted/unaccessible files retrieval as I believe this is the most interesting feature for libguestfs users.Hi, On Sunday, 17 July 2016 20:40:18 CEST Matteo Cafasso wrote:v2: - Rebase on top of master Matteo Cafasso (2): New API: download_blocks Added download_blocks API test daemon/sleuthkit.c | 41 ++++++++++++++++++++++++++- generator/actions.ml | 24 ++++++++++++++++ gobject/Makefile.inc | 2 ++ src/MAX_PROC_NR | 2 +- tests/tsk/Makefile.am | 1 + tests/tsk/test-download-blocks.sh | 58 +++++++++++++++++++++++++++++++++++++++ 6 files changed, 126 insertions(+), 2 deletions(-) create mode 100755 tests/tsk/test-download-blocks.shThe series LGTM, I pushed it after removing the extra change in do_download_inode and fixing the version. More a curiosity question than a complain or something else: how are these APIs are supposed to be used? What is the forensics-related workflow using them?
A forensic workflow example would be:
* start libguestfs and identify the disk partition where your data is
* run filesystem_walk to get list of files which are visible within that disk partition
* if the deleted file you want to recover is in that list, you'll get its inode
* use download_inode to try recovering the deleted file
For Ext3+ filesystems the thing is a bit more complicated. These filesystems remove the block links when the file gets deleted making its recovery more difficult. Only choice is carving out the data and download_blocks is the function which allows you to do so. What the User needs is an API capable of mapping disk blocks to files and then he/she will be able to recover them using download_blocks.
Most of the APIs I am introducing are inspired from TSK ones. Here's a more detailed example on how to retrieve deleted data from disks.
Afterwards, we could focus on more interesting topics such as evidence gathering and forensics analysis. Automating it is a challenging topic as most of the "evidence reconstruction" requires careful thinking as the data might have been tampered or obfuscated.
Yet there are quite interesting features we can add which could support forensic analysis as well as cloud security solutions. Think about libguestfs scanning Open Stack instance disks to detect anomalies within cloud deployments. libguestfs is the perfect tool as it easily allows to abstract both the disk virtualisation technology (qcow2, vmdk etc..) and the guest Operating System.
You can find an example on libguestfs-based VM scanning solution in here:
If you check the "timeline" command implementation, you'll find few of the new APIs in use.
Considering they are quite specific, I was thinking about adding a documentation paragraph and/or some example to describe/show them better, what do you think?
This is a good question, I was thinking about a blog post to start with but a paragraph in the documentation sounds good as well. Let me know if you need help for that, I can provide some real-life example.