[Libguestfs] [PATCH v2 0/2] Added download_blocks API

noxdafox noxdafox at gmail.com
Wed Jul 20 17:05:35 UTC 2016


On 20/07/16 17:04, Pino Toscano wrote:
> Hi,
>
> On Sunday, 17 July 2016 20:40:18 CEST Matteo Cafasso wrote:
>> v2:
>>
>>   - Rebase on top of master
>>
>> Matteo Cafasso (2):
>>    New API: download_blocks
>>    Added download_blocks API test
>>
>>   daemon/sleuthkit.c                | 41 ++++++++++++++++++++++++++-
>>   generator/actions.ml              | 24 ++++++++++++++++
>>   gobject/Makefile.inc              |  2 ++
>>   src/MAX_PROC_NR                   |  2 +-
>>   tests/tsk/Makefile.am             |  1 +
>>   tests/tsk/test-download-blocks.sh | 58 +++++++++++++++++++++++++++++++++++++++
>>   6 files changed, 126 insertions(+), 2 deletions(-)
>>   create mode 100755 tests/tsk/test-download-blocks.sh
> The series LGTM, I pushed it after removing the extra change in
> do_download_inode and fixing the version.
>
> More a curiosity question than a complaint or something else: how are
> these APIs supposed to be used?  What is the forensics-related
> workflow using them?
Current focus is deleted/inaccessible file retrieval as I believe this
is the most interesting feature for libguestfs users.

A forensic workflow example would be:
  * start libguestfs and identify the disk partition where your data is
  * run filesystem_walk to get the list of files which are visible within
    that disk partition
  * if the deleted file you want to recover is in that list, you'll get
    its inode
  * use download_inode to try recovering the deleted file

For Ext3+ filesystems the thing is a bit more complicated. These
filesystems remove the block links when the file gets deleted, making its
recovery more difficult. The only choice is carving out the data, and
download_blocks is the function which allows you to do so. What the user
needs is an API capable of mapping disk blocks to files; then he/she
will be able to recover them using download_blocks.
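The workflow above, written out against the libguestfs Python bindings, as an added example that is not part of this message or of libguestfs itself. It assumes the API names as released (filesystem_walk, download_inode, download_blocks, add_drive_opts, list_partitions), that bit 0x0001 of tsk_flags marks an allocated entry, and that download_blocks accepts an optional unallocated argument; the host-side file naming and the "empty result means carve" rule are my own choices. Deleted entries are first tried with download_inode; entries that come back empty (the ext3+ case) are reported so the caller can fall back to carve_unallocated.

```python
"""Added example: recover deleted files from a disk image with the libguestfs
forensics APIs (filesystem_walk, download_inode, download_blocks)."""
import os
import sys

# tsk_flags bit 0x0001 in filesystem_walk() output marks an allocated (visible)
# entry; when it is clear the entry has been deleted.
TSK_ALLOCATED = 0x0001


def open_disk(image_path):
    """Open a disk image read-only inside the libguestfs appliance."""
    import guestfs  # imported here so the pure-Python helpers below work without it
    g = guestfs.GuestFS(python_return_dict=True)
    g.add_drive_opts(image_path, readonly=1)  # never write to the evidence image
    g.launch()
    return g


def deleted_entries(entries):
    """Keep filesystem_walk() entries that are deleted and still carry an inode."""
    return [e for e in entries
            if not (e["tsk_flags"] & TSK_ALLOCATED) and e["tsk_inode"] != 0]


def safe_name(guest_path):
    """Flatten a guest path into one host file name (no directory separators)."""
    flat = guest_path.replace("\\", "/").strip("/").replace("/", "__")
    return flat or "unnamed"


def recover_deleted(g, device, outdir):
    """Try download_inode on every deleted entry of `device`.

    Returns {"recovered": {guest_name: host_path}, "empty": [guest_name, ...]}.
    Names under "empty" came back with zero bytes or an error: typical for
    ext3+, where the block pointers are cleared on delete, so only carving
    the unallocated blocks (carve_unallocated) can still help.
    """
    os.makedirs(outdir, exist_ok=True)
    result = {"recovered": {}, "empty": []}
    for e in deleted_entries(g.filesystem_walk(device)):
        dest = os.path.join(outdir, "%d_%s" % (e["tsk_inode"], safe_name(e["tsk_name"])))
        try:
            g.download_inode(device, e["tsk_inode"], dest)
        except RuntimeError:  # libguestfs reports API errors as RuntimeError
            result["empty"].append(e["tsk_name"])
            continue
        if os.path.getsize(dest) == 0:
            os.remove(dest)
            result["empty"].append(e["tsk_name"])
        else:
            result["recovered"][e["tsk_name"]] = dest
    return result


def carve_unallocated(g, device, start, stop, dest):
    """Fallback: dump blocks start..stop of `device` to `dest` for offline carving.

    unallocated=True restricts the dump to blocks not owned by any live file
    (assumed here to be the optional argument of the released API).
    """
    g.download_blocks(device, start, stop, dest, unallocated=True)
    return dest


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s DISK_IMAGE OUTDIR" % sys.argv[0])
    g = open_disk(sys.argv[1])
    try:
        for dev in g.list_partitions():
            try:
                out = recover_deleted(g, dev, os.path.join(sys.argv[2], safe_name(dev)))
            except RuntimeError as exc:  # e.g. swap or an unsupported filesystem
                print("%s: skipped (%s)" % (dev, exc))
                continue
            print("%s: %d recovered, %d need carving" % (
                dev, len(out["recovered"]), len(out["empty"])))
    finally:
        g.shutdown()
        g.close()
```

Run it as `python recover.py disk.qcow2 ./out`; the image is attached read-only, so the appliance can be pointed at evidence without altering it. Anything listed as needing carving is a candidate for carve_unallocated once you know (from the filesystem's own structures) which block range the file used to occupy.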

Most of the APIs I am introducing are inspired by TSK ones. Here's a
more detailed example of how to retrieve deleted data from disks.
http://wiki.sleuthkit.org/index.php?title=FS_Analysis

Afterwards, we could focus on more interesting topics such as evidence
gathering and forensic analysis. Automating it is a challenging topic
as most of the "evidence reconstruction" requires careful thinking, as
the data might have been tampered with or obfuscated.

Yet there are quite interesting features we can add which could support
forensic analysis as well as cloud security solutions. Think about
libguestfs scanning OpenStack instance disks to detect anomalies within
cloud deployments. libguestfs is the perfect tool as it easily allows one
to abstract both the disk virtualisation technology (qcow2, vmdk etc.)
and the guest Operating System.

You can find an example of a libguestfs-based VM scanning solution here:
https://github.com/noxdafox/vminspect

If you check the "timeline" command implementation, you'll find a few of
the new APIs in use.

> Considering they are quite specific, I was
> thinking about adding a documentation paragraph and/or some example
> to describe/show them better, what do you think?

This is a good question; I was thinking about a blog post to start with,
but a paragraph in the documentation sounds good as well. Let me know if
you need help with that, I can provide some real-life examples.

> Thanks,