[Libguestfs] [PATCH 0/2] added icat and fls0 APIs for deleted files recovery

Matteo Cafasso noxdafox at gmail.com
Sun Mar 6 15:42:24 UTC 2016 

As discussed in the topic: https://www.redhat.com/archives/libguestfs/2016-March/msg00018.html

I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth Kit.
http://www.sleuthkit.org/

The two APIs I'm adding with the patch are a simple example of which type of features TSK can enable.

The icat API it's very similar to the previously added ntfscat_i but it works with multiple filesystem types and has an interesting added value: it can extract deleted files. The end result heavily depends on the filesystem internals and on how much it has been used. On FAT, Ext2 and NTFS it can recover part or the whole file pretty easily as long as it's sectors have not been overwritten by others. For Ext3 and Ext4 it's a bit more difficult, usually data carving is more effective in these cases. I haven't tested on other filesystems.

The fls0 API works similar to find but it returns more information such as the files/directories metadata addresses (inodes) and whether the files are allocated (in use) or not (deleted). Later on I will add more fine grained APIs such as fls0-d for showing only deleted files and fls0-m which reports the creation/access/deletion timestamps. I might need some help for the related fls API not relying on an external file.

A concrete example on a Windows 7 disk image.

$ ./run guestfish --ro -a /home/noxdafox/disks/win7clone.qcow2

><fs> run

There's no need to mount the disks as TSK reads the raw data structures of the filesystems.

><fs> fls0 /dev/sda2 /home/noxdafox/disk-content.txt

r/r 15711-128-1:        $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/desktop.ini
-/r * 60015-128-1:      $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt
-/r * 60015-128-3:      $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt:Zone.Identifier

We can see the content of the recycle bin where I trashed and deleted a readme.txt file (renamed as $R07QQZ2.txt).
The asterisk (*) shows the file is not allocated and it has been deleted from the disk.
We can see its inode number (60015) which means the inode has not been recycled yet so there's quite a good chance we can recover it.

><fs> icat /dev/sda2 60015 /home/noxdafox/recovered.txt

The file gets fully recovered in my home directory. The correct sha1 proves the recover was 100% successful.

I decided to add these APIs because they cover a use case I think libguestfs could immediately benefit from. With TSK tools is possible to do more in depth disk analysis to quickly discover hiddend partitions (malware rootkits) or hidded data in unallocated sectors.

Matteo Cafasso (2):
  added icat and fls0 APIs
  added icat and fls0 APIs tests

 Makefile.am              |   1 +
 appliance/packagelist.in |   3 ++
 configure.ac             |   1 +
 daemon/Makefile.am       |   1 +
 daemon/tsk.c             | 122 +++++++++++++++++++++++++++++++++++++++++++++++
 generator/actions.ml     |  33 +++++++++++++
 po/POTFILES              |   1 +
 src/MAX_PROC_NR          |   2 +-
 tests/tsk/Makefile.am    |  27 +++++++++++
 tests/tsk/test-fls0.sh   |  55 +++++++++++++++++++++
 tests/tsk/test-icat.sh   |  53 ++++++++++++++++++++
 11 files changed, 298 insertions(+), 1 deletion(-)
 create mode 100644 daemon/tsk.c
 create mode 100644 tests/tsk/Makefile.am
 create mode 100755 tests/tsk/test-fls0.sh
 create mode 100755 tests/tsk/test-icat.sh

--
2.7.0

More information about the Libguestfs mailing list