Unit 3: Unix/Linux File System 3.1 Unix/Linux File System Booting Process


>> After acquiring and then preserving the pertinent evidence,
we move on to analyzing the Linux UNIX images.



As mentioned earlier, forensic analysis tools can usually take a partition
or an acquired disk image as input to work on both images in live systems.



Most importantly, these tools usually bypass the kernel's normal operations
to display deleted content and other data that is typically inaccessible.


Therefore, to know how these forensic analysis tools work, investigators have
to understand filesystems completely.



When you present your findings, you have to answer questions such as why
and how you recovered deleted and other hidden data.



In this unit, we will review filesystem basics that will help you
to understand how forensic analysis tools are able to retrieve data
that is typically inaccessible by normal users.



Let's look at the booting process first.



The BIOS and MBR partitioning scheme was developed in the early 1980s by IBM Personal Computers.


The basic input/output system, BIOS for short, starts the power-on self-test.


It searches for, loads, and executes the boot loader following the BIOS boot sequence.


Commonly, BIOS loads and executes the master boot record boot loader.


MBR is always located in sector zero of the drive and it contains the initial boot code
and the disk partition information.



In the 1990s, Intel introduced the EFI boot framework.


EFI stands for extensible firmware interface, introduced especially to support larger disk spaces.


EFI uses the globally unique identifier partition table, known as GPT, and jumps
to the EFI system partition to begin the initial bootstrapping.


While MBR can only have four primary partitions, GPT can support up to 128 primary partitions
on a GPT disk.



If you are interested in GPT forensic analysis, I introduce two reference papers in the PowerPoint
slides.



Now let's take a close look at the MBR structure.



MBR is always 512 bytes and it is created when the disk is partitioned.



The MBR contains 446 bytes of executable code called master boot code,
two bytes of MBR signature, and the 64-byte partition table information.


The MBR signature is always set to the hex 55AA, which marks the end of MBR.



If you add those bytes together, 446 plus 64 plus two,
you will end up with 512 bytes in total.


The disk signature, a unique number at offset 01B8, identifies the disk to the
operating system.


The partition table contains four primary partition entries.



Each partition entry uses 16 bytes to specify the starting and ending position
in cylinder-head-sector for each partition as well
as the active flag indicating whether the partition is active for booting or not.



Once it has identified the active partition, MBR will load a copy of the boot sector
from the active partition into memory and transfer control to the executable code
in the boot sector of the active partition.



Let's see what this looks like.



EnCase Forensic from Guidance Software is one
of the most sophisticated computer forensic tools on the market.



EnCase's disk view feature visually displays where the data blocks of files
and directories appear on the disk and whether the blocks are allocated or unallocated.


In this video, I will use this feature to show you the partition information that resides
in our master boot record.


The screen you're seeing is my virtual machine, Windows 7.



If I choose disk-- so this is disk looking-- it says click on that.


If you click on disk view, it will bring us to the disk view of my Windows 7.


Now, each square represents one sector, and this is 512 bytes.


The first one, the first sector on the first cylinder-- on the first--
that first sector is always the master boot record on the disk.


On the disk.



We will come back to looking into this 512-byte master boot record.


If we look at the other ones, those are all gray.


Now, this first one is supposed-- should have shown color because it is a master boot record.


The gray color-- the other ones, it's on the same track, but should have nothing in that
because the first track-- only the first sector is used.


The rest of that track-- the rest of the sectors will never be used.



If you move down, you will see the first active partition and then the red part--
the red part of all those sectors, this belongs to volume boot.



The blue color, the other ones, those are all allocated.



If you click down-- if you click on that, it has some value in it,
and actually the bottom even tells you which file this sector belongs to.


So, the sector I currently clicked, it is-- it belongs to the boot.


If I click on some other ones, this is the $Secure system file.


Those are all allocated, and then the other ones,
like for example the gray ones, those are unallocated.


So, it contains some historical data, but currently is not in use.



So, this is a great way to see your disk and which blocks are in use
and which blocks-- which are unallocated at this point.


Now, let's go back to the master boot record because that's the one we are interested
in looking into.


If you'll recall, we talked about the master boot record in the lecture.


This is 512 bytes and then if we-- here we have-- we can show different views.



This is a text view and a hex view.



So, if we look at the hex view, if we look into it, the last couple of bytes are a
signature.


I have discussed it in the lecture.



It's always hex 55AA, 55AA.



If you see a sector which ends with 55AA, that could possibly be a master boot-- master boot
record.


Now, if you look at the text here, most of that certainly is unreadable, but then
you can read something.



Like here, see "invalid partition"-- this is an error message.


If they-- if it cannot load, then this message will show up.


Now, we are interested in seeing the partition information from the master boot record.


So, partition information starts from byte 446.



So, if I right-click and I said go to 54-- 446.



It's little-endian.



Four-forty-six. 446


OK.


It will bring me to the 446-- byte 446.


Now, I highlight to-- because the total is 64 bytes to represent the partition information,
so I will swipe to-- which to-- 64.


How do I know?



See the number here?



Length 64.



That's-- I swiped 64 bytes.



Then I said-- sorry-- got lost here.



So, I need to have 64, then I do decode.


Decode for which information?



I want to see-- this is actually partition information,
so I said this is Windows partition entry.



Now you have seen here, this is the partition information shown from the master boot record.


We have NTFS and 80, which means bootable.



And then here is the starting point and then the ending point.



Total size.


And then here is another partition.



It's NTFS and this is not bootable, it's zero zero.



OK?


So, the first partition is bootable and the second partition is not bootable,
and you can see the starting point of this partition and then the ending point
for this partition, and where the cluster really starts, and then the size.


In total there are four primary partitions.


So, using EnCase Forensic, you are able to interpret this master boot record and then
see where the partition information resides.


OK.


So, hopefully you can connect this information with the lecture information.

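The 512-byte layout the lecture walks through (446 bytes of master boot code, the 4-byte disk signature at offset 01B8, four 16-byte partition entries starting at byte 446, and the 55AA signature at the end) can be decoded directly from a captured sector. The block below is an added example, not code from the lecture or from EnCase: it builds a constructed sample MBR (the disk signature, CHS values, LBA ranges and the placement of the "Invalid partition table" string are all made up) and decodes it the way the EnCase "Windows partition entry" decoder does, flagging the 80 active partition and the little-endian start sector and size of each entry. Keep in mind that a volume boot record also ends in 55AA, so the signature alone only marks a candidate sector; the decoded partition entries have to make sense as well.

```python
# Added example (not part of the lecture or of EnCase): decode an MBR sector.
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # master boot code occupies bytes 0..445
DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte disk signature inside the boot-code area
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries: 446 + 64 + 2 = 512
MBR_SIGNATURE = b"\x55\xAA"     # bytes 510..511, marks the end of the MBR

# A few well-known partition type codes (0x07 is what EnCase reports as NTFS).
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32",
                   0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def decode_chs(raw3):
    """Unpack a 3-byte CHS field: byte 0 = head, byte 1 = sector (low 6 bits)
    plus cylinder bits 8-9 (high 2 bits), byte 2 = cylinder bits 0-7."""
    head = raw3[0]
    sector = raw3[1] & 0x3F
    cylinder = ((raw3[1] & 0xC0) << 2) | raw3[2]
    return (cylinder, head, sector)


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; used here only to build the constructed sample."""
    if not (0 <= cylinder < 1024 and 0 <= head < 256 and 1 <= sector < 64):
        raise ValueError("CHS value out of range")
    return bytes([head, ((cylinder >> 2) & 0xC0) | sector, cylinder & 0xFF])


def parse_partition_entry(entry16):
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start,
    sector count. Multi-byte fields are little-endian, as the lecture notes."""
    status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
        "<B3sB3sII", entry16)
    return {
        "bootable": status == 0x80,          # 0x80 = active, 0x00 = inactive
        "status": status,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "chs_start": decode_chs(chs_start),
        "chs_end": decode_chs(chs_end),
        "lba_start": lba_start,
        "lba_end": lba_start + count - 1,
        "sector_count": count,
        "size_bytes": count * SECTOR_SIZE,
    }


def parse_mbr(sector):
    """Return the disk signature, the four partition slots (None when empty) and
    the boot-code bytes. Raises ValueError when the sector is not an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 55AA signature: not an MBR, or a damaged one")
    disk_signature = struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0]
    slots = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        slots.append(None if entry == bytes(16) else parse_partition_entry(entry))
    return {"disk_signature": disk_signature, "partitions": slots,
            "boot_code": sector[:BOOT_CODE_SIZE]}


def build_sample_mbr():
    """Constructed sample, not a real disk image: a boot-code area holding the
    'Invalid partition table' error string the lecture points out in text view,
    a made-up disk signature, two NTFS entries (first active, second not) and
    two empty slots."""
    code = bytearray(BOOT_CODE_SIZE)
    code[0x100:0x100 + 23] = b"Invalid partition table"       # placement is made up
    struct.pack_into("<I", code, DISK_SIGNATURE_OFFSET, 0x12345678)  # constructed
    entry1 = struct.pack("<B3sB3sII", 0x80, encode_chs(0, 32, 33), 0x07,
                         encode_chs(12, 223, 19), 2048, 204800)
    entry2 = struct.pack("<B3sB3sII", 0x00, encode_chs(12, 223, 20), 0x07,
                         encode_chs(38, 114, 7), 206848, 409600)
    table = entry1 + entry2 + bytes(32)                 # slots 3 and 4 unused
    mbr = bytes(code) + table + MBR_SIGNATURE
    assert len(mbr) == SECTOR_SIZE                      # 446 + 64 + 2
    return mbr


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(f"disk signature: {info['disk_signature']:08X}")
    for n, p in enumerate(info["partitions"], 1):
        if p is None:
            print(f"partition {n}: empty")
            continue
        flag = "80 (bootable)" if p["bootable"] else "00 (not bootable)"
        print(f"partition {n}: {p['type_name']} {flag} "
              f"start LBA {p['lba_start']} end LBA {p['lba_end']} "
              f"CHS {p['chs_start']}-{p['chs_end']} size {p['size_bytes']} bytes")
```

To run it against a real acquisition, read the first 512 bytes of the image file and pass them to parse_mbr; the same 64-byte region that was highlighted in EnCase (byte 446 to byte 509) is what the loop over the four slots decodes.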

 

Reposted from: https://www.cnblogs.com/sec875/articles/10013598.html
