similar to: Libguestfs as filesystem forensic tool

On 02/03/16 17:53, Richard W.M. Jones wrote: > On Wed, Mar 02, 2016 at 05:47:40PM +0200, noxdafox wrote: >> Greetings, >> >> I am playing around with the idea of using libguestfs as a forensic >> tool to investigate VM disk images. >> >> Some use cases as example: >> * Sandbox for malware analysis. >> * Incident response in cloud environments.

On Wed, Mar 02, 2016 at 05:47:40PM +0200, noxdafox wrote: > Greetings, > > I am playing around with the idea of using libguestfs as a forensic > tool to investigate VM disk images. > > Some use cases as example: > * Sandbox for malware analysis. > * Incident response in cloud environments. > > Libguestfs is a precious resource in this case as it allows to >

On 02/03/16 18:24, Richard W.M. Jones wrote: > On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote: >> One of the patches I'm talking about would add TSK (The Sleuth Kit) >> as a dependency within the appliance. >> >> This would bring new APIs such as: >> 'fls' more powerful 'ls' command allowing to get list of deleted >> files or

As discussed in the topic: https://www.redhat.com/archives/libguestfs/2016-March/msg00018.html I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth Kit. http://www.sleuthkit.org/ The two APIs I'm adding with the patch are a simple example of which type of features TSK can enable. The icat API it's very similar to the previously added ntfscat_i but it

The Sleuth Kit is a filesystem forensic tool for accessing disk volumes and extracting digital evidence from. http://www.sleuthkit.org/ The icat API allows to download a file from a device given its metadata number (inode). It supports multiple filesystem types. The icat command allows to access to otherwise unreachable files such as filesystem data structures and deleted files which content is

On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote: > One of the patches I'm talking about would add TSK (The Sleuth Kit) > as a dependency within the appliance. > > This would bring new APIs such as: > 'fls' more powerful 'ls' command allowing to get list of deleted > files or timelines at a given path. > 'icat' similar to ntfscat-i but it

Hi, I've a nasty feeling I know the answer to this post, but I'm gonna ask and pray anyway :-) I just made a rather stupid commandline ordering error and managed to delete a whole load of data (mostly word files/some pics fwiw) with rsync -delete. I know, I'm an idiot (and a big one at that). To make matters worse this was off an ext3 partition, which from what I can find out

Thanks, I have pushed this patch series. Could you consider changing: > + optional = Some "icat"; I think it would be nice to have a single feature, and to call the feature "sleuthkit" or "forensics" or something like that. We don't need to have one feature per API since installation of a single package (sleuthkit) is sufficient to make all the APIs

v5: - fixed compile-time warning - removed unused flag enumeration - new version 1.33.19 Patch ready for review. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check New API: internal_filesystem_walk New API: filesystem_walk lib: Added filesystem_walk command tests daemon/Makefile.am | 4 +- daemon/tsk.c

v4: - Changed tsk_allocated struct field into tsk_flags. - Added optional dependency in documentation. - Use asprintf and perror instead of asprintf_nowarn and fprintf. - Ensure CLEANUP_FREE vars are initialised. - Reworked the function documentation. - Improved tests robustness. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check

v7: - iterate over output file instead of reading it into memory Instead of reading the whole output file in memory and iterating over the resulting buffer, use XDR primitives to directly iterate over the file itself. This should reduce the API memory consumption. Patch ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/filesystem_walk Matteo Cafasso

v6: - added metadata reallocation flag in tsk_flags Certain filesystems separate file name structures and metadata ones. Therefore, deleted entries with file name structures in an unallocated state might point to metadata structures which have been reallocated to new files. A flag set to 1 is generally an indication that the information gathered from the metadata structure (file

On 07/03/16 13:29, Richard W.M. Jones wrote: > On Sun, Mar 06, 2016 at 05:42:24PM +0200, Matteo Cafasso wrote: >> As discussed in the topic: https://www.redhat.com/archives/libguestfs/2016-March/msg00018.html >> >> I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth Kit. >> http://www.sleuthkit.org/ >> >> The two APIs

v2: - Rebase on top of master Matteo Cafasso (2): New API: download_blocks Added download_blocks API test daemon/sleuthkit.c | 41 ++++++++++++++++++++++++++- generator/actions.ml | 24 ++++++++++++++++ gobject/Makefile.inc | 2 ++ src/MAX_PROC_NR | 2 +- tests/tsk/Makefile.am | 1 +

The ffind API allows to retrieve a file name from a device given its inode. The function returns a struct "tsknode" which contains the file name, its inode and it's allocation status. The struct will be employed by other APIs as well (fls, ifind etc..). $ ./run guestfish --ro -a /home/noxdafox/disks/ubuntu.qcow2 ><fs> run ><fs> ffind /dev/sda1 2 tsk_name: /

The command name is a bit confusing because it's similar to "cat" but act as "donwload". Therefore I am renaming it with a more clear name. At the same go I cleaned up a bit the code following the standards and improved the API documentation. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/download_inode Matteo Cafasso (3):

v3: - File size will be reported as - 1 if it cannot be retrieved. - Code improvements based on comments. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check daemon: Added internal_filesystem_walk command appliance: Added filesystem_walk command appliance: Added filesystem_walk command tests daemon/Makefile.am | 4 +-

"icat" name comes from the employed command line tool which might be replaced later on with a different implementation. The command name is a bit confusing because it's similar to "cat" but act as "donwload". Therefore I am renaming it with a more clear name. At the same time I cleaned up a bit the code and improved it's readability and code comments. This

v8: - rebase on master - bump version to 1.33.37 - squash commits 1, 2, 3 Kept original commits messages when squashing them. Matteo Cafasso (3): New API: internal_filesystem_walk New API: filesystem_walk lib: Added filesystem_walk command tests daemon/Makefile.am | 4 +- daemon/tsk.c | 249 ++++++++++++++++++++++++++++++++++++++

v9: - add missing files: java/Makefile.inc, java/com/redhat/et/libguestfs/.gitignore, gobject/Makefile.inc - reserve space in tsk_dirent struct for future usage - use int instead of bool_t type - improve API documentation Matteo Cafasso (3): New API: internal_filesystem_walk New API: filesystem_walk lib: Added filesystem_walk command tests daemon/Makefile.am