The HoneyNet Forensic Challenge --Analysis & Findings
Disk Inode Analysis and Recovery with debugfs
debugfs 'dump' subcommand used to recover the data blocks still referenced by an inode (deleted inodes on ext2 keep their block pointers, so this works as long as the blocks have not been reallocated)
'file' command used to determine the type of the recovered data, then the matching tool to display its contents:
- 'strings' used on binaries
- 'cat' used on text
- 'od' used on data
Notes:
Once the type of file is known, regular commands can be used to further determine the name of the recovered file. For example, on hda5 inode 109791 is a tar archive; simply issuing 'tar -tf' against it shows the archive is 'ssh-1.2.27'. Similarly, because hda5 inode 109865 is an RPM file, 'rpm -qlip' reveals the package is nfs-utils-0.1.9.1-1. A recovered file whose blocks were partly reused will usually show up as a truncated or corrupt archive at this step, so a clean 'tar -tf' or 'rpm -qlip' run is also a useful sanity check on the recovery itself.
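The recovery and triage procedure above, as an added example (not part of the original challenge write-up): a small Python wrapper that dumps an inode with 'debugfs -R "dump <inode> outfile" image', then classifies the bytes by magic number the way 'file' would and applies the matching inspection step (tar listing, strings, od-style hex, or plain text). The image path and inode number in main() are hypothetical; the sample archive is constructed inline so the classification and listing steps run without a disk image or debugfs installed.

```python
"""Recover an inode's data with debugfs and triage the result (added example)."""
import io
import string
import subprocess
import tarfile

PRINTABLE = set(string.printable.encode())


def dump_inode(image, inode, outfile):
    """Run debugfs non-interactively: 'dump <inode> outfile'.

    The angle brackets tell debugfs that the argument is an inode number
    rather than a path, which is what we need for unlinked files.
    Requires e2fsprogs on PATH; the image path is an assumption.
    """
    cmd = ["debugfs", "-R", f"dump <{inode}> {outfile}", image]
    subprocess.run(cmd, check=True, capture_output=True)
    with open(outfile, "rb") as fh:
        return fh.read()


def classify(data):
    """Approximate what 'file' reports, using well-known magic bytes."""
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"\xed\xab\xee\xdb"):      # RPM lead magic
        return "rpm"
    if data.startswith(b"\x1f\x8b"):              # gzip (often a .tar.gz)
        return "gzip"
    if len(data) >= 262 and data[257:262] == b"ustar":  # POSIX/GNU tar header
        return "tar"
    if data and all(c in PRINTABLE for c in data[:512]):
        return "text"
    return "data"


def tar_members(data):
    """Equivalent of 'tar -tf': member names from an in-memory archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return tf.getnames()


def tar_top_level(data):
    """The directory name the archive unpacks into, e.g. 'ssh-1.2.27'."""
    names = tar_members(data)
    return names[0].split("/")[0] if names else None


def strings(data, minlen=4):
    """Equivalent of 'strings': runs of printable ASCII at least minlen long."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= minlen:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= minlen:
        out.append(run.decode("ascii"))
    return out


def od_hex(data, limit=64):
    """Equivalent of a short 'od -Ax -tx1': offset plus hex bytes, 16 per line."""
    lines = []
    for off in range(0, min(len(data), limit), 16):
        chunk = data[off:off + 16]
        lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
    return lines


def inspect(data):
    """Dispatch on the detected type, mirroring the slide's strings/cat/od split."""
    kind = classify(data)
    if kind == "tar":
        return kind, tar_members(data)
    if kind in ("elf", "rpm"):
        return kind, strings(data)
    if kind == "text":
        return kind, data.decode("ascii", errors="replace").splitlines()
    return kind, od_hex(data)


def sample_archive():
    """Constructed sample: a tar whose top-level directory is 'ssh-1.2.27'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"constructed README\n"
        info = tarfile.TarInfo("ssh-1.2.27/README")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Real use (hypothetical image and inode):
    #   data = dump_inode("hda5.dd", 109791, "inode-109791.bin")
    data = sample_archive()
    print("type:", classify(data), "unpacks to:", tar_top_level(data))
```

The classification is deliberately narrower than 'file': it covers the types named on the slide plus gzip, and falls back to a hex dump for anything else, which is the same 'od' step the analyst would take by hand.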