File System Analysis EXT2 - 1


Summary

This exercise directs the student to extract the Master Boot Record (MBR) from an image file and decode its partition table. Once the table has been deciphered, the student will extract a specified partition from the image, mount it read only, and map it with FTimes. The latter part of this exercise requires a Linux system configured with loopback support.


Requirements


Resources


Tasks

  1. Read 'How It Works: Partition Tables' and 'How It Works: Master Boot Record (MBR)'. Then, answer the following questions:

    1. Where is the MBR located (give answer in CHS format)?

    2. What size (in bytes) is the MBR?

    3. What is the structure (draw a picture) of a partition table entry?

    4. At what offsets, in the MBR, are each of the four partition entries located?

    5. At what offset, in the MBR, is the boot magic located?

    6. What is the purpose and value (in hex) of boot magic?

    7. What type values are commonly associated with extended, FAT, NTFS, Linux, and Linux swap partitions?

    8. How many extended partitions may be defined in the MBR? What is the de facto standard?

  2. Unpack 10ks.ext2.images.tgz in a suitable location (e.g., /tmp), find the file called 10ks.inuse.img, and extract its MBR.

    tar -C /tmp -zxf 10ks.ext2.images.tgz
    cd /tmp/10ks.ext2.images
    dd if=10ks.inuse.img of=10ks.inuse.mbr bs=512 count=1
      

  3. Use a hex viewer such as hexdump to display the contents of the MBR. Locate and decode the partition table. Use the following PARTITION structure and the GET_SECTOR and GET_CYLINDER macros to help you decode each entry.

    typedef struct _PARTITION
    {
      unsigned char       ucStatus;          /* 0x80 = active (bootable), 0x00 = inactive */
      unsigned char       ucBHead;           /* CHS address of the first sector */
      unsigned char       ucBSector;         /* Low 6 bits = sector; high 2 bits = cylinder bits 8-9 */
      unsigned char       ucBCylinder;       /* Low 8 bits of the cylinder */
      unsigned char       ucType;            /* Partition type (0x00 = unused entry) */
      unsigned char       ucEHead;           /* CHS address of the last sector */
      unsigned char       ucESector;         /* Low 6 bits = sector; high 2 bits = cylinder bits 8-9 */
      unsigned char       ucECylinder;       /* Low 8 bits of the cylinder */
      unsigned char       ucStartSector[4];  /* LBA of the first sector, little-endian */
      unsigned char       ucSectorCount[4];  /* Number of sectors, little-endian */
    } PARTITION;
    
    /* The sector number occupies the low 6 bits of the sector byte. */
    #define GET_SECTOR(ucSector) ((ucSector) & 0x3f)
    
    /* The cylinder is 10 bits: the cylinder byte plus the high 2 bits of the sector byte. */
    #define GET_CYLINDER(ucCylinder, ucSector) ((ucCylinder) + (((ucSector) & 0xc0) << 2))
      
    1. How many partitions have been defined?

    2. Which partition is active? Explain how you determined this.

    3. What file system type is assigned to the first partition?

    4. At what offset (in bytes) is the first sector of the first partition located in the image file?

    5. What is the size (in bytes) of the first partition?

  4. Use dd to extract the first partition from the image. Use the following command-line as a guide. Replace COUNT and SKIP with the appropriate values as determined from the results of the previous step.

    dd if=10ks.inuse.img of=p1.inuse.img bs=512 count=COUNT skip=SKIP
      

  5. Run the file command on 10ks.inuse.img and p1.inuse.img. What does it return? Does that information seem accurate? Explain.

  6. Compute and record the MD5 hash for p1.inuse.img.

    md5sum p1.inuse.img
      

  7. Mount p1.inuse.img as read only under /mnt on a Linux system configured with loopback support.

    losetup /dev/loop0 p1.inuse.img
    mount -r /dev/loop0 /mnt
      
    1. What are the advantages of mounting an image file as a file system?

    2. What is the purpose of the '-r' option? Why is that important?

  8. Map the mounted partition with FTimes using a FieldMask of 'all-magic'.

    ftimes --mapauto all-magic /mnt > baseline
      
    1. How many files were mapped?

    2. How many bytes were hashed?

    3. Provide a listing of each file mapped along with the following attributes: ctime, size, and md5. Show the commands used to create this list.

  9. Map the mounted partition again using the same FieldMask, and compare the two snapshots as follows:

    ftimes --mapauto all-magic /mnt > snapshot
    ftimes --compare all baseline snapshot -l 6
      
    1. Did the access times of any files or directories change? If yes, explain how that could happen.

  10. Unmount the image file and compute its MD5 hash again. Is the hash different? If yes, explain how that could happen.

    umount /mnt
    losetup -d /dev/loop0
    md5sum p1.inuse.img
      

  11. Clean up your work area and remove any temporary files created during this exercise.


Challenges

  1. Write a C program to dump the contents of a single partition table.

  2. Modify this program to handle extended partitions.
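An added example, not part of the original exercise, of the kind of decoder Challenge 1 asks for: it reads the four entries of a single partition table from a 512-byte buffer using the PARTITION structure and macros from Task 3, checks the boot magic, and reports each entry's status, type, CHS bounds, LBA start, sector count and byte offset in the image. The MBR contents are constructed here (not taken from 10ks.inuse.img), and the PENTRY type and function names are this example's own, not from the FTimes distribution.

```c
#include <stdint.h>
#include <string.h>

typedef struct _PARTITION {                 /* one 16-byte table entry, as on the page */
  unsigned char ucStatus, ucBHead, ucBSector, ucBCylinder;
  unsigned char ucType, ucEHead, ucESector, ucECylinder;
  unsigned char ucStartSector[4], ucSectorCount[4];    /* little-endian LBA values */
} PARTITION;
#define GET_SECTOR(ucSector) ((ucSector) & 0x3f)
#define GET_CYLINDER(ucCylinder, ucSector) ((ucCylinder) + (((ucSector) & 0xc0) << 2))

/* Decoded view of one entry (this example's own type). */
typedef struct { int active; unsigned type, bC, bH, bS, eC, eH, eS; uint32_t lbaStart, sectorCount; } PENTRY;

/* Decode a little-endian 32-bit field byte by byte, so host byte order does not matter. */
static uint32_t Le32(const unsigned char *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Decode the four entries at byte 446 of a 512-byte MBR into out[0..3]. Returns the number of
   non-empty entries, or -1 if the 0x55AA boot magic is absent at bytes 510-511. */
int DecodeMbr(const unsigned char *mbr, PENTRY out[4])
{
  int i, n = 0;
  if (mbr[510] != 0x55 || mbr[511] != 0xaa) return -1;
  for (i = 0; i < 4; i++) {
    PARTITION p;
    memcpy(&p, mbr + 446 + 16 * i, sizeof(p));       /* all-char struct: 16 bytes, no padding */
    out[i].active = (p.ucStatus == 0x80);            /* 0x80 = active (bootable), 0x00 = inactive */
    out[i].type   = p.ucType;                        /* 0x00 marks an unused slot */
    out[i].bH = p.ucBHead; out[i].bS = GET_SECTOR(p.ucBSector);
    out[i].bC = GET_CYLINDER(p.ucBCylinder, p.ucBSector);
    out[i].eH = p.ucEHead; out[i].eS = GET_SECTOR(p.ucESector);
    out[i].eC = GET_CYLINDER(p.ucECylinder, p.ucESector);
    out[i].lbaStart = Le32(p.ucStartSector); out[i].sectorCount = Le32(p.ucSectorCount);
    if (p.ucType != 0) n++;
  }
  return n;
}

/* Byte offset of the partition's first sector in the image, i.e. the dd skip value times 512. */
uint64_t PartitionByteOffset(const PENTRY *e) { return (uint64_t)e->lbaStart * 512; }

/* Constructed sample MBR (not taken from 10ks.inuse.img): an active Linux (0x83) partition at
   LBA 63, 20097 sectors, ending at CHS 1023/254/63, followed by a Linux swap (0x82) partition. */
void BuildSampleMbr(unsigned char mbr[512])
{
  static const unsigned char e1[16] = {0x80,0x01,0x01,0x00,0x83,0xfe,0xff,0xff,0x3f,0,0,0,0x81,0x4e,0,0};
  static const unsigned char e2[16] = {0x00,0x00,0x01,0x01,0x82,0xfe,0xff,0xff,0xc0,0x4e,0,0,0x40,0x1f,0,0};
  memset(mbr, 0, 512); memcpy(mbr + 446, e1, 16); memcpy(mbr + 462, e2, 16);
  mbr[510] = 0x55; mbr[511] = 0xaa;
}
```

To run it against a real image, read the first 512 bytes of the file into the buffer in place of BuildSampleMbr; the end-cylinder value 1023 in the sample shows the high two bits of the sector byte being folded into the cylinder by GET_CYLINDER.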


Hints

  1. Sample config files are provided in the FTimes distribution.

  2. When using hexdump, the '-C' option can be used to display output in a combined Hex/ASCII format. If that option is not supported, then the following command-line and format specification will produce a similar result.

    hexdump -f hexfmt file
    
    --- hexfmt ---
    "%08.8_Ax\n"
    "%08.8_ax  "8/1 "%02x " "  " 8/1 "%02x "
    "  |" "%_p"
    "|\n"
    --- hexfmt ---
      


Warnings

  1. Remember to unmount loopback file systems and detach (losetup -d) image files when they are no longer needed.

  2. Depending on the hex viewer/editor being used, your offset calculations may need to be adjusted to compensate for any byte swapping that takes place.