I really need to get back into the habit of writing on here, so maybe a few words on the new non-Patch-Tuesday vulnerability are in order. I just got my MacBook back from warranty service yesterday, and was reading about this on Twitter as I was getting everything set back up. I’ll give you a few links that I’ve seen in my feed reader, Twitter, and IRC (shouts to #pauldotcom and #securabit on freenode), and a little commentary:
Tomorrow at 8:00AM, I will be giving a lecture to the CSE 4273/6273 Computer Crime and Forensics class here at Mississippi State University. I was asked to speak on the topic of “Linux Filesystems”, and I have chosen to focus on the ext2 and ext3 filesystem data structures. The class is using the excellent “File System Forensic Analysis” by Brian Carrier as its textbook, so it’s a great opportunity to cover the chapters on ext2/3 (chapters 14 & 15).
It’s a 50-minute class, and pretty strictly so, since the Information and Computer Security class is held immediately afterwards. Due to the limited time I have, I’ve scaled back my coverage of these two chapters to what you see in the following slides. I’m focusing on the basic data structures used by “extx” to point at files and metadata, such as the superblock, group descriptor tables, and inodes. I’ve included an example of finding a file on a filesystem using only dd piped through xxd and less, and some discussion of what a forensic examiner or someone tasked with data recovery should be on the lookout for.
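For those who want to follow the superblock-to-inode walk from the slides without a hex dump in front of them, here is an added example of my own (not from the slides or from Carrier’s book) that does the same arithmetic in Python over a constructed two-group ext2 image; the image layout, block numbers and inode counts are made up for the demonstration, and the field offsets are the standard ext2/ext3 on-disk ones.

```python
import struct
EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024   # the primary superblock always sits 1024 bytes into the volume

def parse_superblock(image: bytes) -> dict:
    """Read the superblock fields needed to walk from the start of the volume to an inode."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError(f"not an ext2/3 superblock (magic 0x{magic:04x})")
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    return {
        "inodes_count": struct.unpack_from("<I", sb, 0)[0],
        "blocks_count": struct.unpack_from("<I", sb, 4)[0],
        "first_data_block": struct.unpack_from("<I", sb, 20)[0],
        "block_size": 1024 << struct.unpack_from("<I", sb, 24)[0],
        "blocks_per_group": struct.unpack_from("<I", sb, 32)[0],
        "inodes_per_group": struct.unpack_from("<I", sb, 40)[0],
        # revision 0 uses fixed 128-byte inodes; revision 1 stores the size in the superblock
        "inode_size": struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128,
    }

def parse_group_descriptors(image: bytes, sb: dict) -> list:
    """The group descriptor table starts in the block right after the one holding the superblock."""
    gdt_offset = (sb["first_data_block"] + 1) * sb["block_size"]
    ngroups = -(-(sb["blocks_count"] - sb["first_data_block"]) // sb["blocks_per_group"])  # ceil
    offsets = range(gdt_offset, gdt_offset + ngroups * 32, 32)  # ext2/3 descriptors are 32 bytes
    return [dict(zip(("block_bitmap", "inode_bitmap", "inode_table"), struct.unpack_from("<III", image, off)))
            for off in offsets]

def inode_offset(sb: dict, gdt: list, inode_num: int) -> int:
    """Byte offset of an inode in the image, found via its block group's inode table."""
    if not 1 <= inode_num <= sb["inodes_count"]:
        raise ValueError(f"inode {inode_num} out of range")
    group, index = divmod(inode_num - 1, sb["inodes_per_group"])  # inode numbers start at 1
    return gdt[group]["inode_table"] * sb["block_size"] + index * sb["inode_size"]

def build_sample_image() -> bytes:
    """Constructed 16-block, 1 KiB-block image with two block groups (made up, not a real disk)."""
    img = bytearray(16 * 1024)
    sb = SUPERBLOCK_OFFSET
    struct.pack_into("<II", img, sb, 32, 16)                 # s_inodes_count, s_blocks_count
    struct.pack_into("<II", img, sb + 20, 1, 0)              # s_first_data_block=1, s_log_block_size=0
    struct.pack_into("<III", img, sb + 32, 8, 8, 16)         # blocks, frags and inodes per group
    struct.pack_into("<H", img, sb + 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<IHHIH", img, sb + 76, 1, 0, 0, 11, 128)  # rev 1, resuid/gid, first_ino, inode_size
    gdt = 2 * 1024                                           # block 2 holds the group descriptor table
    struct.pack_into("<III", img, gdt, 3, 4, 5)              # group 0: bitmaps at blocks 3, 4; inode table at 5
    struct.pack_into("<III", img, gdt + 32, 11, 12, 13)      # group 1: inode table at block 13
    return bytes(img)
```

The byte offset it returns is exactly what you would hand to dd as `skip=` with `bs=1` before piping through xxd and less to read the inode by hand.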
Unfortunately with this PDF version of the slides, you won’t see the slick Keynote animations I’ve worked into my lecture. I’m considering expanding the detail and coverage of this, and recording the slideshow as a video with narration for this site:
Edit: Wow, that filter really killed the screenshots; uploaded the full-res version.