Message-ID: <AANLkTinRrB1q7CSLs2POU36fygxe8CU5z8zNre6z9a3c@mail.gmail.com>
Date:	Tue, 26 Oct 2010 20:13:34 -0400
From:	Greg Freemyer <greg.freemyer@...il.com>
To:	"Amir G." <amir73il@...rs.sourceforge.net>
Cc:	Ext4 Developers List <linux-ext4@...r.kernel.org>,
	next3-devel@...ts.sourceforge.net
Subject: Re: [RFC] Ext4 snapshots design challenges

On Mon, Oct 25, 2010 at 12:05 PM, Amir G.
<amir73il@...rs.sourceforge.net> wrote:
> On Mon, Oct 25, 2010 at 5:24 PM, Greg Freemyer <greg.freemyer@...il.com> wrote:
>> Amir,
>>
>> I recently saw an announcement for X-Ways Forensics
>> (http://www.x-ways.net/) that they now support next3 as a filesystem
>> to analyze.  See Oct. 10 msg under topic "Announcements: X-Ways
>> Forensics 15.8" at http://www.winhex.net/  (I think that is a public
>> posting board.)
>>
>> I was surprised to see that, but assuming it was indeed your project
>> they added support for, I congratulate you on the above.
>>
>
> Thanks! I guess :-)
> I am pretty clueless with regards to the big players in the storage market.
> I do not know X-Ways, but it looks like they are a big player.


X-Ways is a computer forensic tool.  It is used to find evidence on
computers.  (You might want to check my sig below.)  X-Ways is one of
the 3 biggest forensic suite vendors and their forensic app sells for
about $1K.  (My company has 3 licenses.)

A perfect situation for analysis of a next3 based filesystem would be
if a contract had been fraudulently updated after it was signed and
X-Ways was able to pull up older versions of the contract and prove
the fraud.

The fact that they took the time to recover documents out of a next3
filesystem implies they thought next3 was deployed widely enough to be
worth the effort.

I know they also add features for specific large customers, so it
could simply be that a large client of theirs asked them to add next3
support for some internal reason.

>> I'm curious what level of support they offer.  In particular, they
>> only offer limited support for NTFS shadow copies, so I'm curious if
>> the next3 support is similarly limited.
>>
>> Or since next3 is GPL they may have been able to do a more
>> comprehensive job with it than with ntfs shadow copies.
>>
>> Any info you have would be appreciated.
>> Greg
>>
>
> As you can figure out, I was not involved or notified about this move.
> Judging from their release notes, I would say that the added support is
> mostly adding some information tags and verifying the correctness of the
> exclude bitmap:
>
> * Support for the Linux file system next3. The exclude bitmap inode
> will be evaluated,
>  and snapshot files are marked with (SF) in the Attribute column.
>  Specialist license or higher required.

But the ability to pull out snapshot files in an orderly fashion is
the core functionality they could add from their perspective.  So
while you may think this is basic, it means they took the time to
decode your filesystem structure and pull out snapshot files.  Since
they don't actually use any of the GPL code (or at least I hope they
don't), that means they had to develop the fs analyser just for next3.
Not something I suspect can be done with limited effort.

They do the same for NTFS shadow volumes, but even now the
functionality is not complete enough that they call it supported.

> You shouldn't be too surprised to learn that the only file system
> integrity test that
> I have added in my e2fsprogs patches is verifying the correctness of
> the exclude bitmap ;-)
>
> Thanks for the info and sorry if your post was rejected from next3-devel.
> I fixed the permissions for out of list posts.

No problem

> Amir.
>

Greg
-- 
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com