Today's schedule
● Asynchronous processing & tool-chain approach
● Integrity, privilege separation and capabilities
● CarvFS & MinorFS
● MattockFS core design
● MattockFS as distributed-framework building block
● Installation (hands on)
● File-system as API (hands on)
● Python API (hands on)
MattockFS
Computer-Forensics File-System
CarvFS & MinorFS
A family tree
2002: OCFA Anycast
2006: CarvFS
2006: Sealed Digital Evidence Bag
2008: MinorFS
FUSE
Forensic File-System Architecture
Diagram (layers, top to bottom): Module Instance → User-Space File-System → Kernel (FUSE, EXT*) → Disks / file
CarvFS
● Storage requirements of traditional file carving
● CarvFS allows for zero-storage carving
● Carved files are not copied out but designated
● CarvPath designations, e.g.:
  /mnt/carvfs/mp3/18400+4096_S4096_47912+975.crv
Carvpath designations
Examples
● 0+500.crv
● 4096+4096_40960+4096.crv
● 4096+4096_S8192_40960+4096.crv
● 0+40960/1024+512.crv
● DBF49D26….B441C18894793.crv
● DBF49D26….B441C18894793/1024+512.crv
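The zero-storage idea behind these designations, as an added example that is not CarvFS or MattockFS code: a small resolver that parses "offset+size" fragments, "S<size>" sparse runs joined by "_" and nested "/" levels (the grammar visible in the examples above), and reads the designated bytes straight out of the image without carving a copy. The token grammar is assumed from the slide examples; digest-form designations are not resolved.

```python
"""Added example (not CarvFS/MattockFS code): resolve CarvPath designations.
Assumed grammar from the slide examples: "offset+size" fragments, "S<size>"
sparse runs joined by "_", nesting with "/", ".crv" suffix; digests unsupported."""
import re

TOKEN = re.compile(r"^(?:(\d+)\+(\d+)|S(\d+))$")

def parse_level(level):
    """One path component -> list of (offset, size); offset None = sparse run."""
    frags = []
    for tok in level.split("_"):
        m = TOKEN.match(tok)
        if not m:
            raise ValueError("unsupported carvpath token: %r" % tok)
        frags.append((None, int(m.group(3))) if m.group(3)
                     else (int(m.group(1)), int(m.group(2))))
    return frags

def project(parent, child):
    """Map child fragments, given relative to the parent's byte stream, onto
    the parent's coordinates so a nested path becomes one flat fragment list."""
    out = []
    for coff, csize in child:
        if coff is None:                      # a sparse child run stays sparse
            out.append((None, csize))
            continue
        pos, need_start, need_end = 0, coff, coff + csize
        for poff, psize in parent:            # walk the parent stream in order
            seg_start, seg_end = max(pos, need_start), min(pos + psize, need_end)
            if seg_start < seg_end:
                out.append((None if poff is None else poff + seg_start - pos,
                            seg_end - seg_start))
            pos += psize
        if pos < need_end:
            raise ValueError("child fragment exceeds parent size")
    return out

def parse_carvpath(path):
    """Resolve 'a/b/c.crv' down to fragments of the underlying image."""
    levels = (path[:-4] if path.endswith(".crv") else path).split("/")
    frags = parse_level(levels[0])
    for lvl in levels[1:]:
        frags = project(frags, parse_level(lvl))
    return frags

def read_carvpath(image, path):
    """Materialize the designated bytes; nothing is copied out of the image."""
    return b"".join(bytes(size) if off is None else image[off:off + size]
                    for off, size in parse_carvpath(path))
```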
Issues with CarvFS
● Read-only access to forensic disk image
● In large cases hundreds of mounted image files
● OCFA hacks:
  – Bypass CarvFS to write to underlying growing archive
  – Inefficient hybrid CarvFS/CAS storage
MinorFS
● Least Authority set of user-space file-systems
  – CapFS: sparse-capability based tree layer
  – ViewFS
● Provides pseudo-persistent processes with a private $HOME
● Provides all processes with a private $TMP
CapFS: '..' considered evil
● Special '..' directory normally designates parent
● Capabilities: designation implies authorization
● The '..' breaks delegation of sub-trees.
MinorFS, the PPP stack.
● AppArmor:
  – Take away ambient authority to $HOME, $TMP
  – Allow processes to keep secrets by limiting access to /proc/${SOMEPID}/
● MinorFS:
  – Provide secure private storage for VATs to E.
● The E language:
  – Provide a fine grained distributed object capability platform.
MinorFS and CarvFS
● MinorFS
  – Shows us the value of sparse capabilities and FUSE for high-integrity system design.
● CarvFS
  – Shows us the strength of carvpath annotations as file names.