btrForensics

Forensic Analysis Tool for Btrfs File System.

Btrfs is a modern copy on write (CoW) filesystem for Linux aimed at implementing advanced features while also focusing on fault tolerance, repair, and easy administration.

Features

• Extent based file storage
• 2^64 byte == 16 EiB maximum file size (practical limit is 8 EiB due to Linux VFS)
• Space-efficient packing of small files
• Space-efficient indexed directories
• Dynamic inode allocation
• Writable snapshots, read-only snapshots
• Subvolumes (separate internal filesystem roots)
• Checksums on data and metadata (crc32c)
• Compression (zlib, LZO, ZSTD), heuristics
• Integrated multiple device support
  • File Striping
  • File Mirroring
  • File Striping+Mirroring
  • Single and Dual Parity implementations (experimental, not production-ready)
• SSD (flash storage) awareness (TRIM/Discard for reporting free blocks for reuse) and optimizations (e.g. avoiding unnecessary seek optimizations, sending writes in clusters, even if they are from unrelated files. This results in larger write operations and faster write throughput)
• Efficient incremental backup
• Background scrub process for finding and repairing errors of files with redundant copies
• Online filesystem defragmentation
• Offline filesystem check
• In-place conversion of existing ext2/3/4 and reiserfs file systems
• Seed devices. Create a (read-only) filesystem that acts as a template to seed other Btrfs filesystems. The original filesystem and devices are included as a read-only starting point for the new filesystem. Using copy on write, all modifications are stored on different devices; the original is unchanged.
• Subvolume-aware quota support
• Send/receive of subvolume changes
  • Efficient incremental filesystem mirroring
• Batch, or out-of-band deduplication (happens after writes, not during)

Current Capabilities:

1. Browse nodes derived from root tree and print information.
2. Browse nodes in filesystem tree and print information.
3. List all files in default filesystem tree.
4. Explore files and subdirectories in default root directory.
5. Switch to a subvolume or snapshot and explore files within.
6. Read a file from the image and save to current directory.

Tools

There will be some stand-alone programs built in Tools/ folder.

Most of them simulate functions of tools in The Sleuth’s Kit.

Current list:

Tools/fsstat: Print information about the file system.
Tools/fls: List files and/or directories in a Btrfs partition image.
Tools/istat: Print information about an inode.
Tools/icat: Output the contents of the file with the provided inode number in Btrfs.
Tools/subls: List subvolumes and snapshots in a Btrfs image.

Download

Requirement:

• Sleuth Kit

git clone https://github.com/shujianyang/btrForensics.git
cd btrForensics
mkdir build
cd build
cmake ..
make

Use

btrfrsc [-o offset1,offset2,offset3…] image

-o offset: Offset to the beginning of the partition (in sectors). May have multiple values if the pool is made up by multiple partitions(devices).

Tutorial

Copyright (c) 2016 Shujian Yang

Source: https://github.com/shujianyang/