[sleuthkit-users] Inode in deleted directory entry points to wrong file
From: Walker J. <j_w...@ho...> - 2010-04-16 15:13:58
Hello everyone! I'm analyzing an old Linux ext3 honeypot image again with TSK 3.1.0. I've used strings and blkcat to recover the deleted directory entry for /usr/X11R6/rk/ which was used to store rootkit-related files. The problem is that when I parse the recovered rk/ directory entry, the inodes turn out to be inodes for files in another of the attacker's deleted directories; /root/.linuxhelp/.

For example... from the deleted rk/ directory entry:

Inode: 307836
Entry Length: 16
Name Length: 5
Name: setup

Part of the body file:

0|/root/.linuxhelp/webmin.pl (deleted)|307836|r/rrwxr-xr-x|0|0|0|1204263805|1204264016|1204264016|0

I have some orphans in my timeline from /usr/X11R6/rk/, and I was hoping I would be able to use the recovered rk/ directory entry to give those orphans file names, but the inodes match the wrong file. Any insight as to what is going on is appreciated.

Thanks!
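One way to make the mismatch the poster describes visible, as an added example that is neither code from the original post nor part of The Sleuth Kit: walk a recovered ext3 directory block entry by entry, pair each entry's inode with the body-file record for that inode, and flag entries whose recovered name disagrees with the path the body file reports, which is what inode reuse looks like once a freed inode number has been handed to a later file. The directory bytes and the body line are constructed here from the values quoted in the post, and the layout assumed is the ext2/ext3 linear entry with the one-byte name_len plus file_type field.

```python
import struct
from typing import Iterator

def make_dirent(inode: int, name: bytes, rec_len: int, ftype: int = 1) -> bytes:
    """Pack one ext2/ext3 directory entry: inode(4) rec_len(2) name_len(1) file_type(1) name."""
    header = struct.pack("<IHBB", inode, rec_len, len(name), ftype)
    return (header + name).ljust(rec_len, b"\x00")

# Constructed directory block: the "setup" entry quoted in the post (inode 307836,
# rec_len 16, name_len 5) followed by a second made-up entry to exercise the chain.
SAMPLE_BLOCK = make_dirent(307836, b"setup", 16) + make_dirent(307837, b"clean", 16)

# Constructed TSK 3.x body-file line (fields split by '|'):
# MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
BODY_LINES = [
    "0|/root/.linuxhelp/webmin.pl (deleted)|307836|r/rrwxr-xr-x|0|0|0|1204263805|1204264016|1204264016|0",
]

def parse_dirents(block: bytes) -> Iterator[dict]:
    """Follow the rec_len chain through a directory block, stopping at slack or garbage."""
    off = 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
        if rec_len < 8 or off + rec_len > len(block):
            break  # a sane entry is at least 8 bytes and stays inside the block
        name = block[off + 8: off + 8 + name_len].decode("latin-1")
        yield {"inode": inode, "rec_len": rec_len, "name_len": name_len, "name": name}
        off += rec_len

def body_by_inode(lines: list[str]) -> dict[int, dict]:
    """Index body-file records by inode number (field 3)."""
    out = {}
    for line in lines:
        f = line.split("|")
        out[int(f[2])] = {"path": f[1], "ctime": int(f[9])}
    return out

def reuse_conflicts(block: bytes, body_lines: list[str]) -> list[tuple]:
    """Return (recovered name, inode, body path) for entries whose inode now belongs to a
    differently named file: the inode was freed and reallocated, so the name cannot be
    trusted to label that inode's orphan in the timeline."""
    inodes = body_by_inode(body_lines)
    conflicts = []
    for d in parse_dirents(block):
        rec = inodes.get(d["inode"])
        if rec is None:
            continue  # inode not in the body file, nothing to compare against
        current = rec["path"].removesuffix(" (deleted)")
        if not current.endswith("/" + d["name"]):
            conflicts.append((d["name"], d["inode"], rec["path"]))
    return conflicts
```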