VNODE: TRANSFORMING A REGULAR FILE INTO A DEVICE ON FREEBSD





VNODE: TRANSFORMING A REGULAR FILE INTO A DEVICE ON FREEBSD

Just as losetup allows you to transform an evidence file created from a forensic duplication into a device for analysis, the vnode capability of FreeBSD lets you accomplish the same task. The vnode device in FreeBSD associates the regular file with an abstract device designated as /dev/vn#, where # denotes the number of the device, which is arbitrary and user defined. After you associate the evidence file with the vnode device using the vnconfig utility, you can mount or analyze the newly created special file as you can an actual hard drive.

Note 

Mounting a file system provides only a logical view of the source file system. Although every bit is available through the loopback device, no tools are available with the base installation of Unix operating systems to view the deleted files quickly from the file system.

Implementation

To compile in support for the vn, you must add a line similar to the following to your kernel configuration file:

pseudo-device vn

The kernel will then need to be recompiled and the machine rebooted. You may also wish to run ./MAKEDEV all in the /dev directory to create the device files for you.

The command-line options for vnconfig are as follows:

forensic# vnconfig
usage: vnconfig [-cdeguv] [-s option] [-r option] [-S value] special_file ¬
[regular_file] [feature]
           vnconfig -a [-cdeguv] [-s option] [-r option] [-f config_file]

The following command demonstrates associating an evidence file created from a source hard drive with a special device file, /dev/vn0, to mount it as a regular file system:

forensic# vnconfig /dev/vn0 /mnt/storage/disk.bin


forensic# fdisk /dev/vn0


******* Working on device /dev/vn0 *******
parameters extracted from in-core disklabel are:
cylinders=2495 heads=255 sectors/track=63 (16065 blks/cyl)


Figures below won't work with BIOS for partitions not in cyl 1
parameters to be used for BIOS calculations are:
cylinders=2495 heads=255 sectors/track=63 (16065 blks/cyl)


Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS superblock is:
The data for partition 1 is:
sysid 12,(DOS or Windows 95 with 32 bit FAT, LBA)
  start 63, size 40082112 (19571 Meg), flag 0
    beg: cyl 0/ head 1/ sector 1;
    end: cyl 1023/ head 254/ sector 63
The data for partition 2 is:
<UNUSED>
The data for partition 3 is:
<UNUSED>
The data for partition 4 is:
<UNUSED>

After the evidence file has been associated with a virtual node, you can use all the commands that manipulate files on the device. Of course, you should install preventative measures to protect against modification of the evidence file. The simplest measure is to change the evidence file to read-only using the chmod 400 <filename> command before it is associated with a virtual node.

The next command demonstrates mounting the duplication of the Windows source media in FreeBSD:


forensic# mount -t msdos -o ro /dev/vn0s1 /mnt/evidence
forensic# ls /mnt/evidence
Previous Section
Next Section


 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows