Re: svn commit: r312003 - head/usr.sbin/fstyp

2017-01-12 Thread Ngie Cooper (yaneurabeya)

> On Jan 12, 2017, at 19:57, Ngie Cooper (yaneurabeya)  
> wrote:
> 
> 
>> On Jan 12, 2017, at 18:14, Conrad Meyer  wrote:
>> 
>> Forgot to mention:
>> 
>> Documentation: 
>> https://www.sans.org/reading-room/whitepapers/forensics/reverse-engineering-microsoft-exfat-file-system-33274
>> 
>> Images for testing: http://www.cfreds.nist.gov/dfr-test-images.html
>> (raw disk images, include partition tables)
> 
> This commit doesn’t work as advertised:
> 
> $ fstyp dfr-01-xfat.img
> fstyp: dfr-01-xfat.img: filesystem not recognized
> $ grep exfat `which fstyp`
> Binary file /usr/sbin/fstyp matches
> 
> -Ngie

Also:

$ file dfr-01-xfat.img
dfr-01-xfat.img: DOS/MBR boot sector
$ hexdump -C dfr-01-xfat.img | head -n 2
  eb 76 90 45 58 46 41 54  20 20 20 00 00 00 00 00  |.v.EXFAT   .|
0010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||




Re: svn commit: r312003 - head/usr.sbin/fstyp

2017-01-12 Thread Ngie Cooper (yaneurabeya)

> On Jan 12, 2017, at 18:14, Conrad Meyer  wrote:
> 
> Forgot to mention:
> 
> Documentation: 
> https://www.sans.org/reading-room/whitepapers/forensics/reverse-engineering-microsoft-exfat-file-system-33274
> 
> Images for testing: http://www.cfreds.nist.gov/dfr-test-images.html
> (raw disk images, include partition tables)

This commit doesn’t work as advertised:

$ fstyp dfr-01-xfat.img
fstyp: dfr-01-xfat.img: filesystem not recognized
$ grep exfat `which fstyp`
Binary file /usr/sbin/fstyp matches

-Ngie




Re: svn commit: r312003 - head/usr.sbin/fstyp

2017-01-12 Thread Conrad Meyer
Forgot to mention:

Documentation: 
https://www.sans.org/reading-room/whitepapers/forensics/reverse-engineering-microsoft-exfat-file-system-33274

Images for testing: http://www.cfreds.nist.gov/dfr-test-images.html
(raw disk images, include partition tables)


On Thu, Jan 12, 2017 at 6:12 PM, Conrad E. Meyer  wrote:
> Author: cem
> Date: Fri Jan 13 02:12:58 2017
> New Revision: 312003
> URL: https://svnweb.freebsd.org/changeset/base/312003
>
> Log:
>   fstyp(8): Detect exFAT filesystems
>
>   Simply detect the exFAT filesystem name in the Volume Boot Record
>   (superblock).
>
>   PR:   214908
>   Reported by:  
>
> Added:
>   head/usr.sbin/fstyp/exfat.c   (contents, props changed)
> Modified:
>   head/usr.sbin/fstyp/Makefile
>   head/usr.sbin/fstyp/fstyp.8
>   head/usr.sbin/fstyp/fstyp.c
>   head/usr.sbin/fstyp/fstyp.h
>
> Modified: head/usr.sbin/fstyp/Makefile
> ==
> --- head/usr.sbin/fstyp/MakefileFri Jan 13 02:11:16 2017
> (r312002)
> +++ head/usr.sbin/fstyp/MakefileFri Jan 13 02:12:58 2017
> (r312003)
> @@ -3,7 +3,7 @@
>  .include 
>
>  PROG=  fstyp
> -SRCS=  cd9660.c ext2fs.c fstyp.c geli.c msdosfs.c ntfs.c ufs.c
> +SRCS=  cd9660.c exfat.c ext2fs.c fstyp.c geli.c msdosfs.c ntfs.c ufs.c
>
>  .if ${MK_ZFS} != "no"
>  SRCS +=zfs.c
>
> Added: head/usr.sbin/fstyp/exfat.c
> ==
> --- /dev/null   00:00:00 1970   (empty, because file is newly added)
> +++ head/usr.sbin/fstyp/exfat.c Fri Jan 13 02:12:58 2017(r312003)
> @@ -0,0 +1,77 @@
> +/*
> + * Copyright (c) 2017 Conrad Meyer 
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + * 1. Redistributions of source code must retain the above copyright
> + *notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + *notice, this list of conditions and the following disclaimer in the
> + *documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> + * SUCH DAMAGE.
> + */
> +
> +#include 
> +__FBSDID("$FreeBSD$");
> +
> +#include 
> +#include 
> +#include 
> +#include 
> +
> +#include "fstyp.h"
> +
> +struct exfat_vbr {
> +   charev_jmp[3];
> +   charev_fsname[8];
> +   charev_zeros[53];
> +   uint64_tev_part_offset;
> +   uint64_tev_vol_length;
> +   uint32_tev_fat_offset;
> +   uint32_tev_fat_length;
> +   uint32_tev_cluster_offset;
> +   uint32_tev_cluster_count;
> +   uint32_tev_rootdir_cluster;
> +   uint32_tev_vol_serial;
> +   uint16_tev_fs_revision;
> +   uint16_tev_vol_flags;
> +   uint8_t ev_log_bytes_per_sect;
> +   uint8_t ev_log_sect_per_clust;
> +   uint8_t ev_num_fats;
> +   uint8_t ev_drive_sel;
> +   uint8_t ev_percent_used;
> +} __packed;
> +
> +int
> +fstyp_exfat(FILE *fp, char *label, size_t size)
> +{
> +   struct exfat_vbr *ev;
> +
> +   ev = (struct exfat_vbr *)read_buf(fp, 0, 512);
> +   if (ev == NULL || strncmp(ev->ev_fsname, "EXFAT   ", 8) != 0)
> +   goto fail;
> +
> +   /*
> +* Reading the volume label requires walking the root directory to 
> look
> +* for a special label file.  Left as an exercise for the reader.
> +*/
> +   free(ev);
> +   return (0);
> +
> +fail:
> +   free(ev);
> +   return (1);
> +}
>
> Modified: head/usr.sbin/fstyp/fstyp.8
> ==
> --- head/usr.sbin/fstyp/fstyp.8 Fri Jan 13 02:11:16 2017(r312002)
> +++ head/usr.sbin/fstyp/fstyp.8 Fri Jan 13 02:12:58 2017(r312003)
> @@ -27,7 +27,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
> -.Dd February 28, 2016
> +.Dd January 12, 2017
>  .Dt FSTYP 

svn commit: r312003 - head/usr.sbin/fstyp

2017-01-12 Thread Conrad E. Meyer
Author: cem
Date: Fri Jan 13 02:12:58 2017
New Revision: 312003
URL: https://svnweb.freebsd.org/changeset/base/312003

Log:
  fstyp(8): Detect exFAT filesystems
  
  Simply detect the exFAT filesystem name in the Volume Boot Record
  (superblock).
  
  PR:   214908
  Reported by:  

Added:
  head/usr.sbin/fstyp/exfat.c   (contents, props changed)
Modified:
  head/usr.sbin/fstyp/Makefile
  head/usr.sbin/fstyp/fstyp.8
  head/usr.sbin/fstyp/fstyp.c
  head/usr.sbin/fstyp/fstyp.h

Modified: head/usr.sbin/fstyp/Makefile
==
--- head/usr.sbin/fstyp/MakefileFri Jan 13 02:11:16 2017
(r312002)
+++ head/usr.sbin/fstyp/MakefileFri Jan 13 02:12:58 2017
(r312003)
@@ -3,7 +3,7 @@
 .include 
 
 PROG=  fstyp
-SRCS=  cd9660.c ext2fs.c fstyp.c geli.c msdosfs.c ntfs.c ufs.c
+SRCS=  cd9660.c exfat.c ext2fs.c fstyp.c geli.c msdosfs.c ntfs.c ufs.c
 
 .if ${MK_ZFS} != "no"
 SRCS +=zfs.c

Added: head/usr.sbin/fstyp/exfat.c
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/usr.sbin/fstyp/exfat.c Fri Jan 13 02:12:58 2017(r312003)
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2017 Conrad Meyer 
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include 
+__FBSDID("$FreeBSD$");
+
+#include 
+#include 
+#include 
+#include 
+
+#include "fstyp.h"
+
+struct exfat_vbr {
+   charev_jmp[3];
+   charev_fsname[8];
+   charev_zeros[53];
+   uint64_tev_part_offset;
+   uint64_tev_vol_length;
+   uint32_tev_fat_offset;
+   uint32_tev_fat_length;
+   uint32_tev_cluster_offset;
+   uint32_tev_cluster_count;
+   uint32_tev_rootdir_cluster;
+   uint32_tev_vol_serial;
+   uint16_tev_fs_revision;
+   uint16_tev_vol_flags;
+   uint8_t ev_log_bytes_per_sect;
+   uint8_t ev_log_sect_per_clust;
+   uint8_t ev_num_fats;
+   uint8_t ev_drive_sel;
+   uint8_t ev_percent_used;
+} __packed;
+
+int
+fstyp_exfat(FILE *fp, char *label, size_t size)
+{
+   struct exfat_vbr *ev;
+
+   ev = (struct exfat_vbr *)read_buf(fp, 0, 512);
+   if (ev == NULL || strncmp(ev->ev_fsname, "EXFAT   ", 8) != 0)
+   goto fail;
+
+   /*
+* Reading the volume label requires walking the root directory to look
+* for a special label file.  Left as an exercise for the reader.
+*/
+   free(ev);
+   return (0);
+
+fail:
+   free(ev);
+   return (1);
+}
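Review bot: The match in `fstyp_exfat` rests on the 8-byte name alone (`strncmp(ev->ev_fsname, "EXFAT   ", 8)`), so any sector carrying that string at offset 3 is reported as exFAT regardless of what the rest of the boot record holds. If fstyp's answer is used to decide how removable or otherwise untrusted media gets mounted, the probe should be stricter: the struct already names the 53 bytes after the name `ev_zeros`, and the exFAT layout requires them to be zero, so that can be checked from the 512 bytes already read (the 0x55 0xAA boot signature at offset 510 is a further candidate). `memcmp` is also the more natural comparison for a fixed-width on-disk field that is not NUL-terminated. Separately, `label` and `size` are never touched here; whether the caller pre-clears `label` is not visible in this hunk.

```c
	struct exfat_vbr *ev;
	size_t i;

	ev = (struct exfat_vbr *)read_buf(fp, 0, 512);
	if (ev == NULL || memcmp(ev->ev_fsname, "EXFAT   ", 8) != 0)
		goto fail;

	/* The region after the name must be all zero on an exFAT VBR. */
	for (i = 0; i < sizeof(ev->ev_zeros); i++) {
		if (ev->ev_zeros[i] != 0)
			goto fail;
	}

	/* ... unchanged: volume-label comment, free(ev), return (0), fail: path ... */
```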

Modified: head/usr.sbin/fstyp/fstyp.8
==
--- head/usr.sbin/fstyp/fstyp.8 Fri Jan 13 02:11:16 2017(r312002)
+++ head/usr.sbin/fstyp/fstyp.8 Fri Jan 13 02:12:58 2017(r312003)
@@ -27,7 +27,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 28, 2016
+.Dd January 12, 2017
 .Dt FSTYP 8
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@
 The
 .Nm
 utility is used to determine the filesystem type on a given device.
-It can recognize ISO-9660, Ext2, FAT, NTFS, and UFS filesystems.
+It can recognize ISO-9660, exFAT, Ext2, FAT, NTFS, and UFS filesystems.
 When the
 .Fl u
 flag is specified,
@@ -61,6 +61,8 @@ as, respectively:
 .It
 cd9660
 .It
+exfat
+.It
 ext2fs
 .It
 geli

Modified: head/usr.sbin/fstyp/fstyp.c
==
--- head/usr.sbin/fstyp/fstyp.c Fri Jan 13 02:11:16 2017(r312002)
+++