LinuxQuestions.org
Old 12-21-2009, 03:56 PM   #1
maurice19
LQ Newbie
 
Registered: Dec 2009
Posts: 11

Rep: Reputation: 0
Hello, I need some help


Hello, I am a student. I have a project on Unix forensic and anti-forensic tools. In the forensic tools I have found a method that is based on changing the inode of a file, but I am not able to change the inode. Does anyone know how to change the inode, or where we can find a C/C++ program to do that?

And another question, please: where can we find the source code of the ext2 file system?

Thanks for your answers.
 
Old 12-21-2009, 04:11 PM   #2
markush
Senior Member
 
Registered: Apr 2007
Location: Germany
Distribution: Slackware
Posts: 3,979

Rep: Reputation: 850
Quote:
Originally Posted by maurice19 View Post
...
And another question, please: where can we find the source code of the ext2 file system?
...
Hello maurice19 and welcome to LQ,

google for "e2fsprogs".

Markus
 
Old 12-23-2009, 02:29 AM   #3
maurice19
LQ Newbie
 
Registered: Dec 2009
Posts: 11

Original Poster
Rep: Reputation: 0
markush, I checked the e2fsprogs but I didn't find a special code. Do you have any specific site where I can find it?

Another question: can we use debugfs to change the inode? If yes, what is the command to do that?

Thanks.
 
Old 12-23-2009, 02:30 AM   #4
Nylex
LQ Addict
 
Registered: Jul 2003
Location: London, UK
Distribution: Slackware
Posts: 7,464

Rep: Reputation: Disabled
Quote:
Originally Posted by maurice19 View Post
And another question, please: where can we find the source code of the ext2 file system?
In the source for the Linux kernel? You can get it from www.kernel.org.
 
Old 12-23-2009, 02:36 AM   #5
maurice19
LQ Newbie
 
Registered: Dec 2009
Posts: 11

Original Poster
Rep: Reputation: 0
Nylex, can we modify the source code of the Linux kernel?
 
Old 12-23-2009, 02:39 AM   #6
Nylex
LQ Addict
 
Registered: Jul 2003
Location: London, UK
Distribution: Slackware
Posts: 7,464

Rep: Reputation: Disabled
Yes, you're allowed to do that under the terms of the GNU General Public License, which is the license that the kernel is released with.
 
Old 12-23-2009, 02:41 AM   #7
maurice19
LQ Newbie
 
Registered: Dec 2009
Posts: 11

Original Poster
Rep: Reputation: 0
Have you ever changed the inode of a file, Nylex?
 
Old 12-23-2009, 02:42 AM   #8
Nylex
LQ Addict
 
Registered: Jul 2003
Location: London, UK
Distribution: Slackware
Posts: 7,464

Rep: Reputation: Disabled
No.
 
Old 12-23-2009, 02:44 AM   #9
maurice19
LQ Newbie
 
Registered: Dec 2009
Posts: 11

Original Poster
Rep: Reputation: 0
OK, thank you. I hope I will be able to do it using the code of ext2.
 
Old 12-23-2009, 03:04 AM   #10
maurice19
LQ Newbie
 
Registered: Dec 2009
Posts: 11

Original Poster
Rep: Reputation: 0
Is this the code of ext2, http://www.kernel.org/diff/diffview.....1-2.bz2;z=all, with the patches, or is it a patch only? Excuse me, because I really don't know what the code is or what it is made of.

Thanks
 
Old 12-23-2009, 03:06 AM   #11
Nylex
LQ Addict
 
Registered: Jul 2003
Location: London, UK
Distribution: Slackware
Posts: 7,464

Rep: Reputation: Disabled
Get the full source. Once you extract it, you'll find the code for ext2 in fs/ext2.
 
Old 12-23-2009, 03:07 AM   #12
AwesomeMachine
Senior Member
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora
Posts: 1,846

Rep: Reputation: 260
Sleuthkit contains tools to change the inode of a file. But if you change the inode manually, the file is lost. The only way you can ever find it is to manually go to that inode and follow it.
 
Old 12-23-2009, 03:11 AM   #13
maurice19
LQ Newbie
 
Registered: Dec 2009
Posts: 11

Original Poster
Rep: Reputation: 0
Sleuthkit contains tools to change the inode of a file. But if you change the inode manually, the file is lost. The only way you can ever find it is to manually go to that inode and follow it.

1st, Sleuthkit is a forensic tool, right? It is used to check if there are changes in the inode? How can we use it to change the inode? What is the command, if you have ever used it?

2nd, where can we find the inode to go to it, and what do you mean by follow it? Thanks.
 
Old 12-23-2009, 01:25 PM   #14
maurice19
LQ Newbie
 
Registered: Dec 2009
Posts: 11

Original Poster
Rep: Reputation: 0
Does anyone know how to use Sleuthkit to change the inode? I have done a lot of research but could not find the way.
 
  


All times are GMT -5.