Skip to content

shujianyang/btrForensics

master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

btrForensics

Forensic Analysis Tool for Btrfs File System.

Platform:

Linux

Prerequisite:

Install the Sleuth Kit library --> Link

Build:

mkdir build

cd build

cmake ..

make

Input File:

Raw image which contains a btrfs partition, or a partition device file with btrfs.

Usage:

btrfrsc [-o offset1,offset2,offset3...] image 

-o offset: Offset to the beginning of the partition (in sectors). May have multiple values if the pool is made up by multiple partitions(devices).

Current Capabilities:

  1. Browse nodes derived from root tree and print information.
  2. Browse nodes in filesystem tree and print information.
  3. List all files in default filesystem tree.
  4. Explor files and subdirectories in default root directory.
  5. Switch to a subvolume or snapshot and exploere files within.
  6. Read a file from image and save to current directory.

Tools

There will be some stand alone programs built in Tools/ folder.

Most of them simulates functions of tools in The Sleuth's Kit.

Current list:

Tools/fsstat: Print information about the file system.
Tools/fls: List files and/or directories in a Btrfs partition image.
Tools/istat: Print information about an inode.
Tools/icat: Output the contents of file with provided inode number in Btrfs.
Tools/subls: List subvolumes and snapshots in a Btrfs image.

Note:

Reference of Btrfs structure can be found in btrfs Wiki.

Btrfs on-disk format: Link

License:

This software uses MIT License.

The Sleuth Kit library is employed.

You can find the Sleuth Kit from sleuthkit/sleuthkit

About

Forensic Analysis Tool for Btrfs File System.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published