Dare to delete my files!

by Nikhil Wagholikar, NII Consulting
Introduction

One of the recommended file systems for Linux is Ext-3. Ext-3 may not be as robust and feature-rich as Microsoft's NTFS, but it has some built-in features that make Linux a strong performer.

Here we will explore one such feature of the Ext-3 file system. The feature is actually an attribute which, once set on a file or folder, prevents even the “root” user from deleting, modifying or renaming it. The attribute is set with the “chattr” command.

chattr

According to the Linux man page, “chattr” is defined as:

“chattr changes the file attributes on a Linux second extended file system.”

Here “second extended file system” is simply the Ext-2 file system. Since Ext-3 is an upgraded version of Ext-2, everything discussed for Ext-2 applies equally to Ext-3.

Let’s quickly go through some important switches available with “chattr” command.

-R: Recursively change the attributes of a directory and its contents. Symbolic links are ignored.

-V: Be verbose and print the program version.

i: Set with “chattr +i”. A file with this attribute cannot be deleted, modified, renamed, linked to, or appended to by any user, including root.

s: When a file with this attribute is deleted, the disk blocks it occupied are overwritten with zeros.

u: When a file with this attribute is deleted, its contents are kept so that the file can be undeleted and recovered later.

So when investigating a Linux machine, the forensic analyst must look out for files carrying these attributes, since they may prove useful during the examination of the disk.

lsattr

The attributes set by the “chattr” command cannot be seen with the normal “ls -l” or “dir -l” command.

“lsattr” is the command that shows the attributes set by “chattr”.

It lists the file attributes on a second extended and third extended file system.

Let’s quickly look at the available switches for “lsattr” command:

-R: Recursively lists attributes of a directory and its contents

-a: Lists attributes of all files within the directory including hidden ones (starting with ‘.’)
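The reason “ls -l” shows nothing is that the mode bits it prints come from stat(2), while chattr attributes live in a separate inode flags word that lsattr reads with the FS_IOC_GETFLAGS ioctl. The following Python script is an added example, not code from the article or from e2fsprogs: it reads that flags word for a path and decodes it into the same letters lsattr prints. The ioctl number and flag bit values are taken from the Linux <linux/fs.h> header; the function names and the temporary-file demo are this example's own.

```python
import os
import struct
import sys
import tempfile

try:
    import fcntl  # POSIX only; the ioctl path below is Linux-specific anyway
except ImportError:  # pragma: no cover - non-POSIX host
    fcntl = None

# Values from <linux/fs.h>. FS_IOC_GETFLAGS is _IOR('f', 1, long), so its
# numeric encoding depends on sizeof(long): 8 on 64-bit Linux, 4 on 32-bit.
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601

# Inode flag bits and the letter lsattr prints for each (a subset of the
# FS_*_FL definitions; the article discusses i, s and u).
INODE_FLAGS = [
    (0x00000001, "s"),  # FS_SECRM_FL:     zero blocks on delete
    (0x00000002, "u"),  # FS_UNRM_FL:      keep blocks for undeletion
    (0x00000004, "c"),  # FS_COMPR_FL:     compressed
    (0x00000008, "S"),  # FS_SYNC_FL:      synchronous updates
    (0x00000010, "i"),  # FS_IMMUTABLE_FL: immutable (chattr +i)
    (0x00000020, "a"),  # FS_APPEND_FL:    append-only
    (0x00000040, "d"),  # FS_NODUMP_FL:    skipped by dump(8)
    (0x00000080, "A"),  # FS_NOATIME_FL:   no atime updates
]

FS_IMMUTABLE_FL = 0x00000010


def decode_flags(flags: int) -> str:
    """Return the lsattr-style letters for a raw inode flags word, e.g. 0x30 -> 'ia'."""
    return "".join(letter for bit, letter in INODE_FLAGS if flags & bit)


def read_inode_flags(path: str):
    """Read the raw inode flags word for *path*.

    Returns None when the platform or file system does not support the ioctl
    (non-Linux hosts, or file systems without inode flags), so a caller can
    tell "no attributes set" apart from "could not check".
    """
    if fcntl is None or not sys.platform.startswith("linux"):
        return None
    fd = os.open(path, os.O_RDONLY)
    try:
        # Hand the kernel an 8-byte buffer; it writes a 32-bit int at the start.
        buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, b"\0" * 8)
    except OSError:
        return None
    finally:
        os.close(fd)
    return struct.unpack("i", buf[:4])[0]


def is_immutable(path: str):
    """True/False when the check worked, None when the flags could not be read."""
    flags = read_inode_flags(path)
    if flags is None:
        return None
    return bool(flags & FS_IMMUTABLE_FL)


if __name__ == "__main__":
    # Demo on a fresh temporary file, which has no chattr attributes set.
    with tempfile.NamedTemporaryFile() as tmp:
        flags = read_inode_flags(tmp.name)
        if flags is None:
            print(f"{tmp.name}: inode flags not readable on this file system")
        else:
            print(f"{tmp.name}: raw=0x{flags:08x} lsattr='{decode_flags(flags)}' "
                  f"immutable={is_immutable(tmp.name)}")
```

Reading the flags needs no special privilege, which is why lsattr works as an ordinary user, whereas changing the i attribute needs the CAP_LINUX_IMMUTABLE capability that only root normally holds.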

Example

Let’s create six files named sequentially from Test1 to Test6.

Files present in our directory

Let’s see the normal directory permission of all these files.

Normal permissions on files

Now let’s set the non-deletion attribute on the file “Test4”.

Now let’s look at the normal permissions of all these files again.

Normal permissions on all files after setting non-deletion attribute

As we can see, the attribute set on “Test4” is not visible at all through the normal “ls -l” command.

Now let’s look at the hidden attributes set on “Test4” with the “lsattr” command.

Listing attributes set on files

Now we can see the attribute set on “Test4”.

Now let’s try to delete this file with the “rm -rf” command.

As we can see, even with root privileges it is impossible for us to delete this file.

The only way to delete this file is to first clear the “i” attribute with the command “chattr -i Test4”.

Now, if we try to delete the file, it succeeds.

Conclusion

It is very important for a forensic analyst to look not only for files with the SUID or SGID bit set, but also for files with these kinds of attributes set on them.

A typical scenario is a (hidden) Trojan with this attribute set on it. Even when an anti-virus program detects such a Trojan file, it may still be unable to delete it, simply because the “+i” attribute is set.

Note that the attributes on a file can only be changed by whoever set them. Moreover, for security reasons, Linux does not allow a non-root user to set the “i” attribute on any file or directory.
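To turn the advice in the “lsattr” section and this conclusion into a repeatable check, the following Python script is an added example (not part of the article): it parses the text produced by “lsattr -R” and lists every file carrying an attribute of interest. The sample output embedded in it is constructed to look like the article's six Test files plus a subdirectory; it was not captured from a real system. The example goes one step beyond the article by also flagging the append-only attribute “a”, which likewise stops ordinary deletion. Function names are this example's own.

```python
import re

# Constructed sample of `lsattr -R` output (not captured from a real system):
# the six Test files from the article, a subdirectory header, one append-only
# file, and one error line in the form lsattr prints for files it cannot query.
SAMPLE_LSATTR_OUTPUT = """\
--------------e----- ./Test1
--------------e----- ./Test2
--------------e----- ./Test3
----i---------e----- ./Test4
--------------e----- ./Test5
--------------e----- ./Test6

./lib:
-----a--------e----- ./lib/.bash_history
----i---------e----- ./lib/libfoo.so
--------------e----- ./lib/README
lsattr: Operation not supported While reading flags on ./lib/sock
"""

# Attribute letters worth flagging during triage: i, s and u are the ones the
# article covers; a (append-only) is another chattr attribute that resists rm.
WATCH_FLAGS = "iasu"

# A data line is a flag field made of '-' and letters, whitespace, then the path.
# Directory headers ("./lib:") and lsattr's own error lines ("lsattr: ...") do
# not match because ':' and '.' are outside the flag-field character class.
_LINE_RE = re.compile(r"^([-A-Za-z]+)\s+(.+?)\s*$")


def parse_lsattr(text):
    """Yield (path, letters_set) for every file line in lsattr output."""
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        field, path = m.groups()
        yield path, field.replace("-", "")


def find_flagged(text, watch=WATCH_FLAGS):
    """Return [(path, matched_letters)] for files carrying any attribute in *watch*."""
    hits = []
    for path, letters in parse_lsattr(text):
        matched = "".join(c for c in letters if c in watch)
        if matched:
            hits.append((path, matched))
    return hits


def report(text, watch=WATCH_FLAGS):
    """Render the hits as one line per file: attribute letters, then the path."""
    return "\n".join(f"{letters:<4} {path}" for path, letters in find_flagged(text, watch))


if __name__ == "__main__":
    print(report(SAMPLE_LSATTR_OUTPUT))
```

In practice the input comes from running “lsattr -R -a” over the mounted (read-only) evidence and saving the output to a file, then passing that text to find_flagged. One caveat when reading the results: the chattr man page states that the s and u attributes are not honored by the mainline ext2/ext3/ext4 implementations, so finding them set says something about whoever set them, not about what the kernel actually did on deletion.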
