Support for parsing an XFS file system

Nuix Workstation 100.0.0 now has the ability to ingest an XFS file system through the Add evidence > Add Files or Add Folders options.

The image shows the two most important folders in a disk image that you would want to open in a forensic investigation. These are the:

  • etc folder, which contains the system files.
  • home folder, which contains all user account data.

MIME type

The XFS file system lists under the ‘Containers’ MIME type in the Nuix Supported File Types v100.2.0 document as follows:

Containers

  Description | Query String            | Extension | Support level                          | Data Carving
  Disk Image  | application/xdisk-image |           | Supported (XFS, snapshots unsupported) | Supported for Carving (Undocumented)

XFS format

XFS is a highly scalable, high-performance 64-bit journaling file system created by Silicon Graphics Inc (SGI) and supported by most Linux distributions since 2014. It is designed to handle files of enormous size.

Over 70% of web and database servers connected to the internet run Linux, which makes it an attractive target for attackers. The XFS file system, commonly paired with Red Hat Linux, Amazon Linux, and CentOS, is therefore a prime target for malware, data exfiltration, advanced persistent threats, and a whole host of other threats from bad actors.

How to locate evidence on Linux Systems

As the volume of digitized information grows, and as organizations of all sizes increasingly fall victim to cybersecurity threats, the importance of quickly locating evidence keeps growing.

The following is a curated list of targeted locations to help you find evidence on a Linux system:

Evidence type              | Location
Bash History               | /home/%username%/.bash_history
Recent Files               | /home/%username%/.local/share/recently-used.xbel
Scheduled Tasks            | /etc/cron*
                           | /var/spool/crontabs
                           | /var/spool/atjobs
                           | /etc/anacron
SSH Files                  | /home/%username%/.ssh/authorized_keys
                           | /home/%username%/.ssh/known_hosts
                           | /home/%username%/.ssh/config
                           | /home/%username%/.ssh/id_*
Startup Items              | /etc/systemd/system
                           | /usr/lib/systemd/system
                           | /etc/init*
System Files               | /etc/*-release
                           | /etc/hostname
                           | /etc/hosts
                           | /var/lib/NetworkManager
                           | /var/lib/dhclient
                           | /var/lib/dhcp
System & Application Logs  | /var/log/*
Trash                      | /home/%username%/.local/share/Trash/
Web Browsing Activity      | /home/%username%/.config/google-chrome/
                           | /home/%username%/.mozilla/firefox/
                           | /home/%username%/.config/Opera/
                           | /home/%username%/.cache/
User Account/Data          | /home/%username%/*
                           | /etc/passwd
                           | /etc/shadow
                           | /etc/sudoers
                           | /etc/group
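The following Python script is an added example, not Nuix code: given the mount point of an imaged XFS volume (assumed to be mounted read-only, for instance at /mnt/xfs_image), it expands the %username% placeholder across every directory under /home, resolves the wildcards from the table above relative to that mount point, and records path, size, modification time and SHA-256 for each artifact found, giving an inventory that can be cross-checked against the items ingested into the case.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Locations from the table above; %username% is expanded once per directory under /home.
# "User Account/Data" comes last so its catch-all does not claim files a specific row already matched.
EVIDENCE_LOCATIONS = {
    "Bash History": ["/home/%username%/.bash_history"],
    "Recent Files": ["/home/%username%/.local/share/recently-used.xbel"],
    "Scheduled Tasks": ["/etc/cron*", "/var/spool/crontabs", "/var/spool/atjobs", "/etc/anacron"],
    "SSH Files": ["/home/%username%/.ssh/authorized_keys", "/home/%username%/.ssh/known_hosts",
                  "/home/%username%/.ssh/config", "/home/%username%/.ssh/id_*"],
    "Startup Items": ["/etc/systemd/system", "/usr/lib/systemd/system", "/etc/init*"],
    "System Files": ["/etc/*-release", "/etc/hostname", "/etc/hosts"],
    "System & Application Logs": ["/var/log/*"],
    "Trash": ["/home/%username%/.local/share/Trash/"],
    "User Account/Data": ["/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/group", "/home/%username%/*"],
}

def sha256_of(path: Path) -> str:
    with path.open("rb") as f:  # whole-file read is fine for these artifacts; stream it for huge logs
        return hashlib.sha256(f.read()).hexdigest()

def expand_pattern(root: Path, pattern: str) -> list[Path]:
    """Substitute each home directory name for %username%, then glob relative to the mount
    root so that a pattern such as '/etc/*-release' never touches the examiner's own /etc.
    Symlinks are dropped: an absolute link inside the image would resolve against the host."""
    home = root / "home"
    users = [d.name for d in home.iterdir() if d.is_dir()] if home.is_dir() else []
    variants = [pattern.replace("%username%", u) for u in users] if "%username%" in pattern else [pattern]
    return sorted(p for v in variants for p in root.glob(v.strip("/")) if not p.is_symlink())

def collect_artifacts(root: Path) -> list[dict]:
    """One record per regular file; directories are walked, each file is reported once."""
    records, seen = [], set()
    for evidence_type, patterns in EVIDENCE_LOCATIONS.items():
        for pattern in patterns:
            for hit in expand_pattern(root, pattern):
                for f in ([hit] if hit.is_file() else hit.rglob("*")):
                    if f.is_symlink() or not f.is_file() or f in seen:
                        continue
                    seen.add(f)
                    st = f.stat()
                    records.append({"type": evidence_type, "path": "/" + f.relative_to(root).as_posix(),
                                    "size": st.st_size, "sha256": sha256_of(f),
                                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()})
    return records
```

Call `collect_artifacts(Path("/mnt/xfs_image"))` against the mount point and write the returned records out as CSV or JSON for the case file.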

Find more information at: https://xfs.org/index.php/XFS_Papers_and_Documentation

Known limitation

XFS file systems do not support snapshots.