Lect14 / 15 / 17 - The Sleuth Kit

Question 1

Explain the layer approach and name tools for each layer?

Answer 1

1. Physical Media
   
   • lshw, lsscsi, hdparm
2. Media Management
   
   • fdisk, lsblk, mmls, mmcat
3. File System
   
   • FS: file, fsstat, fls
   • File: find, file, ls
4. Application
   
   • less, cat, xv, display, regfmount

Question 2

What is TSK?

Answer 2

The Sleuth Kit (TSK) - for our purposes, is a collection of command line tools that allow you to forensically analyze disks, disk images, file systems and other volume information. There are also libraries and bindings to allow for additional development:

• Autopsy (GUI based on TSK)
• Python/Java bindings

Can be used on live file systems. Can be used in Windows. Linux leverages bash and associated tools to augment the power of TSK.

To install TSK: # sboinstall sleuthkit

Question 3

We also have tools that address physical disks and tools that address the “journals” of some file systems. Name some examples?

Answer 3

• Journal tools: jcat, jls
• File content tools: hfind, fcat

Question 4

TSK command:

Show partitions of a image

Answer 4

mmls <image_file></image_file>

Question 5

TSK command:

Show file system metadata?

Answer 5

fsstat -o 10260 <image_file> | less</image_file>

Question 6

TSK command:
List files and directories of a specific partition?

Answer 6

# fls -o 10260 [2]

Other parameters:

• -r : Recursive
• -d : Only deleted files
• -u : Only undeleted files
• -F : Display file entries only
• -D : Display directory entries only
• -p : Display full path for each entry

Output:

• r/r : Regular file in file’s directory and inode entry. (or one is for the directory tree and one is for the MFT entry)
• d/d : Directory
• V/V : Virtual folder
• $OrphanFiles : virtual file entries that represent unallocated metadata entries where there are no corresponding file names.
• realloc : the inode from the deleted file may have been reallocated to a new file.

Question 7

TSK command:
Show command to export file based on inode/mft?

Answer 7

# icat -o 10260 <image_file> 2139 &gt; lrkn.tgz.2139</image_file>

Determine file type without exporting file:

# icat -o 10260 <image_file> 2139 | file -</image_file>

Display file directly:

# icat -o 10260 <image_file> 2139 | display</image_file>

Question 8

TSK command:

finds an “inode” given a file name or block?

Answer 8

# ifind

ifind -f fat -d 456 fat-img.dd

ifind -f linux-ext2 -n “/etc/” linux-img.dd

Question 9

TSK command:
“File find”: finds a file name given an “inode”

Answer 9

# ffind -o 10260 -a <image_file> 2139</image_file>

-a : ensures that we get all the inode associations.​

Question 10

TSK command:
Displays a file’s meta data

Answer 10

# istat -o 10260 <image_file> 2139 | less</image_file>

Question 11

TSK command:
Export unallocated blocks from file system

Answer 11

# blkls -o 63 image.raw > image.blkls

Question 12

TSK command:
Calculates the association between an unallocated block and original file system block.

Answer 12

# blkcalc -u $((422543/4096)) -o 63 image.raw

Question 13

TSK command:
Export data from a particular block

Answer 13

# blkcat -o 571392 able_3.000 327206 > blk.327206

Question 14

TSK command:
Check if block is allocated or not

Answer 14

# blkstat -o 10260 able2.dd 5184

Question 15

TSK command:
recovers unallocated (or all) files from a file system.

Answer 15

# tsk_recover ./image.dd ./recovered

Question 16

TSK command:
creates a body file for timelines (file activity only)

Answer 16

tsk_gettimes

Question 17

TSK command:
Categorizes allocated and unallocated files based on type (images, executables, etc). Extremely flexible and configurable.

Answer 17

sorter

Question 18

TSK command:

Allows for the separation of meta-data and original data from image files (media duplication, not pictures)

Answer 18

img_cat

Question 19

TSK command:

Provides information about a forensic image. The information it provides is dependent on the image format (aff, ewf, etc.).

Answer 19

img_stat <firstpart_image_file></firstpart_image_file>

Question 20

TSK command:

Hash lookup tool. Creates and searches an indexed database.

Answer 20

hfind

Question 21

TSK command:
Searches a given file (forensic image, disk, etc.) for a hex signature at any specified offset (sector boundary). Used for finding data structures.

Answer 21

sigfind

Question 22

TSK command:
Creates a timeline of file activity. Useful for intrusion investigations where temporal relationships are critical.

Answer 22

mactime

Question 23

TSK command:

Like standard BSD strings command, but with the ability to parse different encodings.

Answer 23

srch_strings

Question 24

Where are all TSK tools installed?

Answer 24

/usr/bin

Question 25

Explain the steps for physical string search & file recovery (ext2)?

Answer 25

1. Look for search hit
   
   • grep -abio <searchterm> <imagefile></imagefile></searchterm>
2. Look at the match with the hex viewer
   
   • xxd -s <bytes> image.dd | head -n 5</bytes>
3. Figure out which partition the match is in
   
   • echo “<bytes> / 512" | bc</bytes>
4. Check partition table
   
   • mmls image.dd
5. Calculate offset to the file
   
   • [fileoffset] - [partitionstart*512]
6. Check block size of partition
   
   • fsstat -o <offset> image.dd</offset>
7. Check allocation status of resulting block
   
   • echo “([fileoffset]-[partitionstart*512])/1024” | bc
   • blkstat -o <offset> image.dd <block></block></offset>
8. Tell us which inode points to data block
   
   • ifind -o <offset> -d <block> image.dd</block></offset>
9. Check stats of that inode
   
   • istat -o <offset> image.dd <inode></inode></offset>
10. Export inode
    
    • icat -o <offset> image.dd <inode></inode></offset>

Question 26

Explain the steps for physical string search & file recovery (ext4)?

Answer 26

1. Look for search hit
2. Figure out which partition the match is in
3. Check partition table
4. Find out cluster size of file system
5. Calculate the block number of the search hit (<bitoffset_of_searchhit> - (partition_start * Disk_Blocksize))/FS_Blocksize
   </bitoffset_of_searchhit><ul>
   <li><em>echo "(1632788547-(571392*512))/4096" | bc</em></li>
   </ul></bitoffset_of_searchhit>
6. Check block statuswith blkstat
7. Check inode with ifind => not found
8. Directly export block
   
   • # blkcat -o 571392 able_3.000 327206 > blk.327206

The inode cannot be found. Again this is because the inodes in ext4 that are unallocated have the direct block pointers deleted.

Question 27

Explain the steps for physical string search & file recovery (NTFS)

Answer 27

1. Look for search hit
2. (opt) using the tr command to translate control characters to newlines:
   
   • tr ’[:cntrl:]’ ’\n’ < ewfmnt/ewf1 | grep -abi cyberbullying
3. Calculating what sector the keyword is in.
4. Check offset within the volume:
   
   • echo “(426596865-(2048*512))/4096” | bc
5. Check status of data block with: blkstat
6. Check mft of associated file:
   
   • ifind -o 2048 -d 103893 image.E01
7. Export content:
   
   • # icat -o 2048 image.E01 248 > ntfs.248

Question 28

Name to ways to physically search an entire image?

Answer 28

# grep -abio <searchterm> image.raw</searchterm>

OR

# cat image.00* | grep -abi <searchterm></searchterm>

Question 29

What are drawbacks of searches with grep?

Answer 29

• Won’t look in compound documents
• Special encodings
• Archives, etc.

=> a solution for this is the use of: bulk_extractor

Question 30

What is unallocated data?

Answer 30

Can be data that resides on a disk but might not be allocated to a specific meta-data entry (no MFT/FAT entry) or no directory entry (deleted name?). Unallocated blocks can be file system clusters or blocks that have not been assigned (or have been ’unassigned’ or deleted) from meta-data entry. In (overly) simple terms, unallocated data is data that belongs to deleted files. In general, when we talk about recovering unallocated data, we are talking about recovering deleted files that have not yet been overwritten (or partially overwritten) by the file system’s allocation algorithm.

Question 31

Explain how to separate unallocated block from file system?

Answer 31

# blkls -o 63 image.raw[E01] > image.blkls

Question 32

How can you calculate the cluster of a search hit from unallocated space in the original image?

Answer 32

blkcalc -u $((422543/4096)) -o 63 image.raw

422543 = Byte offset of search hit

Question 33

How can you associate the unallocated block with a meta-data entry?

Answer 33

# ifind -o 63 -d 2441 image.raw