Lect14 / 15 / 17 - The Sleuth Kit Flashcards
Explain the layer approach and name tools for each layer?
- Physical Media: lshw, lsscsi, hdparm
- Media Management: fdisk, lsblk, mmls, mmcat
- File System
  - FS: file, fsstat, fls
  - File: find, file, ls
- Application: less, cat, xv, display, regfmount
What is TSK?
The Sleuth Kit (TSK) is, for our purposes, a collection of command line tools for forensically analyzing disks, disk images, file systems and volume (partition) information. There are also libraries and bindings for further development:
- Autopsy (GUI built on TSK)
- Python/Java bindings
TSK can be used on live file systems as well as on images, and runs on Windows. On Linux, bash and the standard Unix tools (grep, xxd, bc, file, ...) augment TSK.
To install TSK (Slackware, via sbotools): # sboinstall sleuthkit
We also have tools that address physical disks and tools that address the journals of some file systems. Name some examples.
- Journal tools: jls (list journal entries), jcat (output a journal block)
- File content and hash tools: fcat (output a file's content by path), hfind (hash database lookup)
TSK command:
Show the partitions of an image
mmls <image_file>
TSK command:
Show file system metadata (-o is the partition start in sectors, from mmls)
fsstat -o 10260 <image_file> | less
TSK command:
List files and directories of a specific partition
# fls -o 10260 <image_file>
Other parameters:
- -r : Recursive
- -d : Only deleted files
- -u : Only undeleted files
- -F : Display file entries only
- -D : Display directory entries only
- -p : Display full path for each entry
Output:
- r/r : Regular file. The letter before the slash is the type recorded in the directory (name) entry, the letter after it the type recorded in the metadata entry (inode or MFT entry); they normally agree.
- d/d : Directory
- V/V : Virtual file or folder created by TSK, not present on the disk
- $OrphanFiles : virtual directory holding entries for unallocated metadata entries (inodes/MFT entries) that have no corresponding file name
- realloc : the name is deleted but its inode has since been reallocated to a new file, so the inode's content may not belong to this name
TSK command:
Show the command to export a file by inode/MFT entry number
# icat -o 10260 <image_file> 2139 > lrkn.tgz.2139
Determine the file type without exporting the file:
# icat -o 10260 <image_file> 2139 | file -
Display the file directly (e.g. a picture, via ImageMagick display):
# icat -o 10260 <image_file> 2139 | display
TSK command:
Finds an inode given a data block (-d) or a file name (-n)
# ifind
ifind -f fat -d 456 fat-img.dd
ifind -f linux-ext2 -n "/etc/" linux-img.dd
TSK command:
"File find": finds the file name(s) given an inode
# ffind -o 10260 -a <image_file> 2139
-a : list all names that point to the inode, not just the first one found.
TSK command:
Displays a file's metadata
# istat -o 10260 <image_file> 2139 | less
TSK command:
Export unallocated blocks from file system
# blkls -o 63 image.raw > image.blkls
TSK command:
Maps a block number in blkls output (-u) back to the block number in the original file system; the unit number is the byte offset of the hit in the blkls output divided by the block size.
# blkcalc -u $((422543/4096)) -o 63 image.raw
TSK command:
Export data from a particular block
# blkcat -o 571392 able_3.000 327206 > blk.327206
TSK command:
Check if block is allocated or not
# blkstat -o 10260 able2.dd 5184
TSK command: recovers unallocated (or all) files from a file system.
# tsk_recover ./image.dd ./recovered
TSK command:
creates a body file for timelines (file activity only)
tsk_gettimes
TSK command:
Categorizes allocated and unallocated files based on type (images, executables, etc). Extremely flexible and configurable.
sorter
TSK command:
Outputs the raw content of a disk image, separating it from the container metadata of formats such as AFF or EWF ("image" here means a media duplicate, not a picture)
img_cat
TSK command:
Provides information about a forensic image. The information it provides depends on the image format (aff, ewf, etc.).
img_stat <firstpart_image_file>
TSK command:
Hash lookup tool. Creates and searches an indexed database.
hfind
TSK command:
Searches a given file (forensic image, disk, etc.) for a hex signature at any specified offset (sector boundary). Used for finding data structures.
sigfind
TSK command:
Creates a timeline of file activity. Useful for intrusion investigations where temporal relationships are critical.
mactime
TSK command:
Like standard BSD strings command, but with the ability to parse different encodings.
srch_strings
Where are all TSK tools installed?
/usr/bin
Explain the steps for physical string search & file recovery (ext2)?
- Look for a search hit (grep -b prints the byte offset of the match in the image):
  - grep -abio <searchterm> <imagefile>
- Look at the match with a hex viewer:
  - xxd -s <bytes> image.dd | head -n 5
- Figure out which partition the match is in (convert the byte offset to a sector):
  - echo "<bytes> / 512" | bc
- Check the partition table:
  - mmls image.dd
- Calculate the offset of the hit within the partition:
  - [fileoffset] - [partitionstart*512]
- Check the block size of the partition (1024 bytes in this example):
  - fsstat -o <offset> image.dd
- Check the allocation status of the resulting block:
  - echo "([fileoffset]-[partitionstart*512])/1024" | bc
  - blkstat -o <offset> image.dd <block>
- Find which inode points to the data block:
  - ifind -o <offset> -d <block> image.dd
- Check the stats of that inode:
  - istat -o <offset> image.dd <inode>
- Export the inode's content:
  - icat -o <offset> image.dd <inode>
Explain the steps for physical string search & file recovery (ext4)?
- Look for a search hit
- Figure out which partition the match is in
- Check the partition table
- Find out the block size of the file system (fsstat)
- Calculate the block number of the search hit: (<byte_offset_of_searchhit> - (partition_start * disk_sector_size)) / FS_blocksize
  - echo "(1632788547-(571392*512))/4096" | bc
- Check the block status with blkstat
- Check the inode with ifind => not found
- Directly export the block:
  - # blkcat -o 571392 able_3.000 327206 > blk.327206
The inode cannot be found because ext4 clears the block (extent) pointers in the inode when a file is deleted, so ifind -d has nothing that maps the block back to an inode. The block content itself is still on disk and can be exported with blkcat.
Explain the steps for physical string search & file recovery (NTFS)
- Look for a search hit
  - (opt) use the tr command to translate control characters to newlines so the hit is printed with less surrounding binary (tr replaces byte for byte, so the offsets grep reports are still offsets in the original image):
  - tr '[:cntrl:]' '\n' < ewfmnt/ewf1 | grep -abi cyberbullying
- Calculate the cluster the keyword is in: the offset within the volume divided by the cluster size (4096 here):
  - echo "(426596865-(2048*512))/4096" | bc
- Check the status of the data block with blkstat
- Find the MFT entry of the associated file:
  - ifind -o 2048 -d 103893 image.E01
- Export the content (MFT entry 248 in this example):
  - # icat -o 2048 image.E01 248 > ntfs.248
Name two ways to physically search an entire image?
# grep -abio <searchterm> image.raw
OR (for a split image, concatenated so the reported byte offsets are relative to the whole image)
# cat image.00* | grep -abi <searchterm>
What are the drawbacks of searches with grep?
- Won't look inside compound documents
- Won't match text stored in other encodings (e.g. UTF-16)
- Won't look inside archives, compressed data, etc.
=> a solution for this is the use of: bulk_extractor
What is unallocated data?
Data that resides on a disk but is not assigned to a metadata entry (no inode/MFT/FAT entry) or has no directory entry (the name was deleted). Unallocated blocks are file system clusters or blocks that have never been assigned to a metadata entry, or have been unassigned from one by deletion. In (overly) simple terms, unallocated data is data that belongs to deleted files. In general, when we talk about recovering unallocated data, we are talking about recovering deleted files that have not yet been overwritten (or only partially overwritten) by the file system's allocation algorithm.
Explain how to separate the unallocated blocks from a file system?
# blkls -o 63 image.raw > image.blkls
(works the same on an E01 image, which TSK reads directly)
How can you calculate the block of a search hit found in the unallocated-space extract (image.blkls) in the original image?
blkcalc -u $((422543/4096)) -o 63 image.raw
422543 = byte offset of the search hit in image.blkls; 4096 = block size from fsstat; the result of the division is the blkls unit number that blkcalc -u maps back to the original block.
How can you associate the unallocated block with a metadata entry?
# ifind -o 63 -d 2441 image.raw
(2441 being the original block number that blkcalc returned)
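As an added example (not part of these flashcards), the arithmetic behind the ext2, ext4 and NTFS search-hit walkthroughs and behind the blkls/blkcalc card, written as shell functions. The block parses a constructed mmls listing to find the partition containing a grep -abo hit, converts the hit to a file-system block and in-block offset (or, for a hit in blkls output, to the unit number blkcalc -u expects) and prints the TSK commands to run next. The image name, the 512-byte sector size and the 4096-byte block size are placeholder assumptions; on a real image take the block size from fsstat.

```shell
#!/bin/sh
# Added example: map a grep -abo byte offset to the TSK block/partition numbers
# used in the flashcards. Not part of the original page. Assumes mmls reports
# 512-byte sectors and that the FS block (cluster) size was read from fsstat.
# Image names are placeholders.

# Constructed mmls output (not from a real disk) used for the demo below.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000571391   0000569344   NTFS / exFAT (0x07)
003:  000:001   0000571392   0004194303   0003622912   Linux (0x83)'

# Byte offset from a "grep -abo" line such as "1632788547:cyberbullying".
grep_hit_offset() { printf '%s\n' "$1" | cut -d: -f1; }

# File-system block that holds the hit. Integer division truncates, exactly
# like the "echo ... | bc" one-liners in the cards.
#   $1 = hit byte offset in image, $2 = partition start sector,
#   $3 = sector size, $4 = FS block size
hit_to_block() { echo $(( ($1 - $2 * $3) / $4 )); }

# Byte offset of the hit inside that block: where to look after blkcat | xxd.
hit_in_block() { echo $(( ($1 - $2 * $3) % $4 )); }

# A hit found in a blkls extract is numbered in blkls output units; this is
# the value for "blkcalc -u" to map back to the original file-system block.
#   $1 = hit byte offset in the blkls output, $2 = FS block size
blkls_hit_to_unit() { echo $(( $1 / $2 )); }

# Read mmls output on stdin; print "start end description" for the entry whose
# sector range contains the hit (Meta rows skipped). Prints nothing when the
# hit lies past every entry.   $1 = hit byte offset, $2 = sector size
find_partition() {
    awk -v hit="$1" -v ss="$2" '
        /^[0-9]+:/ && $2 != "Meta" {
            start = $3 + 0; end = $4 + 0
            if (hit >= start * ss && hit < (end + 1) * ss) {
                desc = $6; for (i = 7; i <= NF; i++) desc = desc " " $i
                print start, end, desc; exit
            }
        }'
}

# Tie it together: print the TSK commands the walkthroughs run next.
#   $1 = grep -abo line, $2 = FS block size, $3 = image file; mmls output on stdin
next_steps() {
    hit=$(grep_hit_offset "$1")
    part=$(find_partition "$hit" 512)
    if [ -z "$part" ]; then
        echo "hit at byte $hit is outside every partition listed by mmls" >&2
        return 1
    fi
    start=${part%% *}
    blk=$(hit_to_block "$hit" "$start" 512 "$2")
    echo "# hit at byte $hit -> partition [$part], block $blk, $(hit_in_block "$hit" "$start" 512 "$2") bytes into the block"
    echo "blkstat -o $start $3 $blk            # allocated or not?"
    echo "ifind -o $start -d $blk $3           # inode/MFT entry owning the block (finds nothing for ext4 deleted files)"
    echo "blkcat -o $start $3 $blk > blk.$blk  # fall back to exporting the block itself"
}

# Demo on the constructed listing with the ext4 card's hit offset.
printf '%s\n' "$SAMPLE_MMLS" | next_steps "1632788547:cyberbullying" 4096 image.dd
```

For a hit in image.blkls rather than in the raw image, use blkls_hit_to_unit and feed the result to blkcalc -u (with the same -o) before running ifind; the partition lookup is not needed because blkls output already belongs to one file system.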