Description: Guide on using various open-source tools for disk and data analysis. The SleuthKit is used in this guide.
Examining a forensic image
Open Source for forensic investigation: usage guide
By Chris Harrington
Requirements
Windows, Linux or Mac OS
The SleuthKit (TSK)
A forensic capture of the suspect's hard drive or portable media (from dd, FTK, EnCase, etc.)
Extra: Perl, for running the mactimes.pl script

Note for the Windows version
Add the tools directory to the system PATH variable so the tools can be run freely from the DOS command prompt.
Example: c:\sleuthkit\bin; (don't forget to add the ';' at the end of the path)
Examining a forensic image
In this example, the image was taken from an SD card. The mmls command reads the partition layout of the disk.
Command: mmls <path/image>
Example: mmls d:\suspectX.001
Key information (from the mmls output)
The description "Win95 FAT32 (0x0b)": 0x0b is the partition type identifier.
The start sector where the partition starts: Start: 8192. This sector offset is what the following tools take as <start sector> with -o.
Partition in detail
fsstat provides more detailed information about the file system: size, layout, label, etc.
Command: fsstat -o <start sector> <image>
Listing files
List all files, including hidden and deleted ones. Check the other parameters for ways to filter the results.
Command: fls -r -o <start sector> <image>
Note: -r: recurse into all directories
Understanding the listing
Figure: simple output of fls, read as follows:
r/r - regular file
d/d - directory
#'s - inode number (where the file is located)
* - deleted file/folder
Extracting a file - icat
icat is used to extract a file from the image.
Example: extracting screenshot.png. First document the inode of the file from the fls listing.
Command: icat -o <start sector> <image> <inode> > <filename to save as>
In this example screenshot.png is extracted to C:\.
Recovering a deleted file
Files marked with '*' in the fls listing are deleted.
Command: icat -r -o <start sector> <image> <inode> > <filename to save as>
Note: -r: recover a deleted file
Metadata retrieval
ils is used to retrieve the metadata associated with a particular file (inode).
The output is in a delimited format and can be processed further (e.g. to create timelines).
Command: ils -a -o <start sector> <image> <inode>
Note: -a is for allocated inodes; -A is for the inodes of deleted (unallocated) files
Reading metadata
ils output header and one record:
st_ino | st_alloc | st_uid | st_gid | st_mtime | st_atime | st_ctime | st_crtime | st_mode | st_nlink | st_size
1996807 | a | 0 | 0 | 1407338044 | 1408658400 | 0 | 1408731725 | 777 | 1 | 19658

Field by field:
st_ino - inode number
st_alloc - allocation status: "a" for an allocated inode, "f" for a free inode
st_uid - owner user ID
st_gid - owner group ID
st_mtime - UNIX time (seconds) of last file modification
st_atime - UNIX time (seconds) of last file access
st_ctime - UNIX time (seconds) of last inode status change
st_crtime - UNIX creation time
st_mode - file type and permissions in octal
st_nlink - number of hard links
st_size - size
Parsing metadata
Use fls to create a mactime file of the deleted files found on the image.
Command: fls -m / -d -o <start sector> <image> > output.fls
-m <mount point>: output in mactime (body) format, with each path prefixed by the given mount point (here "/")
-d: show deleted files only
Parsing using mactimes.pl
The mactimes.pl script is in the SleuthKit application directory (/bin).
Command: perl mactimes.pl -b <location of the mactime file, e.g. output.fls>
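As an added example (not part of the original guide), a small Python script that does the "further processing" the guide mentions for ils output: it parses the header and record shown above, decodes the annotated fields, and builds a mactime-style M/A/C/B timeline from the four timestamps. The sample text is copied from the slide; the MACB letter convention follows mactime and is the only assumption.

```python
from datetime import datetime, timezone

# Constructed sample: the ils header row and the one record shown in the guide.
ILS_SAMPLE = """\
st_ino | st_alloc | st_uid | st_gid | st_mtime | st_atime | st_ctime | st_crtime | st_mode | st_nlink | st_size
1996807 | a | 0 | 0 | 1407338044 | 1408658400 | 0 | 1408731725 | 777 | 1 | 19658
"""

# ils timestamp column -> mactime letter: M modified, A accessed, C inode change, B born
TIME_COLUMNS = {"st_mtime": "M", "st_atime": "A", "st_ctime": "C", "st_crtime": "B"}


def parse_ils(text):
    """Return one dict per record, keyed by the names in the ils header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    records = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == len(header):  # skip malformed rows instead of misaligning columns
            records.append(dict(zip(header, fields)))
    return records


def describe(record):
    """Decode the fields the guide annotates: allocation flag, octal mode, size, links."""
    return {
        "inode": int(record["st_ino"]),
        "allocated": record["st_alloc"] == "a",  # "f" = free, i.e. a deleted file's inode
        "mode": int(record["st_mode"], 8),       # file type + permissions, given in octal
        "size": int(record["st_size"]),
        "links": int(record["st_nlink"]),
    }


def timeline(records):
    """Sorted (UTC time, MACB flags, inode) rows, the way mactime presents a body file.
    A zero timestamp means the field is unset (FAT stores no ctime) and is dropped."""
    by_time = {}
    for rec in records:
        for col, letter in TIME_COLUMNS.items():
            ts = int(rec[col])
            if ts:
                key = (ts, rec["st_ino"])
                by_time[key] = by_time.get(key, "") + letter
    rows = []
    for (ts, ino), letters in sorted(by_time.items()):
        flags = "".join(c if c in letters else "." for c in "MACB")
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, flags, ino))
    return rows
```

Real ils output separates fields with a bare "|"; the parser strips whitespace so it accepts both that and the spaced form on the slide.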
Notes
The SleuthKit contains more tools.
Check each tool's parameters for more functionality.
Scripting possibilities.
Remember hashing.
Timelines.
Saving costs.