Tuesday, May 18, 2010

Quick Hands on with TSK (The Sleuth Kit)

The Sleuth Kit can be characterized as a suite of command line tools that aid in disk image analysis and recovery. It is a free unix package and can be obtained from www.sleuthkit.org. This tool is more in the category of forensics and can aid in uncovering many files and clues etc. Remember, Like any tool, to get the most out of it is dependent on the knowledge and experience of the user to the tool itself.

I wont speak anymore onthe sleuthkit, but rather dive into some of its tools and commands. You can read up more on the suite at www.sleuthkit.org. There is also a nice Web front end to this suite called Autopsy that i may blog about later.

The following examples presumes you already have a disk image, in my case, ill beusing "disk.img". For more options for each program you can type "man program_name" for its man page or "program_name -h" for a brief help page on the program's options

# fsstat disk.img //Displays details of the filesystem contained in the disk image 'disk.img'

fsstat can give you info such as :
  • the filesytem type (fat16/32, ntfs etc.)
  • Number of reserverd sectors
  • Sectors contained withing each fat table and their offset (in sectors)
  • Root directory offset (in sectors)
  • Sector and cluster sizes
# fls disk.img // Lists the files and directory names in disk.img. By default, it will display the file names of recently deleted files as well.

# fls -d disk.img //lists ONLY the recently deleted file entries

The fls program will give you the repective inode numbers for each directory/file entry.

# ils -e disk.img // will list the inode information for every inode. If you remove the '-e' option, by default the program will list inode information for only removed/deleted files. The output information is not human friendly but it can be piped to the mactime program for better analysis

# icat disk.img 5 // copies the data occupied by inode 5 in disk.img. You can use the output of the fls program to obtain these inode number to choose from.

# icat -r disk.img 5 // the '-r' option allows for file recovery techniques to recover the file pointed to by inode 5. This option is only useful with deleted inode entries.

# istat disk.img 5 // Displays the details of the meta-data for inode 5. Details include file size, name, Written, accessed and created time, starting sector and sectors that the inode entry (5) occupies

# ifind -n "test.jpg" disk.img // searches for test.jpg then if found, returns the respective inode number

# ifind -d 536 disk.img // finds the relative inode number given the respective sector num (536 in this case)

# dls disk.img // By default dls copies the data from unallocated blocks only. Add the '-e' option and dls would copy every block, with the output being similar to the dd program

# dcat disk.img 12 //will display the contenst of sector #12

# sigfind 424d disk.img //searches for the magic bytes '424d'(typical for BMP files) throughout the disk image disk.img and return the sector offsets of the hits.

# sigfind -l 4d42 disk.img
// This command will parse throught the entire disk image looking for the magic bytes of "424d" and return the sector offset of the result. The '-l' options means takes the magic bytes to search for in little indian format and must therefore be reversed, hence in our example, -l 4d42.

One common task of a forensic examiner is to perform keyword searches throughout a disk image. You can use the strings command to create an index of all the string characters found withing the image.

# strings -t d disk.img > index.lst // The '-t d' option displays the offset in decimal in which strings can be located or referenced to. You can then use the grep program to parse the strings.lst file for text.

# grep -f kewords.txt index.lst //keywords.txt can be a simple file with keywords like "pass", "password", "confidential", "Credit card", "username", "login", etc. with each word being on a line by itself.

To get information regarding file activity you can issue the following command

# fls -m "/" disk.img | mactime -b // The output of this command will create an ASCII time line of file activity

The above can also be accomplished with:
# ils -m -e disk.img | mactime -b

Resources/Good Reading:

No comments:

Post a Comment