I won't say more about The Sleuth Kit itself, but rather dive into some of its tools and commands. You can read more about the suite at www.sleuthkit.org. There is also a nice web front end to this suite called Autopsy that I may blog about later.
The following examples presume you already have a disk image; in my case I'll be using "disk.img". The commands below expect an image of a single file system: if your image covers a whole disk, run "mmls disk.img" first to find the starting sector of the partition you want and pass it to each tool with "-o <sector>". For more options for each program you can type "man program_name" for its man page or "program_name -h" for a brief summary of the program's options.
# fsstat disk.img // Displays details of the file system contained in the disk image 'disk.img'
fsstat can give you info such as:
- the file system type (FAT16/32, NTFS, etc.)
- number of reserved sectors
- the sectors occupied by each FAT and their offsets (in sectors)
- root directory offset (in sectors)
- sector and cluster sizes
# fls -d disk.img // lists ONLY the deleted file entries. Without '-r' fls only lists the root directory, so add '-r' to recurse into subdirectories.
The fls program will give you the respective inode numbers for each directory/file entry. (FAT and NTFS have no inodes as such; TSK assigns each directory entry or MFT entry a metadata address and calls it an inode throughout its tools.)
# ils -e disk.img // lists the inode information for every inode. If you remove the '-e' option, by default the program lists inode information for only removed/deleted inodes. The output is not human friendly, but it can be piped to the mactime program for better analysis.
# icat disk.img 5 // copies the data occupied by inode 5 in disk.img to stdout, so redirect it to a file. You can use the output of the fls program to obtain the inode numbers to choose from.
# icat -r disk.img 5 // the '-r' option applies file recovery techniques to recover the file pointed to by inode 5. This option is only useful with deleted inode entries, and it is best effort: on FAT the cluster chain of a deleted file is gone, so the recovery assumes the clusters were contiguous and can return wrong data for a file that was fragmented or partially overwritten.
# istat disk.img 5 // Displays the meta-data for inode 5. Details include file size, name, written, accessed and created times, starting sector, and the sectors that inode entry 5 occupies.
# ifind -n "test.jpg" disk.img // searches for an entry named test.jpg and, if found, returns the respective inode number
# ifind -d 536 disk.img // finds the inode that has allocated a given data unit (sector 536 in this case). This is how you get from a sigfind or strings hit back to a file.
# dls disk.img // By default dls copies the data from unallocated blocks only, which is the input you want for carving. Add the '-e' option and dls copies every block, with the output being similar to the dd program. (In Sleuth Kit 3.x and later dls was renamed blkls, and dcat below was renamed blkcat.)
# dcat disk.img 12 // displays the contents of data unit #12. The data unit is the file system's block (a cluster on most file systems; for FAT images TSK addresses by sector), so check fsstat for its size.
# sigfind 424d disk.img // searches for the magic bytes '424d' (the "BM" header of BMP files) throughout the disk image disk.img and returns the block offsets of the hits. Note that sigfind only checks the signature at the start of each 512-byte block by default; use '-b' to change the block size and '-o' to check at a different offset within the block.
# sigfind -l 4d42 disk.img // This command parses the entire disk image looking for the same magic bytes, "424d", and returns the block offset of each hit. The '-l' option means the value is given in little-endian format, so the bytes are reversed before matching, hence in our example, -l 4d42.
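The two sigfind behaviours worth remembering, the block-boundary default and the '-l' byte reversal, are easy to get wrong, so here is a small re-implementation of the scan over a constructed in-memory image. This is an added example, not code from the original post or from The Sleuth Kit's own source; the function and image layout are mine, and the 8-block image with a BMP header placed once on a block boundary and once mid-block is made up for the demonstration.

```python
"""Added example (not from the original post or from The Sleuth Kit): a
minimal re-implementation of what `sigfind` does.

1) By default sigfind only tests the signature at the *start* of each
   512-byte block (the -b block size and -o offset-in-block options change
   that), so a header that does not sit on a block boundary is missed.
2) With -l the hex value is treated as little-endian, i.e. its bytes are
   reversed before matching, so "-l 4d42" and "424d" look for the same bytes.
The disk image below is constructed in memory for the example."""

import struct
from typing import List

BLOCK_SIZE = 512  # sigfind's default block size


def signature_bytes(hex_sig: str, little_endian: bool = False) -> bytes:
    """Turn the hex string given on the command line into the byte pattern
    to search for.  Without -l, '424d' matches the bytes 42 4d ('BM') as
    written; with -l the value is read as little-endian, so '4d42' also
    becomes 42 4d."""
    sig = bytes.fromhex(hex_sig)
    return sig[::-1] if little_endian else sig


def sigfind(image: bytes, hex_sig: str, little_endian: bool = False,
            block_size: int = BLOCK_SIZE, offset: int = 0) -> List[int]:
    """Return the block numbers whose bytes at `offset` match the signature,
    the way sigfind reports hits (block address, not byte offset)."""
    sig = signature_bytes(hex_sig, little_endian)
    hits = []
    for blk in range(len(image) // block_size):
        start = blk * block_size + offset
        if image[start:start + len(sig)] == sig:
            hits.append(blk)
    return hits


def build_test_image() -> bytes:
    """Constructed 8-block image: a BMP header at the start of block 3 and a
    second one buried 100 bytes into block 5 (which default sigfind misses)."""
    img = bytearray(8 * BLOCK_SIZE)
    bmp = b"BM" + struct.pack("<I", 1024)  # 'BM' magic + little-endian file size
    img[3 * BLOCK_SIZE:3 * BLOCK_SIZE + len(bmp)] = bmp
    mid = 5 * BLOCK_SIZE + 100
    img[mid:mid + len(bmp)] = bmp
    return bytes(img)


if __name__ == "__main__":
    img = build_test_image()
    print("sigfind 424d     ->", sigfind(img, "424d"))                       # [3]
    print("sigfind -l 4d42  ->", sigfind(img, "4d42", little_endian=True))  # [3]
    print("sigfind 4d42     ->", sigfind(img, "4d42"))                       # []
    print("sigfind -o 100   ->", sigfind(img, "424d", offset=100))           # [5]
```

The third call shows the mistake the '-l' option exists to avoid: typing the bytes in little-endian order without '-l' searches for "MB" and finds nothing. The last call shows why a carving run should not stop at the default scan: the second header is only found when the in-block offset is supplied.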
One common task of a forensic examiner is to perform keyword searches throughout a disk image. You can use the strings command to create an index of all the printable strings found within the image.
# strings -t d disk.img > index.lst // The '-t d' option prints the decimal byte offset at which each string is located, so a hit can be traced back to a sector (offset divided by the sector size) and from there to a file with ifind. You can then use the grep program to search index.lst for text. On NTFS and other Windows images also run "strings -e l -t d disk.img" to pick up UTF-16 little-endian text, which the default pass misses.
# grep -i -f keywords.txt index.lst // keywords.txt can be a simple file with keywords like "pass", "password", "confidential", "credit card", "username", "login", etc., with each word on a line by itself. '-i' makes the match case-insensitive.
To get information regarding file activity you can issue the following command:
# fls -m "/" -r disk.img | mactime -b // The output of this command will create an ASCII timeline of file activity. '-m "/"' tells fls to print the body format mactime reads, with "/" as the mount point prefix for each path; '-r' is needed so that files in subdirectories are included.
The above can also be accomplished with:
# ils -m -e disk.img | mactime -b // this works from the inodes rather than the directory entries, so it also covers deleted entries whose names are gone, but the timeline shows the inode address in place of a file name for those.
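To see what the mactime step of both pipelines above actually does, here is a small re-implementation in Python that turns body-format records into a timeline. It is an added example and not code from the original post or from The Sleuth Kit; the three body records are constructed to look like "fls -m / -r disk.img" output (the "(deleted)" suffix is what fls appends to deleted names), the timestamps are arbitrary, and the column layout mirrors mactime's without being byte-identical.

```python
"""Added example, not code from the original post or from The Sleuth Kit: a
small re-implementation of the mactime step.  `fls -m` and `ils -m` emit the
TSK "body" format, one pipe-separated record per file or inode:

    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

mactime turns every record into up to four timeline entries, one per
timestamp, and marks each with which of the four times it represents (the
MACB column: m=modified, a=accessed, c=metadata changed, b=born/created).
Timestamps of the same record that are equal collapse into one line with the
flags combined, which is why a freshly copied file shows up as 'macb'.
Times are rendered in UTC here; real mactime uses the local zone unless -z
is given."""

from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed body records, shaped like `fls -m / -r disk.img` output.
BODY = """\
0|/test.jpg|5|r/rrwxrwxrwx|0|0|40960|1356998400|1356998400|1356998400|1356998400
0|/docs/notes.txt|7|r/rrwxrwxrwx|0|0|2048|1357084800|1356998400|1356998400|1356998400
0|/docs/notes.txt~ (deleted)|9|-/rrwxrwxrwx|0|0|2048|1357084860|1357084860|1357084860|1356998400
"""

FLAG_ORDER = "macb"  # column order mactime prints


def parse_body(text: str) -> List[dict]:
    """Split body records into dicts; blank or malformed rows are skipped."""
    recs = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 11:
            continue
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = parts
        recs.append({
            "name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid,
            "size": int(size),
            "times": {"a": int(atime), "m": int(mtime),
                      "c": int(ctime), "b": int(crtime)},
        })
    return recs


def build_timeline(recs: List[dict]) -> List[Tuple[int, str, dict]]:
    """Group each record's four timestamps by value and return
    (epoch, macb_flags, record) sorted by time.  A timestamp of 0 means
    'not recorded' and is dropped, as mactime does."""
    grouped: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    for idx, rec in enumerate(recs):
        for flag, ts in rec["times"].items():
            if ts:
                grouped[(ts, idx)].add(flag)
    timeline = []
    for ts, idx in sorted(grouped):  # by time, then by record order
        flags = "".join(f if f in grouped[(ts, idx)] else "." for f in FLAG_ORDER)
        timeline.append((ts, flags, recs[idx]))
    return timeline


def render(timeline: List[Tuple[int, str, dict]]) -> List[str]:
    """Format like mactime: date, size, MACB, mode, uid, gid, inode, name."""
    lines = []
    for ts, flags, rec in timeline:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        lines.append(f"{when} {rec['size']:>8} {flags} {rec['mode']} {rec['uid']:>4} "
                     f"{rec['gid']:>4} {rec['inode']:>6} {rec['name']}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_timeline(parse_body(BODY)))))
```

Reading the output the way an examiner would: notes.txt shows 'm.cb' at its creation time and a lone '.a..' a day later (it was read but not changed), while the deleted backup copy shows 'mac.' at the moment it was last written and '...b' back at the original creation time, which is the pattern of a file that was edited and then removed.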