Examining forensics image

Open Source for forensics investigationUsage guide

By Chris Harrington

Windows, Linux OS or Mac The SleuthKit (TSK) Forensic capture from suspects hard drive

or portable media (from dd, FTK, encase, etc…)

Extra◦ Perl

For running mactimes.pl script

Requirements

Add a system PATH variable to use the tools freely in dos

Example: c:\sleuthkit\bin; Don’t forget to add the ‘;’ at the end of the path

Note for Windows version

In this example, the image was taken from a SD Card.◦ mmls command will read the layout of the disk◦ Command: mmls d:\suspectX.001

mmls <path/image>

Examining forensics image

The Description Win95 FAT32 (0x0b)◦ 0x0b is the partition identifier

The start sector where the partition starts◦ Start: 8192

Key information

fsstat will provide more detailed information size, layout, label etc…

Command: fstat –o <start sector> <image>

Partition in detail

List all files including hidden and deleted◦ Check other interesting parameters to filter

results Command:

fls –r –o <start sector> <image>Note: -r : Recurse on all directories

Listing files

r/r – Regular file d/d – Directory #’s – inode (where the file is located) * - Deleted file/folder

Understanding the listing

Simple output of fls

Understanding the listing

Regular file

Directory

Deleted file/folder

Inode where file is located

icat will be used to extract a file from the image

Example: extracting screenshot.png◦ Document the inode

Extracting data

Command: icat –o <start sector> <image> <inode> > <filename to save

as>

screenshot.png is extracted to C:\ in this example

Extracting a file – icat

Files marked with ‘*’

Command:icat -r –o <start sector> <image> <inode> > <filename to save as>◦ -r : Recover deleted file

Recovering deleted file

ils is used to retrieve metadata associated to a particular file

Output is in a delimited format and can be further processed (i.e. creating timelines)

Command: ils –a –o <start sector> <image> <inode>

Note: -a is for allocated inodes -A is for deleted files inodes

Metadata retrieval

st_ino | st_alloc | st_uid | st_gid | st_mtime | st_atime | st_ctime | st_crtime | st_mode | st_nlink | st_ size

1996807 | a | 0 | 0 | 1407338044 | 1408658400 | 0 | 1408731725 | 777 | 1 | 19658

Reading metadata

Allocation status – “a” for allocated inode and “f” for free inode

Owner user ID

Owner group ID

UNIX time (seconds) of last file modification

UNIX time (seconds) of last file access

UNIX time (seconds) of last inode status change

inode number

UNIX Creation time

File type and permission in octal

Size

Number of hard links

Fls output header

Using fls to create mactimes file of deleted files found on image

Command:Fls –m –d –o <start sector> <image> > output.fls

-m: output to mactimes format

-d: show deleted files only

Parsing metadata

In sleuthkit application directory (/bin) is where mactimes.pl script is

Command:perl mactimes.pl –b <location of

mactimes.fls>

Parsing using mactimes.pl

The SleuthKit contains more tools Check each tools parameters for more

functionality Scripting possibilities Remember hashing Timelines Saving costs

Notes

My contact details

C.k.harrington@gmail.com

Questions?