Scribd Logo
Upload

Welcome to Scribd!

  • The Sleuth Kit: Brian Carrier Set of Tools To Analyze Device Images

    Uploaded by

    Syeda Ashifa Ashrafi Papia
    108 views37 pages
    TSK

    Original Title

    TSK

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    TSK

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    108 views37 pages

    The Sleuth Kit: Brian Carrier Set of Tools To Analyze Device Images

    Uploaded by

    Syeda Ashifa Ashrafi Papia
    TSK

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 37

    The Sleuth Kit

    Brian Carrier
    Set of tools to analyze device images

    Free & Open Source

    http://Sleuthkit.org

    http://wiki.sleuthkit.org

    Image File Tools


    Image File Tools
    This layer contains tools for the image file format. For example, if the image format is a
    split image or a compressed image.
    img_stat: tool will show the details of the image format
    img_cat: This tool will show the raw contents of an image file.

    Disk Tools
    Disk Tools
    These tools can be used to detect and remove a Host Protected Area (HPA) in an ATA
    disk. A HPA could be used to hide data so that it would not be copied during an
    acquisition. These tools are currently Linux-only.
    disk_sreset: This tool will temporarily remove a HPA if one exists. After the disk is reset,
    the HPA will return.
    disk_stat: This tool will show if an HPA exists.

    Volume System Tools


    Volume System Tools
    These tools take a disk (or other media) image as input and analyze its partition
    structures. Examples include DOS partitions, BSD disk labels, and the Sun Volume Table
    of Contents (VTOC). These can be used find hidden data between partitions and to
    identify the file system offset for The Sleuth Kit tools. The media management tools
    support DOS partitions, BSD disk labels, Sun VTOC, and Mac partitions.
    mmls: Displays the layout of a disk, including the unallocated spaces.
    mmstat: Display details about a volume system (typically only the type).
    mmcat: Extracts the contents of a specific volume to STDOUT.

    File System Tools


    File System Layer Tools
    These file system tools process general file system data, such as the layout, allocation
    structures, and boot blocks
    fsstat: Shows file system details and statistics including layout, sizes, and labels.

    File Name Layer Tools


    File Name Layer Tools
    These file system tools process the file name structures, which are typically located in the
    parent directory.
    ffind: Finds allocated and unallocated file names that point to a given meta data structure.
    fls: Lists allocated and deleted file names in a directory.

    Meta Data Layer Tools


    Meta Data Layer Tools
    These file system tools process the meta data structures, which store the details about a
    file. Examples of this structure include directory entries in FAT, MFT entries in NTFS, and
    inodes in ExtX and UFS.
    icat: Extracts the data units of a file, which is specified by its meta data address (instead
    of the file name).
    ifind: Finds the meta data structure that has a given file name pointing to it or the meta
    data structure that points to a given data unit.
    ils: Lists the meta data structures and their contents in a pipe delimited format.
    istat: Displays the statistics and details about a given meta data structure in an easy to
    read format.

    Data Unit Layer Tools


    Data Unit Layer Tools
    These file system tools process the data units where file content is stored. Examples of
    this layer include clusters in FAT and NTFS and blocks and fragments in ExtX and UFS.
    blkcat: Extracts the contents of a given data unit.
    blkls: Lists the details about data units and can extract the unallocated space of the file
    system.
    blkstat: Displays the statistics about a given data unit in an easy to read format.
    blkcalc: Calculates where data in the unallocated space image (from blkls) exists in the
    original image. This is used when evidence is found in unallocated space.

    Image File Tools

    img_stat - displays details about the disk


    image

    img_stat
    Image Formats

    img_stat
    In Action
    IMAGE FILE INFORMATION
    -------------------------------------------Image Type: raw
    Size in bytes: 2000683008

    Media Management Tools

    mmls displays the layout of the disk

    Locates the various partitions

    Image Types

    Volume Types

    In Action

    Image type

    Sector size

    Partition tables

    Partition start, end, length, and type

    Shows unallocated space as separate entries

    Slot for multiple partition tables as in extended partitions

    This is the
    Partition
    Number

    sansforensics@SIFT-laptop:/cases/RED$ mmls red.001


    DOS Partition Table
    Offset Sector: 0
    Units are in 512-byte sectors
    01:
    02:
    03:
    04:

    Slot
    ----00:00
    00:01
    -----

    Start
    0000000000
    0000000062
    0001922000
    0003905504

    End
    0000000061
    0001921999
    0003905503
    0003907583

    Length
    0000000062
    0001921938
    0001983504
    0000002080

    Description
    Unallocated
    Win95 FAT32 (0x0C)
    NTFS (0x07)
    Unallocated

    Media Management Tools

    mmcat - extracts the contents of specific partition in


    an image

    Copies to a separate file

    Get offset, type, sector size etc. from mmls

    part_num: from column #1 in mmls

    In Action
    sansforensics@SIFT-laptop:/cases/REDD$ mmcat red.001 2 > fat.red

    In Action
    sansforensics@SIFT-laptop:/cases/REDD$ mmcat red.001 3 > ntfs.red

    Details of a File System


    fsstat fat.red

    Must

    be given an image of the partition.

    Extracted using

    For

    example: fat.red or ntfs.red

    However if you know the offset

    fsstat

    -o 62 red.001 works also

    fsstat FAT Part 1

    fsstat FAT Part 2

    fsstat NTFS Part 1

    fsstat NTFS Part 2

    fls File/Dir Listings

    List all directories and files in an image

    Inodes or MFT entries, etc.

    Full path

    List file types

    List MAC dtg's

    Lists deleted or undeleted files only

    fls - Usage

    fls in Action

    Get the correct offset


    to the correct partition.

    These are the FAT entries.

    fls in Action

    Get the correct offset


    to the correct partition.

    These are the MFT entries.

    istat Usage (FAT)

    Lists details of a metadata structure

    istat inode # (mft #, FAT entry)statistics

    File attributes

    File name

    Size

    MAC Times (FAT), (NTFS), both $SA, $FILE_NAME

    Sectors allocated, $DATA info

    istat in Action with FAT

    istat in Action with NTFS

    ffind - Owner of a data block

    Finds the name of the file or directory using a


    given inode, FAT entry, or MFT entry

    -a: all occurances

    -d: deleted entries only

    -u: undeleted entries only

    ffind in Action

    icat Display a File

    Output the contents of a file based on its inode


    number

    Usual calling parameters


    -r: recover deleted file
    -s: displays slack space at end of file

    icat in action

    icat in action

    icat in action
    Grabbing the MFT for analyseMFT

    You might also like