Session 08 - Graphic Image Location and Display

Requirements:

  • A Linux machine
  • Sleuthkit installed on the Linux machine
  • practical.floppy.dd (Grundy's Tutorial)

Preparing for the Task

Create an analysis directory, and a mount sub-directory, unless you've already done so. Here we'll make use of the -p flag to create any missing sub-directories. If you get an error, then it's likely that you've already created these directories, so don't follow this blindly, double-check!

$ mkdir -p ~/analysis/mount


In case you've already created the analysis directory, double-check that it is empty (excluding the mount sub-directory of course).

$ ls -lah ~/analysis


Mount the forensic image to the just created directory. You should already be acquainted with the flags ro,loop (note the lack of a space after the comma). If you do not remember what these mean then refer to the manual page for the mount command. Mounting normally requires root privileges, so prefix the command with sudo if you are not root. I'm assuming you've saved practical.floppy.dd directly in your home directory; if this is not the case, then you'll need to adapt the path accordingly.

$ mount -o ro,loop ~/practical.floppy.dd ~/analysis/mount

Start the Task

Use the find command to search for anything that is a file (-type f). What other types exist? Check it out in the manual page for find. You will also find some more useful flags in the manual page, some of which we will be using here.

$ find ~/analysis/mount/ -type f


The find command is very powerful. One of the wonderful things it can do is pass what it has found to other tools for further processing. This can be done a number of ways, but two of the most common ones are piping the paths find prints to xargs, which hands them to another program as arguments, and find's own -exec action, which runs a command on each result directly. The first one is used here: the found files are passed on to file for identification, with xargs as the helper.

$ find ~/analysis/mount/ -type f | xargs file


The output looks fine, but the pipeline has a weakness: a filename containing a space would be split by xargs into two separate arguments and file would be asked about two paths that do not exist. The fix is to separate the paths with null bytes instead of whitespace, which find's -print0 writes and xargs's --null reads. Check the manual pages for find and xargs respectively to see exactly what the added flags do.

$ find ~/analysis/mount/ -type f -print0 | xargs --null file


To refresh your memory, the magic file is used by the file command to identify files and determine their file type (i.e., JPEG, AVI, MP3, Word Document, etc.) from their content rather than from their name or extension. The magic file shipped with any newer Linux system has switched over to a compiled binary format that cannot be easily read using a normal text editor. However, file can still easily work with old-style text magic files, as you will see shortly.

You can also create your own magic file and add some information to each file type (e.g., "_image_") you want to identify to help you process your results further. Launch the nano (or vim) editor and create your own magic file using the content from the next step.

$ nano magic.short

or

$ vim magic.short (remember you can quit vim by pressing Esc then :q!)

Content of magic.short is as follows. Yes, you should be typing this in. The spaces are intentional and you should ensure that the file looks exactly as it is printed here.

0   string      \x89PNG     PNG _image_ data,
0   string      GIF8        GIF _image_ data
0   string      BM          PC bitmap data _image_
0   beshort     0xffd8      JPEG _image_ data

Now use that new magic file and pass it on to file using the -m flag. You will be using your custom magic file and because you have added an unambiguous string ("_image_") you can easily grep for the files that interest you. You will also be using awk to format the final output a bit. The command below assumes you created magic.short in your home directory; adjust the path after -m otherwise.

$ find ~/analysis/mount/ -type f -print0 | xargs --null file -m ~/magic.short | grep "_image_" | awk -F: '{print $1}'


The same as above, but this time you will format the final output using awk into something a bit more meaningful.

$ find ~/analysis/mount/ -type f -print0 | xargs --null file -m ~/magic.short | grep "_image_" | awk -F: '{print "This is an image:\t" $1}'


Here you will add some HTML code to your awk output which will have its placeholders ($1) dynamically filled by awk. At this step it should be rather obvious how this is useful.

$ find ~/analysis/mount/ -type f -print0 | xargs --null file -m ~/magic.short | grep "_image_" | awk -F: '{print "<p><a href=\""$1"\" target=dynamic>"$1"</a></p>"}' > ~/analysis/image_list.html
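The three steps above (identify by content, keep only the image lines, turn them into HTML) are easy to see as one script. The following is an added example, not part of the original session notes: it reproduces the same find | xargs | grep | awk pipeline but swaps file(1) for a small od(1)-based classifier that checks exactly the bytes the four magic.short lines match, so you can see what "0 beshort 0xffd8" or "0 string \x89PNG" actually test for. It runs on constructed sample files (including a name with a space, and a text file mis-named .jpg) rather than on practical.floppy.dd, and uses xargs -0, the portable spelling of --null.

```shell
#!/bin/sh
# Added example, not part of the original session notes. Re-implements the
# session's find | xargs | file | grep | awk pipeline with od(1) in place of
# file(1) so the magic.short entries can be seen as the raw bytes they match.

# Classifier body run by a child sh, so it works both on a single path and
# as the command xargs feeds many paths to. Each case mirrors one magic line:
#   0 string  \x89PNG  -> bytes 89 50 4e 47
#   0 string  GIF8     -> bytes 47 49 46 38
#   0 string  BM       -> bytes 42 4d
#   0 beshort 0xffd8   -> bytes ff d8 (a big-endian 16-bit value at offset 0)
CLASSIFY='
for f; do
    hex=$(od -An -tx1 -N4 "$f" | tr -d " \n")
    case "$hex" in
        89504e47*) printf "%s: PNG _image_ data\n" "$f" ;;
        47494638*) printf "%s: GIF _image_ data\n" "$f" ;;
        424d*)     printf "%s: PC bitmap data _image_\n" "$f" ;;
        ffd8*)     printf "%s: JPEG _image_ data\n" "$f" ;;
        *)         printf "%s: data\n" "$f" ;;
    esac
done'

# Identify one file; the output has the same "path: description" shape as file(1).
identify_image() {
    sh -c "$CLASSIFY" _ "$1"
}

# The session's pipeline, null-separated so paths with spaces survive.
# Replace `sh -c "$CLASSIFY" _` with `file -m ~/magic.short` to run it
# against the real magic file instead of this stand-in.
list_images_html() {
    find "$1" -type f -print0 \
      | xargs -0 sh -c "$CLASSIFY" _ \
      | grep "_image_" \
      | awk -F: '{print "<p><a href=\""$1"\" target=dynamic>"$1"</a></p>"}'
}

# Build a scratch directory of constructed sample files and print its path.
make_samples() {
    d=$(mktemp -d)
    printf '\377\330\377\340JFIF'       > "$d/photo one.jpg"   # JPEG SOI marker, name has a space
    printf '\211PNG\r\n\032\n'          > "$d/logo.png"        # PNG signature
    printf 'GIF89a'                     > "$d/anim.gif"        # GIF header
    printf 'BM'                         > "$d/pic.bmp"         # BMP header
    printf 'just text, not an image\n'  > "$d/notes.txt"
    printf 'just text, not an image\n'  > "$d/fake.jpg"        # extension lies; content wins
    printf '%s\n' "$d"
}

# Demo run: four image lines come out, nothing for notes.txt or fake.jpg.
demo_dir=$(make_samples)
list_images_html "$demo_dir"
rm -rf "$demo_dir"
```

Note that fake.jpg is not listed and "photo one.jpg" is, which is the whole point of identifying by content and of the null-separated pipeline. The awk -F: split has the same limitation as in the session: a path containing a colon would be cut short, which is rare on a FAT floppy but worth remembering on other file systems.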


Have a look at the newly created HTML file which was built using the above command. Depending on your distribution you might have access to either firefox or chromium-browser, or both, to view web pages. Therefore, substitute firefox for chromium-browser if necessary.

$ firefox ~/analysis/image_list.html


Unfortunately that is not a very user-friendly way of viewing images in a browser. Too much clicking involved. So, instead create a new HTML file that loads the previously generated list into one frame and shows whichever image you click in a second frame named dynamic (the target named in the links), which will make viewing a bit easier.

$ nano ~/analysis/image_view.html or use vim

<html>
    <frameset cols="40%,60%">
        <frame name="image_list" src="image_list.html">
        <frame name="dynamic" src="">
    </frameset>
</html>

Now view the file (run this from inside ~/analysis, or give the full path) and click on the images again. Neat, right?

$ firefox image_view.html


Don't forget to unmount the practical.floppy.dd once you're done!

$ umount ~/analysis/mount

And you're done!