Session 08 - Sleuthkit
Requirements:
- A Linux machine
- Sleuthkit installed on the Linux machine
- able2.dd, found in able2.tar.gz (from Grundy's tutorial)
Introduction
To complete this exercise you must first transfer able2.tar.gz to your forensic Virtual Machine (VM) or bare-metal machine and extract able2.dd from it.
Start the task
Remember to create a directory where you can do focused work, for example ~/analysis in your home directory.
Display the image attributes including the type of image and the format.
$ img_stat able2.dd
To see what this looks like on an image that has been split into chunks, split the image with the following command. Check the manual page for split to see what the flags -d (numeric suffixes) and -b (chunk size) do.
$ split -d -b 100m able2.dd able2.split.
Note: Yes, the dot at the end is intentionally there.
List the directory contents to check how many splits were created.
$ ls -lh able2.split.0*
Now re-check the image attributes, but this time on the split files.
$ img_stat able2.split.0*
We have seen that sfdisk can be used to determine partition offsets within an image. Sleuthkit has mmls for this. mmls reports the start and length of each partition in sectors (it prints the sector size it is using at the top of its output), and that start sector is exactly the value the -o option of the other Sleuthkit tools expects.
$ mmls -i raw -t dos able2.split.0*
The fsstat tool provides filesystem-specific information about a filesystem. The -o option gives the offset, in sectors, of the partition we are interested in, which we get from sfdisk or mmls (10260 here).
$ fsstat -o 10260 able2.dd
The fls command lists the filenames and directories contained in a filesystem (-F shows only file entries, not directories; -r descends into subdirectories; -d shows only deleted entries). Please see the manual page for fls for more information.
$ fls -o 10260 -Frd able2.dd
Note: Remember that the output of all of these commands can be appended to a report using the redirect operator (>>) to add it to a log file.
Inodes are used to store metadata. This includes the modified/accessed/changed (MAC) times and the list of all blocks allocated to a file. The following command will give you the metadata for an inode number listed by fls (2139 here).
$ istat -o 10260 able2.dd 2139
The istat tool supports a number of filesystems. You should be aware of which filesystems it can handle, so you will want to list them.
$ istat -f list
It is time now to recover a deleted file. Having the inode information at the ready, you can redirect the output of icat, working on the referenced inode, into a file. Check the fls and istat output first: if fls marked the entry with (realloc), the inode has been reused since the file was deleted, and what icat returns is the current owner's content, not necessarily the deleted file's.
$ icat -o 10260 able2.dd 2139 > lrkn.tgz.2139
What kind of file is this? Find out using the ever-useful file command.
$ file lrkn.tgz.2139
View the contents of the tarball archive.
$ tar -tvf lrkn.tgz.2139 | less
Instead of extracting the entire archive and then picking out the file that interests us (the README file in this case), we can also send the contents of that file in the archive to stdout (using the -O flag), which we then redirect into a separate file.
$ tar -xvOf lrkn.tgz.2139 lrk3/README > README.2139
View the README.
$ less README.2139
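The whole chain above (find the partition offset with mmls, list deleted entries with fls, pull each one out with icat, identify it with file) as a set of POSIX shell functions. This is an added example, not code from the original exercise, from Grundy's tutorial or from Sleuthkit. The mmls and fls samples inside it are constructed to illustrate the format the tools print and are not the real output for able2.dd; the function names, the output directory layout and the <name>.<inode> naming are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original exercise or of Sleuthkit): the
# mmls -> fls -> icat chain as reusable shell functions. The parsers work on
# the text the tools print, so they can be exercised on the constructed
# samples below without an image; recover_deleted() runs the real tools and
# needs Sleuthkit plus an image.

# Constructed mmls output for a DOS-labelled raw image (illustrative, not the
# real able2.dd partition table). mmls prints Start/End/Length in sectors.
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000010259   0000010197   Linux (0x83)
003:  000:001   0000010260   0000112454   0000102195   Linux (0x83)
004:  000:002   0000112455   0000178694   0000066240   Linux Swap / Solaris x86 (0x82)'

# Constructed fls -Frd output (built with printf so the tabs are real):
# "+" marks depth, "*" marks a deleted entry and "(realloc)" marks an inode
# that has since been reused by another file.
FLS_SAMPLE=$(printf 'r/r * 2139:\tlrkn.tgz\n+ r/r * 2140(realloc):\tnotes.txt\n++ r/r * 4081:\thome/user/.bash_history\nr/r 12:\tboot/vmlinuz\n')

# Start sector of the mmls row with the given index (e.g. 003). Reads mmls
# output on stdin; Start is the third whitespace-separated field on every row.
mmls_start_sector() {
    awk -v row="$1" '$1 == (row ":") { print $3 + 0; exit }'
}

# Sector size mmls is using, from its "Units are in N-byte sectors" line.
mmls_sector_size() {
    sed -n 's/^Units are in \([0-9][0-9]*\)-byte sectors$/\1/p'
}

# Byte offset of a partition, for tools that want bytes rather than sectors
# (e.g. mount -o loop,offset=N). Sleuthkit's -o option wants sectors.
sector_to_bytes() {
    echo $(( $1 * $2 ))
}

# Deleted, non-reallocated entries from fls output on stdin, as "inode<TAB>name".
# Reallocated inodes are skipped: their metadata now belongs to another file,
# so icat on them would not return the deleted file's content.
fls_deleted_inodes() {
    awk -F '\t' '
        match($1, /\* [0-9]+(\(realloc\))?:$/) == 0 { next }   # not a deleted entry
        {
            tok = substr($1, RSTART + 2)        # "2139:" or "2140(realloc):"
            if (tok ~ /realloc/) next
            sub(/:$/, "", tok)
            print tok "\t" $2
        }'
}

# Recover every deleted, non-reallocated file from the partition starting at
# sector $2 of image $1 into directory $3, naming each copy <name>.<inode> as
# the exercise does, and recording istat output, type and hash alongside.
# Needs Sleuthkit and the image; not exercised by the tests.
recover_deleted() {
    img=$1 off=$2 out=$3
    mkdir -p "$out"
    fls -o "$off" -Frd "$img" | fls_deleted_inodes |
    while IFS="$(printf '\t')" read -r ino name; do
        dst="$out/$(basename -- "$name").$ino"
        icat -o "$off" "$img" "$ino" > "$dst"
        istat -o "$off" "$img" "$ino" > "$dst.istat"
        file "$dst"
        sha256sum "$dst"
    done | tee -a "$out/recovery.log"
}

# Usage mirroring the exercise (pick the row index from the table mmls prints):
#   off=$(mmls -i raw -t dos able2.dd | mmls_start_sector 003)
#   recover_deleted able2.dd "$off" ~/analysis/recovered
```

The parsers are deliberately separate from the function that runs the tools, so the offset and inode extraction can be checked against saved tool output before anything is written to the case directory; the realloc filter is the part most worth keeping, since an icat of a reused inode silently returns the wrong file.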
And you're done!