Image File Tools - Southern Oregon University


The Sleuth Kit
Brian Carrier
Set of tools to analyze device images
Free & Open Source
● http://Sleuthkit.org
● http://wiki.sleuthkit.org
Image File Tools
This layer contains tools for the image file format itself, for example when the image is a
split image or a compressed image rather than a single raw file.
img_stat: shows the details of the image format (type, size, and the pieces of a split image).
img_cat: shows the raw contents of an image file, decompressing or joining as needed.
Disk Tools
These tools can be used to detect and remove a Host Protected Area (HPA) on an ATA
disk. An HPA could be used to hide data so that it would not be copied during an
acquisition. These tools are currently Linux-only.
disk_sreset: temporarily removes an HPA if one exists. The HPA returns after the disk is
reset (power-cycled), so the acquisition has to be made in the same power session.
disk_stat: shows whether an HPA exists.
Volume System Tools
These tools take a disk (or other media) image as input and analyze its partition
structures. Examples include DOS partitions, BSD disk labels, and the Sun Volume Table
of Contents (VTOC). They can be used to find hidden data between partitions and to
identify the file system offset needed by the file system tools of The Sleuth Kit. The media
management tools support DOS partitions, BSD disk labels, Sun VTOC, and Mac partitions.
mmls: Displays the layout of a disk, including the unallocated spaces.
mmstat: Displays details about a volume system (typically only the type).
mmcat: Extracts the contents of a specific volume to STDOUT.
File System Tools
File System Layer Tools
These file system tools process general file system data, such as the layout, allocation
structures, and boot blocks.
fsstat: Shows file system details and statistics including layout, sizes, and labels.
File Name Layer Tools
These file system tools process the file name structures, which are typically located in the
parent directory.
ffind: Finds allocated and unallocated file names that point to a given meta data structure.
fls: Lists allocated and deleted file names in a directory.
Meta Data Layer Tools
These file system tools process the meta data structures, which store the details about a
file. Examples of this structure include directory entries in FAT, MFT entries in NTFS, and
inodes in ExtX and UFS.
icat: Extracts the data units of a file, which is specified by its meta data address (instead
of the file name).
ifind: Finds the meta data structure that has a given file name pointing to it or the meta
data structure that points to a given data unit.
ils: Lists the meta data structures and their contents in a pipe delimited format.
istat: Displays the statistics and details about a given meta data structure in an easy to
read format.
Data Unit Layer Tools
These file system tools process the data units where file content is stored. Examples of
this layer include clusters in FAT and NTFS and blocks and fragments in ExtX and UFS.
blkcat: Extracts the contents of a given data unit.
blkls: Lists the details about data units and can extract the unallocated space of the file
system.
blkstat: Displays the statistics about a given data unit in an easy to read format.
blkcalc: Calculates where data in the unallocated space image (from blkls) exists in the
original image. This is used when evidence is found in unallocated space.
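The blkls/blkcalc relationship above is easy to get wrong in practice, because a byte offset found with grep or strings in the blkls output is not an address in the original file system. The following is an added example (not from the slides and not Sleuth Kit code) that models the two tools over a constructed eight-unit file system and allocation bitmap: blkls concatenates only the unallocated units, so unit N of its output is the N-th unallocated unit of the original, and blkcalc -u / -d convert between the two address spaces. The unit size, bitmap and the "EVIDENCE" string are all constructed.

```python
# Added example (not from the slides, not Sleuth Kit code): how blkls and
# blkcalc relate. blkls writes only the unallocated data units, back to back,
# so a hit at unit N of that output is the N-th unallocated unit of the file
# system; blkcalc -u reverses the mapping and blkcalc -d goes the other way.
# The 8-unit file system and its allocation bitmap are constructed inline.
UNIT = 16                     # data unit size in bytes (a cluster or block)

# True = allocated, as fsstat/blkstat would report. Units 1, 4, 5 and 7 are free.
BITMAP = [True, False, True, True, False, False, True, False]

def build_fs():
    """Constructed file system: each unit carries its number; unit 5 holds the evidence."""
    units = [f"unit-{i:02d}".encode().ljust(UNIT, b".") for i in range(len(BITMAP))]
    units[5] = b"EVIDENCE".ljust(UNIT, b".")
    return b"".join(units)

def unallocated_units(bitmap):
    """Original addresses of the unallocated units, in order."""
    return [i for i, allocated in enumerate(bitmap) if not allocated]

def blkls(image, bitmap):
    """`blkls image > unalloc.dd`: concatenate the unallocated units only."""
    return b"".join(image[i * UNIT:(i + 1) * UNIT] for i in unallocated_units(bitmap))

def blkcalc_u(bitmap, unalloc_addr):
    """`blkcalc -u N`: unit N of the blkls output -> unit in the original image."""
    return unallocated_units(bitmap)[unalloc_addr]

def blkcalc_d(bitmap, orig_addr):
    """`blkcalc -d N`: original unit -> unit in the blkls output (None if allocated)."""
    free = unallocated_units(bitmap)
    return free.index(orig_addr) if orig_addr in free else None

def locate(image, bitmap, needle):
    """Search the unallocated image (as with grep/strings), then map the hit back."""
    unalloc = blkls(image, bitmap)
    off = unalloc.find(needle)
    if off < 0:
        return None
    unalloc_unit = off // UNIT
    return {"unalloc_offset": off, "unalloc_unit": unalloc_unit,
            "orig_unit": blkcalc_u(bitmap, unalloc_unit)}

if __name__ == "__main__":
    fs = build_fs()
    hit = locate(fs, BITMAP, b"EVIDENCE")
    print(hit)          # unit 2 of the blkls output is unit 5 of the file system
    u = hit["orig_unit"]
    print("blkcat-style view of the original unit:", fs[u * UNIT:(u + 1) * UNIT])
```

The point to carry over to real cases: divide the byte offset of the hit by the data unit size reported by fsstat to get the blkls unit number, then feed that number to blkcalc -u to get the address to pass to blkcat or ifind -d on the original image.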
Image File Tools
● img_stat - displays details about the disk image (image type and size)
img_stat in Action (image formats)
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw
Size in bytes: 2000683008
Media Management Tools
● mmls – displays the layout of the disk
  – Locates the various partitions
● Image types
● Volume types
mmls in Action
● Image type
● Sector size
● Partition tables
● Partition start, end, length, and type
● Shows unallocated space as separate entries
● Slot for multiple partition tables as in extended partitions
(The first column of the output is the partition number.)

sansforensics@SIFT-laptop:/cases/RED$ mmls red.001
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
01:  -----   0000000000   0000000061   0000000062   Unallocated
02:  00:00   0000000062   0001921999   0001921938   Win95 FAT32 (0x0C)
03:  00:01   0001922000   0003905503   0001983504   NTFS (0x07)
04:  -----   0003905504   0003907583   0000002080   Unallocated
Media Management Tools
● mmcat - extracts the contents of a specific partition in an image
  – Copies to a separate file (redirect STDOUT)
  – Get offset, type, sector size etc. from mmls
  – part_num: from column #1 in mmls
mmcat in Action
sansforensics@SIFT-laptop:/cases/REDD$ mmcat red.001 2 > fat.red
sansforensics@SIFT-laptop:/cases/REDD$ mmcat red.001 3 > ntfs.red
Details of a File System
● fsstat fat.red
  – Must be given an image of the partition, extracted using mmcat
  – For example: fat.red or ntfs.red
● However, if you know the offset, fsstat -o 62 red.001 works as well
  – -o takes the partition's start sector (the Start column of mmls; 62 is the FAT32
    partition above), so no extraction is needed
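What mmls, mmcat and fsstat -o do with the partition table is worth seeing once in code. The following is an added example, not from the slides and not Sleuth Kit code: it parses a DOS/MBR partition table, prints an mmls-style layout including the unallocated gaps, and carves a row out of the image the way mmcat does. The disk image is constructed inline and is a scaled-down version of the slide's layout (4096 sectors instead of 3907584, with a gap before, between and after two partitions); the OEM labels and the "HIDDEN!" marker planted between the partitions are constructed too. Rows are numbered from 01 to match the slide; real mmls numbering starts at 00 and includes a row for the partition table itself, so always take part_num from the actual mmls output.

```python
# Added example (not from the slides, not Sleuth Kit code): parse a DOS/MBR
# partition table the way mmls does, list unallocated gaps, and carve out a
# partition the way mmcat does. The disk image is constructed inline and is a
# scaled-down version of the layout on the mmls slide.
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446            # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"       # bytes 510-511 of sector 0
TYPE_NAMES = {0x07: "NTFS (0x07)", 0x0C: "Win95 FAT32 (0x0C)"}

TOTAL_SECTORS = 4096              # constructed: 2 MiB instead of the slide's 2 GB
PARTITIONS = [(0x0C, 62, 1900),   # (type, start LBA, length in sectors)
              (0x07, 2000, 2000)]

def build_image():
    """Construct a raw image: MBR in sector 0, labelled boot sectors, a marker in the gap."""
    image = bytearray(TOTAL_SECTORS * SECTOR)
    for i, (ptype, start, length) in enumerate(PARTITIONS):
        # status, CHS start (unused here), type, CHS end (unused), LBA start, LBA length
        struct.pack_into("<B3sB3sII", image, MBR_TABLE_OFFSET + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", start, length)
    image[510:512] = MBR_SIGNATURE
    image[62 * SECTOR + 3:62 * SECTOR + 11] = b"MSWIN4.1"      # FAT32 OEM name field
    image[2000 * SECTOR + 3:2000 * SECTOR + 11] = b"NTFS    "  # NTFS OEM ID field
    image[1962 * SECTOR:1962 * SECTOR + 7] = b"HIDDEN!"        # belongs to no file system
    return bytes(image)

def parse_mbr(image):
    """Return the non-empty MBR slots as dicts, sorted by start sector."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not a DOS partition table")
    parts = []
    for i in range(4):
        _status, ptype, start, length = struct.unpack_from(
            "<B3xB3xII", image, MBR_TABLE_OFFSET + 16 * i)
        if ptype != 0x00 and length != 0:
            parts.append({"slot": f"00:{i:02d}", "type": ptype,
                          "start": start, "length": length})
    return sorted(parts, key=lambda p: p["start"])

def layout(image, total_sectors):
    """mmls-style rows (slot, start, end, description), including the unallocated
    gaps before, between and after partitions. Those gaps are where data can be
    hidden outside any file system, which is why mmls reports them."""
    rows, cursor = [], 0
    for p in parse_mbr(image):
        if p["start"] > cursor:
            rows.append(("-----", cursor, p["start"] - 1, "Unallocated"))
        end = p["start"] + p["length"] - 1
        desc = TYPE_NAMES.get(p["type"], f"Unknown (0x{p['type']:02X})")
        rows.append((p["slot"], p["start"], end, desc))
        cursor = end + 1
    if cursor < total_sectors:
        rows.append(("-----", cursor, total_sectors - 1, "Unallocated"))
    return rows

def print_layout(rows):
    """Print in mmls format; rows are numbered from 01 to match the slide."""
    print("DOS Partition Table\nOffset Sector: 0\nUnits are in 512-byte sectors\n")
    print("     Slot    Start        End          Length       Description")
    for n, (slot, start, end, desc) in enumerate(rows, start=1):
        print(f"{n:02d}:  {slot}   {start:010d}   {end:010d}   {end - start + 1:010d}   {desc}")

def extract_volume(image, rows, part_num):
    """mmcat equivalent: the bytes of row `part_num` (1-based, as printed above)."""
    _slot, start, end, _desc = rows[part_num - 1]
    return image[start * SECTOR:(end + 1) * SECTOR]

if __name__ == "__main__":
    img = build_image()
    rows = layout(img, TOTAL_SECTORS)
    print_layout(rows)
    for n in (2, 4):
        vol = extract_volume(img, rows, n)
        print(f"row {n}: {len(vol)} bytes, OEM field {vol[3:11]!r}; "
              f"same file system via: fsstat -o {rows[n - 1][1]} image.dd")
    print("gap between the partitions starts with", extract_volume(img, rows, 3)[:7])
```

Extracting the unallocated rows (here row 3) is the same operation as extracting a partition, which is how data hidden between partitions is pulled out for a strings or hex review; the Start value of any row is the number to pass to fsstat -o, fls -o and icat -o.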
fsstat – FAT (Parts 1 and 2) and fsstat – NTFS (Parts 1 and 2): screenshot slides of the output.
fls – File/Dir Listings
● List all directories and files in an image
  – Inodes or MFT entries, etc. (the metadata address shown before each name)
  – Full path (-p), recursively (-r)
● List file types
● List MAC date-time groups (timestamps, -l for the long listing)
● List deleted (-d) or undeleted (-u) files only
fls - Usage (screenshot slide)
fls in Action (FAT): use the correct offset to the correct partition; the listing shows the FAT directory entries.
fls in Action (NTFS): use the correct offset to the correct partition; the listing shows the MFT entries.
istat – Usage (FAT)
● Lists details of a metadata structure
● istat – statistics for an inode # (MFT #, FAT directory entry #)
  – File attributes
  – File name
  – Size
  – MAC times: one set on FAT; two sets on NTFS, from $STANDARD_INFORMATION and
    $FILE_NAME (istat shows both; the $FILE_NAME times are the ones most timestamp-altering
    tools do not touch, so a mismatch between the two sets is worth a look)
  – Sectors allocated, $DATA info
istat in Action with FAT / with NTFS (screenshot slides)
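On FAT, the file name layer that fls walks and the metadata layer that istat reports are the same 32-byte directory entry, which is why a FAT "inode number" in The Sleuth Kit is really a directory entry address. The following is an added example, not from the slides and not Sleuth Kit code: it decodes FAT32 short (8.3) directory entries, lists allocated and deleted names the way fls does, and prints an istat-style summary with the decoded MAC times. The directory cluster, file names, timestamps and metadata addresses are constructed; showing the lost first character of a deleted name as "_" is this example's own convention.

```python
# Added example (not from the slides, not Sleuth Kit code): decode FAT32 short
# (8.3) directory entries. On FAT the file name layer (what fls lists) and the
# metadata layer (what istat shows) are the same 32-byte structure. The
# directory cluster is constructed inline; the metadata addresses are hypothetical.
import struct
from datetime import datetime

ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # one 32-byte directory entry
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F                            # long-file-name piece, not a real entry
DELETED = 0xE5                             # deletion overwrites only the first name byte

def fat_date(dt):
    """Year is 1980-based (7 bits), month 4 bits, day 5 bits."""
    return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day

def fat_time(dt):
    """Hours 5 bits, minutes 6 bits, seconds/2 5 bits (2-second resolution)."""
    return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)

def decode_datetime(date, time=0):
    """Reverse of the above; a zero date means the field was never set."""
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def make_entry(name, ext, attr, size, first_cluster, created, written, accessed, deleted=False):
    """Pack one short entry (constructed test data)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    return ENTRY.pack(raw, attr, 0, 0,
                      fat_time(created), fat_date(created), fat_date(accessed),
                      first_cluster >> 16, fat_time(written), fat_date(written),
                      first_cluster & 0xFFFF, size)

def sample_directory():
    """Constructed directory cluster: a live file, a deleted file, end-of-directory marker."""
    return (make_entry("REPORT", "TXT", 0x20, 1024, 3,
                       created=datetime(2013, 3, 5, 14, 30, 16),
                       written=datetime(2013, 3, 6, 9, 15, 0),
                       accessed=datetime(2013, 3, 7))
            + make_entry("SECRET", "DOC", 0x20, 40960, 5,
                         created=datetime(2013, 3, 1, 8, 0, 0),
                         written=datetime(2013, 3, 2, 17, 45, 30),
                         accessed=datetime(2013, 3, 4), deleted=True)
            + bytes(ENTRY.size))

def parse_directory(data, first_addr):
    """fls-style walk: one record per short entry, allocated and deleted alike.
    `first_addr` is the (hypothetical) metadata address of the first entry."""
    records = []
    for i in range(0, len(data) - ENTRY.size + 1, ENTRY.size):
        raw, attr, _nt, _tenths, ctime, cdate, adate, hi, wtime, wdate, lo, size = \
            ENTRY.unpack_from(data, i)
        if raw[0] == 0x00:
            break                                  # no entries follow
        if attr == ATTR_LFN:
            continue                               # keep to the 8.3 entry it belongs to
        deleted = raw[0] == DELETED
        base = raw[:8].decode("ascii", "replace").rstrip()
        ext = raw[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "_" + base[1:]                  # first character is gone; shown as '_' here
        records.append({
            "addr": first_addr + i // ENTRY.size,
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "size": size,
            "first_cluster": (hi << 16) | lo,      # still present after deletion: icat -r starts here
            "created": decode_datetime(cdate, ctime),
            "written": decode_datetime(wdate, wtime),
            "accessed": decode_datetime(adate),    # date only: FAT keeps no access time
        })
    return records

def istat_text(rec):
    """istat-style summary of one entry."""
    state = "Not Allocated" if rec["deleted"] else "Allocated"
    kind = "Directory" if rec["directory"] else "File"
    return (f"Directory Entry: {rec['addr']}\n{state}\nFile Attributes: {kind}\n"
            f"Size: {rec['size']}\nName: {rec['name']}\nWritten: {rec['written']}\n"
            f"Accessed: {rec['accessed']}\nCreated: {rec['created']}\n"
            f"First cluster: {rec['first_cluster']}")

if __name__ == "__main__":
    records = parse_directory(sample_directory(), first_addr=4)
    for rec in records:                                # fls-like listing, '*' marks deleted
        print(("* " if rec["deleted"] else "  ") + f"{rec['addr']}: {rec['name']}")
    print(istat_text(records[1]))
```

Two things the decoded records make visible: the deleted entry keeps its size and first cluster, which is what icat -r relies on, and the FAT access stamp is a date only, so an "access time" of midnight in a timeline is not evidence of activity at midnight.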
ffind - File name(s) for a metadata address
● Finds the name of the file or directory that uses a given inode, FAT entry, or MFT entry
  (to start from a data block instead, use ifind -d to get the metadata address first)
● -a: all occurrences
● -d: deleted entries only
● -u: undeleted entries only
ffind – in Action
icat – Display a File
● Output the contents of a file based on its inode number (metadata address)
● Usual calling parameters
  -r: recover deleted file (on FAT this follows the entry's first cluster and size and
      assumes the clusters were contiguous, so check the result)
  -s: display slack space at the end of the file
icat – in action (screenshot slides)
Grabbing the MFT for analyzeMFT: the $MFT is MFT entry 0, so icat with the NTFS partition's
-o offset and metadata address 0 writes the whole MFT to STDOUT for redirection to a file.