The Sleuth Kit

Brian Carrier

Set of tools to analyze device images

Free & Open Source

● http://Sleuthkit.org● http://wiki.sleuthkit.org

Image File ToolsImage File Tools

This layer contains tools for the image file format. For example, if the image format is a split image or a compressed image.

img_stat: tool will show the details of the image format

img_cat: This tool will show the raw contents of an image file.

Disk ToolsDisk Tools

These tools can be used to detect and remove a Host Protected Area (HPA) in an ATA disk. A HPA could be used to hide data so that it would not be copied during an acquisition. These tools are currently Linux-only.

disk_sreset: This tool will temporarily remove a HPA if one exists. After the disk is reset, the HPA will return.

disk_stat: This tool will show if an HPA exists.

Volume System ToolsVolume System Tools

These tools take a disk (or other media) image as input and analyze its partition structures. Examples include DOS partitions, BSD disk labels, and the Sun Volume Table of Contents (VTOC). These can be used find hidden data between partitions and to identify the file system offset for The Sleuth Kit tools. The media management tools support DOS partitions, BSD disk labels, Sun VTOC, and Mac partitions.

mmls: Displays the layout of a disk, including the unallocated spaces.

mmstat: Display details about a volume system (typically only the type).

mmcat: Extracts the contents of a specific volume to STDOUT.

File System ToolsFile System Layer Tools

These file system tools process general file system data, such as the layout, allocation structures, and boot blocks

fsstat: Shows file system details and statistics including layout, sizes, and labels.

File Name Layer ToolsFile Name Layer Tools

These file system tools process the file name structures, which are typically located in the parent directory.

ffind: Finds allocated and unallocated file names that point to a given meta data structure.

fls: Lists allocated and deleted file names in a directory.

Meta Data Layer ToolsMeta Data Layer Tools

These file system tools process the meta data structures, which store the details about a file. Examples of this structure include directory entries in FAT, MFT entries in NTFS, and inodes in ExtX and UFS.

icat: Extracts the data units of a file, which is specified by its meta data address (instead of the file name).

ifind: Finds the meta data structure that has a given file name pointing to it or the meta data structure that points to a given data unit.

ils: Lists the meta data structures and their contents in a pipe delimited format.

istat: Displays the statistics and details about a given meta data structure in an easy to read format.

Data Unit Layer ToolsData Unit Layer Tools

These file system tools process the data units where file content is stored. Examples of this layer include clusters in FAT and NTFS and blocks and fragments in ExtX and UFS.

blkcat: Extracts the contents of a given data unit.

blkls: Lists the details about data units and can extract the unallocated space of the file system.

blkstat: Displays the statistics about a given data unit in an easy to read format.

blkcalc: Calculates where data in the unallocated space image (from blkls) exists in the original image. This is used when evidence is found in unallocated space.

Image File Tools

● img_stat - displays details about the disk image

img_statImage Formats

img_statIn Action

IMAGE FILE INFORMATION--------------------------------------------Image Type: raw

Size in bytes: 2000683008

Media Management Tools

● mmls – displays the layout of the disk– Locates the various partitions

Image Types

Volume Types

In Action● Image type

● Sector size

● Partition tables

● Partition start, end, length, and type

● Shows unallocated space as separate entries

● Slot for multiple partition tables as in extended partitions

This is thePartitionNumber

sansforensics@SIFT-laptop:/cases/RED$ mmls red.001DOS Partition TableOffset Sector: 0Units are in 512-byte sectors

Slot Start End Length Description01: ----- 0000000000 0000000061 0000000062 Unallocated02: 00:00 0000000062 0001921999 0001921938 Win95 FAT32 (0x0C)03: 00:01 0001922000 0003905503 0001983504 NTFS (0x07)04: ----- 0003905504 0003907583 0000002080 Unallocated

Media Management Tools● mmcat - extracts the contents of specific partition in

an image– Copies to a separate file

– Get offset, type, sector size etc. from mmls– part_num: from column #1 in mmls

In Actionsansforensics@SIFT-laptop:/cases/REDD$ mmcat red.001 2 > fat.red

In Actionsansforensics@SIFT-laptop:/cases/REDD$ mmcat red.001 3 > ntfs.red

Details of a File System

●fsstat fat.red–Must be given an image of the partition.●Extracted using–For example: fat.red or ntfs.red●However if you know the offset–fsstat -o 62 red.001 works also

fsstat – FAT Part 1

fsstat – FAT Part 2

fsstat – NTFS Part 1

fsstat – NTFS Part 2

fls – File/Dir Listings

● List all directories and files in an image– Inodes or MFT entries, etc.– Full path

● List file types● List MAC dtg's● Lists deleted or undeleted files only

fls - Usage

fls in Action

Get the correct offset to the correct partition.

These are the FAT entries.

fls in Action

Get the correct offset to the correct partition.

These are the MFT entries.

istat – Usage (FAT)

● Lists details of a metadata structure● istat – inode # (mft #, FAT entry)statistics

– File attributes– File name– Size– MAC Times (FAT), (NTFS), both $SA, $FILE_NAME– Sectors allocated, $DATA info

istat in Action with FAT

istat in Action with NTFS

ffind - Owner of a data block

● Finds the name of the file or directory using a given inode, FAT entry, or MFT entry● -a: all occurances● -d: deleted entries only● -u: undeleted entries only

ffind – in Action

icat – Display a File

● Output the contents of a file based on its inode number

● Usual calling parameters● -r: recover deleted file● -s: displays slack space at end of file

icat – in action

icat – in action

icat – in action

Grabbing the MFT for analyseMFT