
The Sleuth Kit

Brian Carrier
Set of tools to analyze device images

Free & Open Source

http://Sleuthkit.org

http://wiki.sleuthkit.org

Image File Tools

This layer contains tools for the image file format itself, for example when the image is a split image or a compressed image. These tools do not interpret partitions or file systems; they only expose the image bytes to the layers above.
img_stat: shows the details of the image format.
img_cat: shows the raw contents of an image file.

Disk Tools

These tools detect and remove a Host Protected Area (HPA) on an ATA disk. An HPA could be used to hide data so that it would not be copied during an acquisition, so check for one before imaging. These tools are currently Linux-only.
disk_sreset: temporarily removes the HPA if one exists. The removal does not persist: after the disk is reset, the HPA returns.
disk_stat: shows whether an HPA exists.

Volume System Tools

These tools take a disk (or other media) image as input and analyze its partition structures. Examples include DOS partitions, BSD disk labels, and the Sun Volume Table of Contents (VTOC). They can be used to find hidden data between partitions and to identify the file system offset needed by the file system tools (the sector offset passed with -o). The media management tools support DOS partitions, BSD disk labels, Sun VTOC, and Mac partitions.
mmls: displays the layout of a disk, including the unallocated spaces.
mmstat: displays details about a volume system (typically only the type).
mmcat: extracts the contents of a specific volume to STDOUT.

File System Tools

File System Layer Tools
These file system tools process general file system data, such as the layout, allocation structures, and boot blocks.
fsstat: shows file system details and statistics including layout, sizes, and labels.

File Name Layer Tools

These file system tools process the file name structures, which are typically located in the parent directory.
ffind: finds allocated and unallocated file names that point to a given meta data structure.
fls: lists allocated and deleted file names in a directory.

Meta Data Layer Tools

These file system tools process the meta data structures, which store the details about a file. Examples of this structure include directory entries in FAT, MFT entries in NTFS, and inodes in ExtX and UFS.
icat: extracts the data units of a file, which is specified by its meta data address (instead of the file name).
ifind: finds the meta data structure that has a given file name pointing to it, or the meta data structure that points to a given data unit.
ils: lists the meta data structures and their contents in a pipe-delimited format.
istat: displays the statistics and details about a given meta data structure in an easy to read format.

Data Unit Layer Tools

These file system tools process the data units where file content is stored. Examples of this layer include clusters in FAT and NTFS and blocks and fragments in ExtX and UFS.
blkcat: extracts the contents of a given data unit.
blkls: lists the details about data units and can extract the unallocated space of the file system.
blkstat: displays the statistics about a given data unit in an easy to read format.
blkcalc: calculates where data in the unallocated space image (from blkls) exists in the original image. This is used when evidence is found in unallocated space: a hit at some offset in the blkls output is converted back to the address of the data unit in the original file system, which can then be examined with blkcat/blkstat or traced to a file with ifind.
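The blkls/blkcalc round trip is easy to get wrong by hand, so here is an added example (not code from The Sleuth Kit) that models it on a constructed eight-unit file system. The allocation bitmap, the 512-byte unit size and the planted string are all assumptions made for the demonstration; a real file system's bitmap comes from its allocation structures, which is what blkls reads.

```python
UNIT = 512  # data unit size: cluster (FAT/NTFS) or block (ExtX/UFS); constructed value

def unallocated_units(bitmap):
    """Addresses of the data units whose allocation bit is clear, in ascending order."""
    return [addr for addr, allocated in enumerate(bitmap) if not allocated]

def blkls_unalloc(image, bitmap):
    """What `blkls` writes to stdout: the unallocated units concatenated in address order."""
    return b"".join(image[a * UNIT:(a + 1) * UNIT] for a in unallocated_units(bitmap))

def blkcalc_unalloc(bitmap, unalloc_addr):
    """blkcalc -u: unit address inside the blkls output -> address in the original file system."""
    units = unallocated_units(bitmap)
    if unalloc_addr >= len(units):
        raise ValueError(f"unit {unalloc_addr} is past the end of the unallocated image")
    return units[unalloc_addr]

def blkcalc_orig(bitmap, orig_addr):
    """blkcalc -d: original unit address -> its position in the blkls output, None if allocated."""
    if bitmap[orig_addr]:
        return None
    return unallocated_units(bitmap).index(orig_addr)

def locate_in_original(image, bitmap, needle):
    """Typical workflow: search the blkls image, then translate the hit back to (unit, offset)
    in the original file system so it can be examined with blkcat/blkstat or traced with ifind."""
    out = blkls_unalloc(image, bitmap)
    hit = out.find(needle)
    if hit < 0:
        return None
    unalloc_unit, offset_in_unit = divmod(hit, UNIT)
    return blkcalc_unalloc(bitmap, unalloc_unit), offset_in_unit

def build_sample():
    """Constructed 8-unit file system: an allocation bitmap plus image bytes, with a
    'deleted' credential left behind in unit 5 (unallocated) at byte offset 100."""
    bitmap = [1, 1, 0, 1, 0, 0, 1, 0]
    image = bytearray(len(bitmap) * UNIT)
    for a in range(len(bitmap)):
        image[a * UNIT:a * UNIT + 8] = f"unit{a:02}  ".encode()   # label each unit
    needle = b"password=hunter2"
    image[5 * UNIT + 100:5 * UNIT + 100 + len(needle)] = needle
    return bytes(image), bitmap

if __name__ == "__main__":
    image, bitmap = build_sample()
    print("unallocated units:", unallocated_units(bitmap))
    print("hit at (original unit, byte offset):",
          locate_in_original(image, bitmap, b"password="))
```

The point to notice is that a byte offset in the blkls output means nothing on its own: unit 2 of the unallocated image is unit 5 of the file system, and only the original address can be handed to blkcat, blkstat or ifind -d.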

Image File Tools

img_stat displays details about the disk image: the image type (raw, split, compressed, etc.) and its size. The supported image formats can be listed with img_stat -i list.

img_stat in Action
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw
Size in bytes: 2000683008

(2000683008 bytes is exactly 3907584 sectors of 512 bytes, which is the sector count mmls reports for the same image below.)

Media Management Tools

mmls displays the layout of the disk and locates the various partitions.
Supported image types: mmls -i list
Supported volume types: mmls -t list

In Action, the listing shows:
  the image type
  the sector size
  the partition tables
  each partition's start, end, length, and type
  unallocated space as separate entries
  a Slot column (table:entry) so that extended partitions, which carry their own partition tables, can be represented
  the leftmost column (01:, 02:, ...) is the partition number used by mmcat
sansforensics@SIFT-laptop:/cases/RED$ mmls red.001
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
01:  -----   0000000000   0000000061   0000000062   Unallocated
02:  00:00   0000000062   0001921999   0001921938   Win95 FAT32 (0x0C)
03:  00:01   0001922000   0003905503   0001983504   NTFS (0x07)
04:  -----   0003905504   0003907583   0000002080   Unallocated

Media Management Tools

mmcat extracts the contents of a specific partition in an image to STDOUT; redirect it to copy the partition to a separate file.
Get the offset, type, sector size, etc. from mmls.
part_num: the partition number from column #1 of the mmls output.

In Action
sansforensics@SIFT-laptop:/cases/REDD$ mmcat red.001 2 > fat.red
sansforensics@SIFT-laptop:/cases/REDD$ mmcat red.001 3 > ntfs.red
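To show what mmls and mmcat are actually doing with the DOS partition table, here is an added example (written for this page, not code from The Sleuth Kit) that parses the MBR of a constructed 128-sector image, reports the gaps as Unallocated, labels each volume with its table:entry slot, and slices a volume out the way mmcat does. It goes one step beyond the listing above, which has only primary partitions: the constructed image also has an extended partition, so the EBR chain is followed and each EBR sector appears as an "Extended Table (#n)" row. The partition layout, type names and the NTFSDATA marker are all assumptions of the example.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}          # containers that hold their own (EBR) partition tables
TYPE_NAMES = {0x07: "NTFS (0x07)", 0x0B: "Win95 FAT32 (0x0B)",
              0x0C: "Win95 FAT32 (0x0C)", 0x83: "Linux (0x83)"}

def read_table(image, lba):
    """The four (type, relative start, length) slots of the DOS partition table in sector lba."""
    sec = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        raise ValueError(f"no 0x55AA boot signature in sector {lba}")
    slots = []
    for i in range(4):
        off = 446 + 16 * i      # entry: status, CHS start, type @+4, CHS end, LBA start @+8, length @+12
        start, length = struct.unpack_from("<II", sec, off + 8)
        slots.append((sec[off + 4], start, length))
    return slots

def dos_layout(image):
    """mmls-style rows (start, end, length, slot, description) in sector units, sorted,
    with the gaps between volumes reported as Unallocated."""
    total = len(image) // SECTOR
    entries, seen, counter = [], set(), [0]

    def walk(table_lba, ext_base):
        if table_lba in seen:                    # a corrupt or malicious EBR chain can loop
            raise ValueError(f"EBR chain loops back to sector {table_lba}")
        seen.add(table_lba)
        table_no = counter[0]
        counter[0] += 1
        if table_no:                             # the EBR sector itself is a meta entry, not volume data
            entries.append((table_lba, table_lba, 1, "-----", f"Extended Table (#{table_no})"))
        for i, (ptype, rel, length) in enumerate(read_table(image, table_lba)):
            if ptype == 0 or length == 0:
                continue
            # MBR starts are absolute; in an EBR slot 0 is relative to the EBR's own sector
            # and the link slot (1) is relative to the start of the whole extended partition.
            if table_no == 0:
                start = rel
            elif i == 0:
                start = table_lba + rel
            else:
                start = ext_base + rel
            if ptype in EXTENDED_TYPES:
                walk(start, ext_base if table_no else start)
            else:
                desc = TYPE_NAMES.get(ptype, f"Unknown (0x{ptype:02X})")
                entries.append((start, start + length - 1, length, f"{table_no:02}:{i:02}", desc))

    walk(0, 0)
    entries.sort()
    layout, cursor = [], 0
    for start, end, length, slot, desc in entries:
        if start > cursor:
            layout.append((cursor, start - 1, start - cursor, "-----", "Unallocated"))
        layout.append((start, end, length, slot, desc))
        cursor = end + 1
    if cursor < total:
        layout.append((cursor, total - 1, total - cursor, "-----", "Unallocated"))
    return layout

def print_layout(layout):
    print("DOS Partition Table\nOffset Sector: 0\nUnits are in 512-byte sectors\n")
    print("     Slot    Start        End          Length       Description")
    for n, (s, e, l, slot, desc) in enumerate(layout, 1):
        print(f"{n:02}:  {slot:<6} {s:010}   {e:010}   {l:010}   {desc}")

def fs_offset(layout, part_num):
    """Start sector of row part_num (column #1 of the listing): the value for the -o option."""
    return layout[part_num - 1][0]

def mmcat(image, layout, part_num):
    """What mmcat writes to stdout for partition part_num: the volume's raw bytes."""
    start, end = layout[part_num - 1][:2]
    return image[start * SECTOR:(end + 1) * SECTOR]

def build_test_image():
    """Constructed 128-sector image: one FAT32 primary plus an extended partition holding
    two logical volumes, each behind its own EBR."""
    def table(slots):
        sec = bytearray(SECTOR)
        for i, (ptype, start, length) in enumerate(slots):
            off = 446 + 16 * i
            sec[off + 4] = ptype
            struct.pack_into("<II", sec, off + 8, start, length)
        sec[510:512] = b"\x55\xaa"
        return sec
    img = bytearray(128 * SECTOR)
    img[0:SECTOR] = table([(0x0C, 2, 32), (0x05, 40, 48)])                  # MBR
    img[40 * SECTOR:41 * SECTOR] = table([(0x07, 2, 22), (0x05, 24, 24)])   # EBR #1: NTFS at 42, link to EBR at 64
    img[64 * SECTOR:65 * SECTOR] = table([(0x83, 2, 14)])                   # EBR #2: Linux at 66, end of chain
    img[42 * SECTOR:42 * SECTOR + 8] = b"NTFSDATA"                          # marker to prove mmcat slices correctly
    return bytes(img)

if __name__ == "__main__":
    image = build_test_image()
    layout = dos_layout(image)
    print_layout(layout)
    print("\nfsstat -o", fs_offset(layout, 6), "would address the NTFS volume")
```

Two details matter in practice: the starts in an EBR are relative (to the EBR sector for the logical volume, to the extended partition's start for the link), which is exactly why mmls prints absolute sector numbers for you, and the loop check on the EBR chain is what keeps a crafted disk from hanging the parser.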

Details of a File System

fsstat fat.red

fsstat must be given an image of the partition, i.e. a file system, for example fat.red or ntfs.red as extracted above with mmcat.
However, if you know the sector offset of the partition, fsstat -o 62 red.001 works as well (62 is the start sector of the FAT32 partition in the mmls output; the NTFS partition would be -o 1922000).

fsstat FAT Part 1
fsstat FAT Part 2
fsstat NTFS Part 1
fsstat NTFS Part 2
(screenshots of the fsstat output for the FAT and NTFS partitions; not reproduced in this text)

fls File/Dir Listings

Lists all directories and files in an image:
  the meta data address of each entry (inode, MFT entry number, FAT directory entry address)
  the full path (-p), recursing into subdirectories (-r)
  the file type (d/d for directories, r/r for regular files)
  MAC date-time groups, in long format (-l) or in mactime body format (-m)
  deleted (-d) or undeleted (-u) entries only

fls - Usage

fls in Action
Get the correct offset to the correct partition: with -o 62 the listing shows the FAT directory entries, with -o 1922000 it shows the MFT entries.

istat Usage

Lists the details of a metadata structure:
  istat [-o offset] image inode#   (inode number, MFT entry number, or FAT directory entry address)
  file attributes
  file name
  size
  MAC times: on FAT from the directory entry; on NTFS from both $STANDARD_INFORMATION and $FILE_NAME
  sectors allocated, and on NTFS the $DATA attribute info

istat in Action with FAT
istat in Action with NTFS

ffind - Which file name points to a meta data structure

Finds the name of the file or directory that uses a given inode, FAT directory entry, or MFT entry.
  -a: all occurrences (by default only the first matching name is shown)
  -d: deleted entries only
  -u: undeleted entries only
(To go the other way, from a data block to the meta data structure that owns it, use ifind -d.)

ffind in Action

icat Display a File

Outputs the contents of a file based on its meta data address (inode number, FAT directory entry, or MFT entry), not its name.
Usual calling parameters:
  -r: recover deleted file
  -s: also display the slack space at the end of the file (the unused tail of the file's last data unit)

icat in Action
Grabbing the MFT for analyzeMFT: on NTFS the $MFT is meta data entry 0, so icat with the NTFS partition offset and address 0 writes out the MFT.
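The file name, meta data and data unit layers described earlier are what fls, ffind, ifind and icat move between, and the icat -s slack behaviour only makes sense once those layers are separated. Here is an added example (not The Sleuth Kit's code) that builds a constructed toy file system with those three layers and reimplements the lookups each tool performs; the directory entries, meta data table, 512-byte unit size and the contiguous cluster chains are all assumptions made for the demonstration.

```python
UNIT = 512  # data unit (cluster) size of the constructed toy file system

# Constructed toy file system, split into the three layers the TSK tools separate.
# File name layer: directory entries (name, meta data address, allocated?)
NAMES = [("report.docx", 5, True), ("notes.txt", 6, True), ("secret.key", 7, False)]
# Meta data layer: meta address -> (file size, data unit chain, allocated?)
META = {5: (1000, [10, 11], True), 6: (300, [12], True), 7: (600, [13, 14], False)}

def build_image():
    """Data unit layer: 16 units; each file's bytes followed by residue in its slack.
    Chains are assumed contiguous so the file can be written as one run."""
    img = bytearray(16 * UNIT)
    def place(chain, size, fill, slack_fill):
        start = chain[0] * UNIT
        img[start:start + size] = fill * size
        img[start + size:(chain[-1] + 1) * UNIT] = slack_fill * (len(chain) * UNIT - size)
    place([10, 11], 1000, b"R", b"s")   # 24 bytes of slack in unit 11
    place([12], 300, b"N", b"x")        # 212 bytes of slack in unit 12
    place([13, 14], 600, b"K", b"z")    # deleted file, content still on disk
    return bytes(img)

def fls(names, deleted=None):
    """fls: names with their meta address; deleted=True is fls -d, False is fls -u, None lists all."""
    rows = []
    for name, meta, alloc in names:
        if deleted is None or deleted == (not alloc):
            rows.append(("r/r" + ("" if alloc else " *"), meta, name))
    return rows

def ffind(names, meta_addr, all_names=False):
    """ffind: name(s) pointing at a meta address; -a returns every one, default only the first."""
    hits = [n for n, m, _ in names if m == meta_addr]
    return hits if all_names else hits[:1]

def ifind_name(names, name):
    """ifind -n: the meta address a file name points to."""
    return next((m for n, m, _ in names if n == name), None)

def ifind_data(meta, unit):
    """ifind -d: the meta structure that points at a data unit (which file owns this cluster?)."""
    return next((addr for addr, (_, chain, _) in meta.items() if unit in chain), None)

def icat(image, meta, addr, slack=False):
    """icat: file content by meta address; slack=True (icat -s) keeps the tail of the last unit."""
    size, chain, _ = meta[addr]
    raw = b"".join(image[u * UNIT:(u + 1) * UNIT] for u in chain)
    return raw if slack else raw[:size]

def slack_bytes(image, meta, addr):
    """Only the slack: what icat -s adds beyond the file size."""
    size = meta[addr][0]
    return icat(image, meta, addr, slack=True)[size:]

if __name__ == "__main__":
    image = build_image()
    for ftype, addr, name in fls(NAMES):
        print(f"{ftype} {addr}:\t{name}")
    print("unit 14 belongs to meta", ifind_data(META, 14), "->", ffind(NAMES, ifind_data(META, 14)))
    print("report.docx slack:", slack_bytes(image, META, 5))
```

The deleted secret.key still has a meta entry and its clusters still hold content, which is why icat on address 7 returns it; a hit found in a data unit is traced the other way, unit to meta address with ifind -d, then meta address to name with ffind.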