Bruce Nikkel 4_2_sleuthkit_fs_analysis.pdf
Card Set Details
Cards | 23 |
---|---|
Language | English |
Category | Technology |
Level | University |
Created / Updated | 20.06.2019 / 01.07.2020 |
Weblink | https://card2brain.ch/box/20190620_bruce_nikkel_42sleuthkitfsanalysis_pdf |
Why do we have filesystems?
Purpose of filesystems:
- organize storage device data into files and directories/folders
- maintain metadata (timestamps, permissions, attributes, etc.)
- provide additional storage features (integrity, encryption, volume management, quotas, etc.)
- create a hierarchical abstraction layer for users and programs
Name some common filesystems and some newer filesystems.
Common filesystems today:
- FAT
- NTFS
- EXT4
- HFS+
Newer filesystems:
- BTRFS
- APFS
- ZFS
What is the goal of filesystem forensics?
Why filesystem forensics is done:
- identify the filesystem used
- recover files (including deleted files)
- recover file fragments (slack, unallocated areas)
- find attempts to hide data (change *.jpg to *.exe)
- hash individual files for search and ignore (exclusion)
- analyze meta data (timestamps, ownership, etc.)
- evidence from corrupted, partially wiped filesystems
- reconstruct past events with timelines
- special topics: raid, journals, encryption
Check which filesystems are supported by TSK (The Sleuth Kit):
fsstat -f list
What areas are forensically interesting on a storage drive?
Areas of forensic interest on a storage drive:
- sector - the smallest accessible unit of a drive
- block - consecutive sectors, the smallest accessible unit on a filesystem
- allocated blocks - filesystem blocks that are allocated to files
- unallocated blocks - filesystem blocks that are not allocated to files (previously allocated data may still exist)
- inodes - metadata describing files and directories (also the MFT on NTFS)
- interpartition gaps - (mmls) possibly overwritten filesystems [forensic term: "slack" space]
- volume slack - between end of filesystem and end of partition
- file slack - between end of file and end of block
- ram slack - between end of file and end of sector
- less important today - 4K sectors, OSs wiping data, TRIM
(same meaning: directories = folders, partitions = volumes)
What are the two ways to access a filesystem for analysis?
Via normal kernel devices:
- raw devices (/dev/sda, /dev/mmcblk0, /dev/nvme0n1)
- partition devices (/dev/sda1 or /dev/nvme0n1p1)
Kernel loop devices can be created or removed from a forensic image:
- /dev/loop*
- $ sudo losetup --find --partscan --read-only image.dd
- $ sudo losetup -d /dev/loop0
Via calculated offsets (be careful, check the units!):
- byte offsets (character offsets could be 2 bytes - Unicode)
- sector offsets (sector size is not always 512 bytes)
- block offsets (remember to subtract the partition sector offset)
- use shell math: $ echo $((1024000 / 512))
Do forensic tools require devices or images to be mounted?
Forensic analysis tools act directly on the device, or on a forensically acquired image - no mounting needed.
I know the drive sector, what is the filesystem block?
# echo $(((sectornumber-partitionoffset)/blocksize))
How can you find out if a filesystem block is allocated?
# blkstat /dev/sdb1 1025
I know the block, what is the allocated inode?
# ifind -d 1025 /dev/sdb1
I know the inode, what is the filename?
# ffind /dev/sdb1 14
I know the filename, what is the inode?
# ifind -n "hello.txt" /dev/sdb1
I want more info about an inode:
# istat /dev/sdb1 14
What is an Inode?
An inode is a data structure on a filesystem on Linux and other Unix-like operating systems that stores all the information about a file except its name and its actual data.
What tools can be used for extracting sectors and blocks?
- Sleuthkit's blkcat
- dd
Sleuthkit's blkcat is like dd, but is more filesystem aware.
Some examples:
extract drive sectors use dd with offset:
# dd if=/dev/sda of=data.dd skip=8000 count=25
extract blocks 1000-1009 from a partition image:
# blkcat partition.dd 1000 10
extract all unallocated blocks from a filesystem:
# blkls -A partition.dd > unalloc.blkls
extract all file slack space from a filesystem:
# blkls -s partition.dd > slack.blkls
display a single block in human-readable form:
# blkcat -h image.dd 5436
For blkcat readable output: "-a" for ASCII, "-h" for hex, "-w" for HTML. Use blkcalc to map blkls output back to locations in the original image.
How can you list and extract inodes and files?
Following tools can be used:
- fls
- ils
- icat
- fcat
What tools can be used to analyze the filesystem journal?
- sleuthkit "jls": list the entries in a filesystem journal
- sleuthkit "jcat": extract data from a filesystem journal
What are the TSK (Sleuthkit) commands for analyzing partitions and forensic file formats:
- mmcat
- mmls
- mmstat
- fsstat
- img_cat
- img_stat
What are the TSK tools to analyze blocks/sectors?
- blkcalc
- blkcat
- blkls
- blkstat
TSK commands for analyzing inodes.
- icat
- ifind
- ils
- istat
- tsk_recover
TSK commands for analyzing by filename.
- fcat
- ffind
- fls
- fiwalk
TSK commands for analyzing Journaling filesystems.
- jcat
- jls
- usnjls
TSK commands for timelines.
- mactime
- tsk_gettimes
TSK commands for searching and sorting.
- jpeg_extract
- sigfind
- sorter
- srch_strings
- tsk_comparedir
- hfind
- tsk_loaddb