Bruce Nikkel 4_2_sleuthkit_fs_analysis.pdf
File details
Flashcards | 23
Language | English
Category | Technical
Level | University
Created / Updated | 20.06.2019 / 01.07.2020
Web link | https://card2brain.ch/box/20190620_bruce_nikkel_42sleuthkitfsanalysis_pdf
Why do we have filesystems?
Purpose of filesystems:
- organize storage device data into files and directories/folders
- maintain metadata (timestamps, permissions, attributes, etc.)
- provide additional storage features (integrity, encryption, volume management, quotas, etc.)
- create a hierarchical abstraction layer for users and programs
Name some common filesystems and some newer filesystems.
Common filesystems today:
- FAT
- NTFS
- EXT4
- HFS+
Newer filesystems:
- BTRFS
- APFS
- ZFS
What is the goal of filesystem forensics?
Why filesystem forensics is done:
- identify the filesystem in use
- recover files (including deleted files)
- recover file fragments (slack, unallocated areas)
- find attempts to hide data (e.g. a renamed extension such as *.jpg to *.exe)
- hash individual files for searching (inclusion) and for ignoring known files (exclusion)
- analyze metadata (timestamps, ownership, etc.)
- recover evidence from corrupted or partially wiped filesystems
- reconstruct past events with timelines
- special topics: RAID, journals, encryption
Check which filesystems are supported by TSK (Sleuthkit):
fsstat -f list
What areas of a storage drive are forensically interesting?
Areas of forensic interest on a storage drive:
- sector - the smallest accessible unit of a drive
- block - consecutive sectors, the smallest allocation unit of a filesystem
- allocated blocks - filesystem blocks that are allocated to files
- unallocated blocks - filesystem blocks that are not allocated to files (previously allocated data may still exist there)
- inodes - metadata describing files and directories (the NTFS MFT plays the same role)
- interpartition gaps - visible with mmls; may contain remnants of earlier, overwritten filesystems
Forensic term "slack" space:
- volume slack - between the end of the filesystem and the end of the partition
- file slack - between the end of the file and the end of its last block
- RAM slack - between the end of the file and the end of its last sector
- slack matters less today: 4K sectors, operating systems that wipe (zero-fill) data, and SSD TRIM
(terms used interchangeably here: directories = folders, partitions = volumes)
What are the two ways to access a filesystem for analysis?
Via normal kernel devices:
- raw devices (/dev/sda, /dev/mmcblk0, /dev/nvme0n1)
- partition devices (/dev/sda1 or /dev/nvme0n1p1)
Kernel loop devices can be created from, or detached from, a forensic image:
- /dev/loop*
- $ sudo losetup --find --partscan --read-only image.dd (add --show to print the loop device that was assigned)
- $ sudo losetup -d /dev/loop0 (-d detaches one device; -D detaches all loop devices)
Via calculated offsets (be careful, check the units!):
- byte offsets (character offsets are not byte offsets: a Unicode character may be 2 or more bytes)
- sector offsets (the sector size is not always 512 bytes)
- block offsets (remember to subtract the partition's starting sector first)
- use shell math: $ echo $((1024000 / 512))
Do forensic tools require devices or images to be mounted?
Forensic analysis tools act directly on the device, or on a forensically acquired image - no mounting is needed.
I know the drive sector, what is the filesystem block?
# echo $(((sectornumber-partitionoffset)/blocksize))
(all three values must be in sectors: blocksize is the filesystem block size divided by the sector size, e.g. 4096/512 = 8)
How can you find out whether a filesystem block is allocated?
# blkstat /dev/sdb1 1025
I know the block, what is the allocated inode?
# ifind -d 1025 /dev/sdb1
I know the inode, what is the filename?
# ffind /dev/sdb1 14
I know the filename, what is the inode?
# ifind -n "hello.txt" /dev/sdb1
I want more info about an inode:
# istat /dev/sdb1 14
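The offset arithmetic above, and the sector -> block -> inode -> filename chain of the last few cards, as an added shell example (not from the original flashcards and not part of Sleuthkit). It keeps every conversion in one unit (sectors), takes the partition start from mmls instead of a guessed constant, and refuses to map a sector that lies before the partition. The mmls output is a constructed sample; the trace_sector wrapper is hypothetical and only runs the TSK steps when the tools are installed.

```shell
#!/bin/sh
# Added example (not from the original flashcards or from TSK): unit-safe
# conversion between drive sectors, partition starts and filesystem blocks.
# Assumptions: 512-byte sectors unless overridden; 4096-byte filesystem
# blocks (ext4 default); the mmls sample below is constructed, not captured.

# sector_to_block DRIVE_SECTOR PART_START_SECTOR BLOCK_BYTES [SECTOR_BYTES]
# Prints the filesystem block containing an absolute drive sector. Fails if
# the sector lies before the partition (a gap or another filesystem).
sector_to_block() {
    sector=$1; part_start=$2; block_bytes=$3; sector_bytes=${4:-512}
    if [ "$sector" -lt "$part_start" ]; then
        echo "sector $sector precedes partition start $part_start" >&2
        return 1
    fi
    # The block size must be converted to sectors before dividing; dividing
    # by the byte size would put every sector in block 0.
    spb=$((block_bytes / sector_bytes))
    echo $(( (sector - part_start) / spb ))
}

# block_to_sector FS_BLOCK PART_START_SECTOR BLOCK_BYTES [SECTOR_BYTES]
# Prints the first absolute drive sector of a filesystem block, so a blkcat
# hit on the partition can be cross-checked with dd on the whole-drive image.
block_to_sector() {
    block=$1; part_start=$2; block_bytes=$3; sector_bytes=${4:-512}
    echo $(( part_start + block * (block_bytes / sector_bytes) ))
}

# byte_to_sector BYTE_OFFSET [SECTOR_BYTES]
# Prints the sector containing an absolute byte offset (e.g. a grep -b hit).
# TSK's -o option wants this sector number, not the byte offset.
byte_to_sector() {
    echo $(( $1 / ${2:-512} ))
}

# Constructed sample of `mmls image.dd` output for a DOS partition table.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  -------   0000206848   0000210943   0000004096   Unallocated
004:  000:001   0000210944   0000417791   0000206848   Linux Swap / Solaris x86 (0x82)'

# mmls_part_start MMLS_OUTPUT ENTRY -> start sector of table entry NNN (e.g. 002)
mmls_part_start() {
    printf '%s\n' "$1" | awk -v e="$2:" '$1 == e { print $3 + 0 }'
}

# mmls_gaps MMLS_OUTPUT -> "start length" of every unallocated range, i.e. the
# interpartition gaps worth carving for old filesystems or hidden data.
mmls_gaps() {
    printf '%s\n' "$1" | awk '$2 == "-------" { print $3 + 0, $5 + 0 }'
}

# trace_sector IMAGE DRIVE_SECTOR PART_ENTRY BLOCK_BYTES
# Hypothetical wrapper: walks sector -> block -> inode -> filename with the
# TSK tools, passing the partition start as a sector offset (-o) each time.
trace_sector() {
    img=$1; sector=$2; entry=$3; block_bytes=$4
    command -v mmls >/dev/null 2>&1 || { echo "sleuthkit not installed" >&2; return 1; }
    start=$(mmls_part_start "$(mmls "$img")" "$entry")
    [ -n "$start" ] || { echo "no partition entry $entry" >&2; return 1; }
    blk=$(sector_to_block "$sector" "$start" "$block_bytes") || return 1
    echo "partition start $start, fs block $blk"
    blkstat -o "$start" "$img" "$blk"             # allocated or not?
    inode=$(ifind -o "$start" -d "$blk" "$img")   # which inode owns the block?
    echo "inode: $inode"
    ffind -o "$start" "$img" "$inode"             # which filename?
    istat -o "$start" "$img" "$inode"             # timestamps, size, block list
}

# Stand-alone demonstration on the constructed table: `sh script.sh demo`
if [ "${1:-}" = "demo" ]; then
    start=$(mmls_part_start "$SAMPLE_MMLS" 002)
    echo "interpartition gaps (start length):"; mmls_gaps "$SAMPLE_MMLS"
    echo "sector 10240 -> block $(sector_to_block 10240 "$start" 4096)"
    # Same numbers read as 4096-byte sectors give a different block: check units.
    echo "with 4K sectors -> block $(sector_to_block 10240 "$start" 4096 4096)"
fi
```

Sector 10240 on the sample drive is (10240 - 2048) / 8 = block 1024 of the first Linux partition; feeding that block number to blkstat, ifind -d and ffind (all with -o 2048) completes the chain on a real image.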
What is an Inode?
An inode is a data structure on a filesystem on Linux and other Unix-like operating systems that stores all the information about a file except its name and its actual data.
What tools can be used for extracting sectors and blocks?
- Sleuthkit's blkcat
- dd
Sleuthkit's blkcat is like dd, but it is filesystem-aware (it addresses filesystem blocks rather than raw sectors).
Some examples:
Extract 25 drive sectors starting at sector 8000 with dd (the default block size is 512 bytes, so make it explicit):
# dd if=/dev/sda of=data.dd bs=512 skip=8000 count=25
Extract blocks 1000-1009 from a partition image:
# blkcat partition.dd 1000 10
Extract all unallocated blocks from a filesystem:
# blkls -A partition.dd > unalloc.blkls
Extract all file slack space from a filesystem:
# blkls -s partition.dd > slack.blkls
View a single block in hex (this is a blkcat option; in blkls, -a means allocated blocks):
# blkcat -h image.dd 5436
For readable blkcat output: "-a" for ASCII, "-h" for hex, "-w" for HTML. Use blkcalc to map a block in a blkls output file back to its location in the original image.
How can you list and extract inodes and files?
Following tools can be used:
- fls
- ils
- icat
- fcat
What tools can be used to analyze the filesystem journal?
- sleuthkit "jls": list the entries in a filesystem journal
- sleuthkit "jcat": extract data from a file system journal
What are the TSK (Sleuthkit) commands for analyzing partitions, filesystems and forensic image formats?
- mmcat
- mmls
- mmstat
- fsstat
- img_cat
- img_stat
What are the TSK tools to analyze blocks/sectors?
- blkcalc
- blkcat
- blkls
- blkstat
TSK commands for analyzing inodes.
- icat
- ifind
- ils
- istat
- tsk_recover
TSK commands for analyzing by filename.
- fcat
- ffind
- fls
- fiwalk
TSK commands for analyzing Journaling filesystems.
- jcat
- jls
- usnjls
TSK commands for timelines.
- mactime
- tsk_gettimes
TSK commands for searching and sorting.
- jpeg_extract
- sigfind
- sorter
- srch_strings
- strings
- tsk_comparedir
- hfind
- tsk_loaddb