Sleuthkit Basics - wAlber47/Tech-Journal GitHub Wiki

Sleuthkit (aka TSK) is a set of tools that work with raw (dd) images and can interpret partitions and file systems to read, enumerate and work with evidence. Using this we can recover some deleted files and get information on a disk.

EWF-Tools allow the user to work with E01 files when performing digital investigations. Although many forensics tools support E01 files, many Linux utilities do not.

Setup:

  1. You should create a VHD and fill it with nested files and folders. Once created, you should delete some of these files, (using shift+delete), but keep track of which ones you deleted. Then, detach the disk, make it into a E01 file, and copy it over to your Linux machine.
  2. On your Linux terminal, you should install both ewf-tools and sleuthkit. Sleuthkit will allows us to look at the files and ewf-tools lets us work with E01 file types.
    1. sudo apt-get install ewf-tools
    2. sudo apt-get install sleuthkit

Mounting:

  1. ewfmount 'image location' 'mountpoint'

Partition Information:

  1. mmls 'image location' will give you a table that includes start/end sectors, file system type, and size of partitions on the image.
  2. Using some of this information, we can then use fsstat to look at more in-depth information on the partitions.
    1. fsstat -o 'offset' 'image location' where 'offset' is the starting SECTOR for the partition we would like to see.
    2. This will give us a lot more information than mmls but we need information from mmls in order to run fsstat.

Viewing the File System:

  1. fls -o 'offset' 'image location' lets us view the file structure of the partition and look at what files are their. It also shows us what files have been deleted from there and their nodes.
    1. "d/d" shows a directory. "r/r" shows up that it is a file\
  2. We can then use istat to look at the information of a deleted file by using the node of the file and the offset.
    1. `istat -o 'offset' 'image location' 'node'
    2. 'node' represents the next to the file when fls is run

Recovering Files:

  1. Now that we have a lot of information surrounding files on this disk. We can run commands that allow us to recover these files and pass them into a new file. istat is one of these commands.
    1. icat -o 'offset' -r 'image location' 'node' > 'new file'
    2. -r simply means recover a deleted file
    3. 'new file' represents the name of a file, you may have to include the correct extension

Assignment Page

Images