Today I will introduce the volume layer tools in the Sleuth Kit (TSK). There are three tools in this category: mmstat, mmls and mmcat. As you can see, all three tools start with prefix “mm-“, which stands for “media management”.
To test the tools, I first created an image of a flash drive in Windows system via AccessData’s FTK Imager. The process is simple:
First choose “Create Disk Image…” in FTK’s “File” menu.
Then select “Physical Drive” as source evidence type.
In the “Select Drive” dialog box, select the USB drive.
It then asks you the name of the image file to be created. Here I named it as “physicalUSBraw.001”. Then the FTK Imager started the creation of a bit-to-bit image of the flash drive. It took several minutes for this 1GB drive. After image file was created, it was then copied to the Linux system. The three volume layer tools can then be used to analyze this simple image.
First look at the mmstat tool. Type
mmstat to read information about it. The appeared message is:
mmstat [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] [-t vstype] image [images] -t vstype: The volume system type (use '-t list' for list of supported types) -i imgtype: The format of the image file (use '-i list' for list of supported types) -b dev_sector_size: The size (in bytes) of the device sectors -o imgoffset: Offset to the start of the volume that contains the partition system (in sectors) -v: verbose output -V: print the version
The allowed arguments of this tool are listed. It also tells us that we check what image and partition types are supported by using
-i list and
-t list arguments. The detailed lists are:
$ mmstat -i list Supported image format types: raw (Single or split raw file (dd)) aff (Advanced Forensic Format) afd (AFF Multiple File) afm (AFF with external metadata) afflib (All AFFLIB image formats (including beta ones)) $ mmstat -t list Supported partition types: dos (DOS Partition Table) mac (MAC Partition Map) bsd (BSD Disk Label) sun (Sun Volume Table of Contents (Solaris)) gpt (GUID Partition Table (EFI))
Try this tool on the image file just created. The mmstat gives the type of partition system:
$ mmstat physicalUSBraw.001 dos
So here mmstat tells us the flash drive uses DOS partition system. This is a widely used partition used in i386 / x86 machines. The beginning sector of this partition system is Master Boot Record (MBR). MBR stores information of all partitions. To read information in MBR, we have to use the next tool: mmls.
The mmls tool can be used to display the MBR and partition table. Available options are:
$ mmls Missing image name mmls [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-BrvV] [-aAmM] [-t vstype] image [images] -t vstype: The type of volume system (use '-t list' for list of supported types) -i imgtype: The format of the image file (use '-i list' for list supported types) -b dev_sector_size: The size (in bytes) of the device sectors -o imgoffset: Offset to the start of the volume that contains the partition system (in sectors) -B: print the rounded length in bytes -r: recurse and look for other partition tables in partitions (DOS Only) -v: verbose output -V: print the version Unless any of these are specified, all volume types are shown -a: Show allocated volumes -A: Show unallocated volumes -m: Show metadata volumes -M: Hide metadata volumes
Basically, they are very similar to those in mmstat.
Now let us see what mmls can find in the disk image of flash drive.
$ mmls physicalUSBraw.001 DOS Partition Table Offset Sector: 0 Units are in 512-byte sectors Slot Start End Length Description 00: Meta 0000000000 0000000000 0000000001 Primary Table (#0) 01: ----- 0000000000 0000000511 0000000512 Unallocated 02: 00:00 0000000512 0001957887 0001957376 DOS FAT16 (0x06)
As illustrated above, mmls displayed detailed partition table. Obtained information includes sector size in bytes, starting and ending sectors of each partition (including the unallocated space), and type of each partition.
In this example, the first sector of this drive is the primary table, i.e., the MBR as described before. The only allocated partition in this drive starts in sector offset 512. This is a very important number, which can be used in later analysis. The file system of this partition is FAT16. Knowing all partitions of the disk via mmls, we can use other tools in TSK to perform further analysis with the information given here.
The last tool in this catalog is mmcat. Type
mmcatto see its information:
mmcat [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] [-t vstype] image [images] part_num -t vstype: The type of partition system (use '-t list' for list of supported types) -i imgtype: The format of the image file (use '-i list' for list of supported types) -b dev_sector_size: The size (in bytes) of the device sectors -o imgoffset: Offset to the start of the volume that contains the partition system (in sectors) -v: verbose output -V: print the version
The usage of mmcat is streaming one partition in the image to standard output. This is very useful if you want to extract a partition in the image to a separate file. To do that, use the mmcat tool and redirect output stream to a file. Here I use the following command as an example. This command copied the whole FAT16 partition in the flash drive image to a new file called PartitionNo2.001:
$ mmcat physicalUSBraw.001 2 > PartitionNo2.001
Let us dissect the command. The
mmcat is the command followed by several arguments. The
physicalUSBraw.001 is the image containing the target partition. Since there are multiple partitions, either allocated or unallocated, in a disk, we have to specify which one is the target. The mmcat uses partition number to do this. If you look at the partition table showed in previous example displayed by mmls, you can see the partition number in the beginning of each row in the partition table. So here we specify
2 as the partition number argument because it is the partition number of the partition we intend to copy. The
> PartitionNo2.001 in the end is used to redirect output stream to a file instead of simply displaying all content of the partition in console.
After executing this command, mmcat would generate an image of the FAT16 partition alone called “PartitionNo2.001”.
Another way to generate this output with the information given by mmls is “dd”.
dd is a powerful tool available in Linux used to copy data. In this example, we can create an image of the FAT16 partition by using the command
$ dd if=physicalUSBraw.001 of=ddPartition.dd bs=512 skip=512
There are four arguments in this command. Argument
if refers to the input file name while
of refers to output.
bs stands for “block size” in bytes. Since the data given by mmls is displayed as sectors, we use one sector as one block, which consists of 512 bytes. The last argument
skip is used to designate where the copying process begin. By looking at the table given by mmls command, we know that the FAT16 partition starts at sector 512. Thus, we use
skip=512 to ask dd to copy all data starting from sector 512 till the end of the image. Note the number 512 is used here instead of 511. The reason is Logical Block Address (LBA) starts at 0. The partition starts at sector 512, meaning the addresses of all previous sectors are 0-511, which is 512 in total to skip.
So now there are two partition images generated by two different tools: mmcat and dd. To check whether they are identical, use
sha256sum tool in Linux to compare their SHA256 hash values. The results are:
$ sha256sum PartitionNo2.001 198ec68d5947777971fca0b2bb07710de257aab3d803f346299deca9783dd352 PartitionNo2.001 $ sha256sum ddPartition.dd 198ec68d5947777971fca0b2bb07710de257aab3d803f346299deca9783dd352 ddPartition.dd
The identical SHA256 values prove that the two images are the same.
Basically this is how these tools are used. But they can reveal more information of a disk if combined with some other tools. I will introduce that later.