Using Sleuth Kit 05 - File listing tool


Digital forensic examiners extract useful information from files. The Sleuth Kit provides powerful tool to list files contained in a partition. This tool is fls.

The basic format of fls is: fls [partition_image] [[inode]].

The inode value is optional.

As a simple example, suppose we want to list files in the root folder of partition image “logicalUSBraw.001”. Simply use:

$ fls logicalUSBraw.001

What if what we have is a whole disk image? Of course we can use mmcat to extract the target partition to a new image file and proceed with fls. But an easier method will be using the offset value of the target partition given by the mmls tool and combining it with -o argument.

...Read more

Using Sleuth Kit 04 - Misleading result of mmls


As the previous post showed, mmls is a very useful tool when being used to list all partitions and unallocated space on a disk. It not only shows the starting and ending sector, but also gives the information about the type of the partition. However, this piece of information could be wrong and misleading.

In the previous example, I introduced how the mmls recognizes the type of the file system of a partition. It reads the partition table record, finds the partition type flag, then determine the partition type based on the value. But the value of this flag can be modified manually, which means the mmls tool may provide wrong information about the partition type.

Let us see an experiment. In this experiment, I created a partition on a USB drive then modified the partition table record to mislead the mmls tool. This experiment is done in OpenSUSE OS with the help of YaST2 Partitioner program.

...Read more

Using Sleuth Kit 03 - Using Volume Analysis Tools


In a previous post, I showed the basic use of the Sleuth Kit’s volume tools mm-. An image of a FAT16 flash drive was used as example. But in order to learn more details about volume analysis, it will be more helpful to know how these tools are used to parse partition information from the image.

In the example I mentioned above, mmls was used to display partitions of the image. The command and output are:

$ mmls physicalUSBraw.001

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000511   0000000512   Unallocated
02:  00:00   0000000512   0001957887   0001957376   DOS FAT16 (0x06)

From the result we know that the partition system used in this image is DOS. How does mmls know this? It knows this from Master Boot Record (MBR), namely the “Primary Table” row in the list. MBR usually locates in the first sector of the disk. It contains lots information of how the disk is partitioned. So it will be very helpful to extract it from the image alone for further analysis. Use the following command to extract the partition table and save it in a file called “MBR”.

$ dd if=physicalUSBraw.001 of=MBR count=1

The command is straightforward. The only part that needs to be explained is an argument bs=512 is omitted because 512 is the default block size value. Thus this command uses dd and export the first 512 bytes, namely the first sector of the disk image.

...Read more

Choose a Nice Code Typeface for the Blog


Note: In this article, I will use the term “typeface” instead of the more popular term “font”. The reason can be found here.

Everyone loves to read an article that looks nice and clean. For an IT blog, since large paragraphs of codes often appear, it is very important to choose a good typeface to display codes, which comforts readers significantly in relative to a random one.

Different programmers may have different opinions about how a “nice” typeface looks like. Nevertheless, there are still some criteria accepted by the majority of programmers about good code typeface:

  • It should be in monospace family, meaning every character should has the same width.
  • The edge should be smooth enough.
  • Some similar characters should be able to be distinguished easily. For example, letter ‘O’ and digit ‘0’, letter ‘l’ and digit ‘1’.
...Read more

Using Sleuth Kit 02 - Volume Analysis Tools


Today I will introduce the volume layer tools in the Sleuth Kit (TSK). There are three tools in this category: mmstat, mmls and mmcat. As you can see, all three tools start with prefix “mm-“, which stands for “media management”.

To test the tools, I first created an image of a flash drive in Windows system via AccessData’s FTK Imager. The process is simple:

...Read more

Previous Page   Page 3 of 4   Next Page

SYANG.IO © 2018