Digital forensic examiners extract useful information from files. The Sleuth
Kit provides powerful tool to list files contained in a partition. This tool
The basic format of fls is:
fls [partition_image] [[inode]].
The inode value is optional.
As a simple example, suppose we want to list files in the root folder of partition image “logicalUSBraw.001”. Simply use:
$ fls logicalUSBraw.001
What if what we have is a whole disk image? Of course we can use
extract the target partition to a new image file and proceed with fls. But an
easier method will be using the offset value of the target partition given by
mmls tool and combining it with -o argument.
As the previous post showed, mmls is a very useful tool when being used to list all partitions and unallocated space on a disk. It not only shows the starting and ending sector, but also gives the information about the type of the partition. However, this piece of information could be wrong and misleading.
In the previous example, I introduced how the mmls recognizes the type of the file system of a partition. It reads the partition table record, finds the partition type flag, then determine the partition type based on the value. But the value of this flag can be modified manually, which means the mmls tool may provide wrong information about the partition type.
Let us see an experiment. In this experiment, I created a partition on a USB drive then modified the partition table record to mislead the mmls tool. This experiment is done in OpenSUSE OS with the help of YaST2 Partitioner program....Read more
In a previous post, I showed the basic use of
the Sleuth Kit’s volume tools
mm-. An image of a FAT16 flash drive was used as example. But in order to learn
more details about volume analysis, it will be more helpful to know how these tools are used to parse partition information from the image.
In the example I mentioned above,
mmls was used to display partitions of the image. The command and output are:
$ mmls physicalUSBraw.001 DOS Partition Table Offset Sector: 0 Units are in 512-byte sectors Slot Start End Length Description 00: Meta 0000000000 0000000000 0000000001 Primary Table (#0) 01: ----- 0000000000 0000000511 0000000512 Unallocated 02: 00:00 0000000512 0001957887 0001957376 DOS FAT16 (0x06)
From the result we know that the partition system used in this image is DOS. How does mmls know this? It knows this from Master Boot Record (MBR), namely the “Primary Table” row in the list. MBR usually locates in the first sector of the disk. It contains lots information of how the disk is partitioned. So it will be very helpful to extract it from the image alone for further analysis. Use the following command to extract the partition table and save it in a file called “MBR”.
$ dd if=physicalUSBraw.001 of=MBR count=1
The command is straightforward. The only part that needs to be explained is an argument
bs=512 is omitted because 512 is the default block size value. Thus this command uses
dd and export the first 512 bytes, namely the first sector of the disk image.
Note: In this article, I will use the term “typeface” instead of the more popular term “font”. The reason can be found here.
Everyone loves to read an article that looks nice and clean. For an IT blog, since large paragraphs of codes often appear, it is very important to choose a good typeface to display codes, which comforts readers significantly in relative to a random one.
Different programmers may have different opinions about how a “nice” typeface looks like. Nevertheless, there are still some criteria accepted by the majority of programmers about good code typeface:
Today I will introduce the volume layer tools in the Sleuth Kit (TSK). There are three tools in this category: mmstat, mmls and mmcat. As you can see, all three tools start with prefix “mm-“, which stands for “media management”.
To test the tools, I first created an image of a flash drive in Windows system via AccessData’s FTK Imager. The process is simple:...Read more