Sleuth Kit refresher

December 28, 2019

Computer forensic skills can go stale quickly if not regularly exercised, so I spent a few minutes this morning refreshing my knowledge of The Sleuth Kit (TSK). The Sleuth Kit tools provide a simple and repeatable interface for analyzing disk images and file systems, whether for forensic or data recovery purposes.

Prerequisites

To follow along, you will need the following:

(1) An installation of The Sleuth Kit. On Debian/Ubuntu, apt-get install sleuthkit will do the job. On FreeBSD, pkg install sleuthkit will work. On Windows, we’ll need to download, verify, extract, and place the binaries somewhere in our path. (Preferences may vary, and this is left as an exercise for the reader.)

(2) A disk image to play around with. The good folks at Digital Corpora have made available a sample Windows XP image (size warning: 4GB) that I’ll make use of this morning. This file is in the EnCase (EWF, .E01) image file format, which is one of several formats supported by TSK.

(3) A Perl installation, since mactime is a Perl script. If you are on Windows, take a look at Strawberry Perl.

Hashing

Preservation and validation of data integrity is fundamental to forensics, so let’s verify the hash of our disk image. If you are on a unix-like system, the tool you want is sha256sum. (For an excellent alternative to the standard utilities, check out hashdeep.) On Windows, we’ll use the following command:


> certutil -hashfile nps-2009-domexusers.E01 sha256
SHA256 hash of file nps-2009-domexusers.E01:
5c52f16eddd6d1afef216d968b19e7267fbd5e3c8bb1626bfb2d8c4f36cfaa1c
CertUtil: -hashfile command completed successfully.
>

This is an older disk image, however, and no SHA256 is published in the narrative or anywhere else that I can find. There is an MD5 hash incorporated in the image file metadata, so we will use that to verify the download integrity. (MD5 is deprecated and should no longer be used for most purposes. It is adequate here only as a corruption check: the embedded value was computed at acquisition time, and anyone who could alter the image could rewrite the header hash as well, so a match is not authentication.) The img_stat command will inform us what the MD5 should be, but does not itself verify it:


> img_stat nps-2009-domexusers.E01
IMAGE FILE INFORMATION
--------------------------------------------
Image Type:             ewf

Size of data in bytes:  42949672960
Sector size:    512
MD5 hash of data:       8e7176524a64376631cd7dc9d90339f1

>

I walked through this analysis on a Windows machine (“hard mode”), but I cheated a bit here and used the md5sum utility included with Git Bash in combination with img_cat to verify that the disk image data is unmodified.


$ PATH=$PATH:/d/Users/jts/sleuthkit-4.7.0-win32/bin
$ img_cat nps-2009-domexusers.E01 | md5sum
8e7176524a64376631cd7dc9d90339f1 *-
$

We have a match. Note what was hashed: img_cat streams the acquired disk contents out of the E01 container, and the embedded MD5 covers exactly that data. Hashing the .E01 file itself, as certutil did above, covers the container (headers plus compressed chunks) and will never reproduce the embedded value; keep that SHA256 anyway as your own fingerprint of the file you downloaded.

Getting started

Let’s jump right in and get a list of partitions on our disk image, using the mmls tool:


> mmls nps-2009-domexusers.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0083859299   0083859237   NTFS / exFAT (0x07)
003:  -------   0083859300   0083886079   0000026780   Unallocated

>

Looks like we have one file system, likely NTFS (run fsstat -o 63 nps-2009-domexusers.E01 to confirm), starting at sector offset 63. mmls reports that its units are 512-byte sectors, and that sector count is exactly what the -o option of fls, fcat, icat, and fsstat expects. We can dig deeper by feeding that offset into fls:


> fls -o 63 nps-2009-domexusers.E01
r/r 4-128-4:    $AttrDef
r/r 8-128-2:    $BadClus
r/r 8-128-1:    $BadClus:$Bad
r/r 6-128-1:    $Bitmap
r/r 7-128-1:    $Boot
d/d 11-144-4:   $Extend
r/r 2-128-1:    $LogFile
r/r 0-128-1:    $MFT
r/r 1-128-1:    $MFTMirr
r/r 9-144-16:   $Secure:$SDH
r/r 9-144-17:   $Secure:$SII
r/r 9-128-18:   $Secure:$SDS
r/r 10-128-1:   $UpCase
r/r 3-128-3:    $Volume
r/r 7445-128-1: AUTOEXEC.BAT
r/r 3516-128-3: boot.ini
r/r 7444-128-1: CONFIG.SYS
d/d 3524-144-6: Documents and Settings
r/r 7446-128-1: IO.SYS
r/r 25743-128-1:        IPH.PH
r/r 7447-128-1: MSDOS.SYS
d/d 29222-144-1:        MSOCache
r/r 3487-128-3: NTDETECT.COM
r/r 3483-128-3: ntldr
r/r 27-128-1:   pagefile.sys
d/d 3993-144-6: Program Files
d/d 29184-144-1:        RECYCLER
d/d 3522-144-6: System Volume Information
d/d 28-144-6:   WINDOWS
V/V 36880:      $OrphanFiles

>

If we wish, we can easily retrieve the content of files. Let’s see what’s in that boot.ini file with fcat, which takes a path (icat -o 63 nps-2009-domexusers.E01 3516-128-3 retrieves the same data by the MFT address fls printed, which is the route to take when a file no longer has a name):


> fcat -o 63 boot.ini nps-2009-domexusers.E01
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

>

Brings back some memories, that.

Going a bit deeper

All of this is fine and good, but of limited investigative power. Just about the minimum useful thing we can do is create a file system timeline from the MAC timestamps (modified, accessed, changed and, on NTFS, created), which can be incredibly useful in reconstructing events. Let’s use the included mactime.pl Perl utility and get that done: fls -m emits the allocated files in body-file format with the given mount point prefixed to each path, ils -m adds the unallocated (deleted) MFT entries, and mactime sorts the combined body file into a timeline:


> fls -rm c -o 63 nps-2009-domexusers.E01 > allocated.mac
> ils -m -o 63 nps-2009-domexusers.E01 > unalloc.mac
> copy allocated.mac + unalloc.mac bodyfile.mac
allocated.mac
unalloc.mac
        1 file(s) copied.
> mactime.pl -b bodyfile.mac > timeline.txt

The resulting timeline file is a glorious, reconstructed blow-by-blow account of activity on the subject file system. For more information on how to read it, see the TSK wiki page on the mactime output format.
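Tying the hashing, partition and timeline steps together, here is an added shell script; it is not from the original post or from the TSK project. It parses the MD5 out of img_stat and recomputes it over img_cat’s output, pulls the start sector of every real partition slot out of mmls (skipping the Meta and Unallocated rows), and builds an fls plus ils body file and a comma-separated mactime timeline for each partition. It assumes img_stat, img_cat, mmls, fls, ils and mactime are on PATH (on Windows mactime is the mactime.pl script and needs Perl, and md5sum comes from Git Bash as above); the function names and the C: mount label are our own choices.

```shell
#!/bin/sh
# tsk_timeline.sh: verify an E01 image against its embedded MD5, then build a
# mactime timeline for every file-system partition mmls reports.
# Added example, not code from the original post. Assumes the TSK command-line
# tools and md5sum are on PATH; all function names are ours.
set -eu

# Extract the acquisition MD5 from img_stat's text output (read from stdin).
# Prints nothing if the image carries no embedded hash (e.g. raw dd images).
embedded_md5() {
    awk '/^MD5 hash of data:/ { print tolower($NF) }'
}

# Recompute the MD5 over the data img_cat streams out of the container and
# compare it with the embedded value. Returns 0 on match, 1 on mismatch,
# 2 if no hash is embedded. A match only rules out corruption: whoever could
# rewrite the image could rewrite the header hash too.
verify_image() {
    image=$1
    expected=$(img_stat "$image" | embedded_md5)
    if [ -z "$expected" ]; then
        echo "no embedded hash in $image" >&2
        return 2
    fi
    actual=$(img_cat "$image" | md5sum | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# From mmls output (stdin) print "<start sector> <description>" for each row
# whose Slot column looks like NNN:NNN, i.e. a real partition entry. Meta and
# Unallocated rows have "Meta" or "-------" there and are skipped. Start is
# taken from column 3 and converted to a plain number (mmls zero-pads it).
fs_partitions() {
    awk '$2 ~ /^[0-9]+:[0-9]+$/ {
        desc = $6
        for (i = 7; i <= NF; i++) desc = desc " " $i
        printf "%d %s\n", $3 + 0, desc
    }'
}

# Body file for one partition: allocated files via fls -r -m, unallocated
# metadata entries via ils -m, then mactime renders it as CSV (-d).
# $3 is the mount-point label fls prefixes to every path.
timeline_partition() {
    image=$1
    offset=$2
    label=$3
    body="timeline_${offset}.body"
    fls -r -m "$label" -o "$offset" "$image" > "$body"
    ils -m -o "$offset" "$image" >> "$body"
    mactime -b "$body" -d > "timeline_${offset}.csv"
    echo "wrote timeline_${offset}.csv"
}

main() {
    image=$1
    if verify_image "$image"; then
        echo "embedded MD5 verified for $image"
    else
        echo "hash mismatch or absent for $image; stopping" >&2
        return 1
    fi
    mmls "$image" | fs_partitions | while read -r start desc; do
        echo "partition at sector $start: $desc"
        timeline_partition "$image" "$start" "C:"
    done
}

# Only run the pipeline when an image path is given, so the functions can be
# sourced and tested against saved tool output without touching an image.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as sh tsk_timeline.sh nps-2009-domexusers.E01. The parsing functions read standard input, so they can be checked against saved img_stat and mmls output before any image is opened, and a hash mismatch stops the run before a timeline is written. For a multi-partition image, pass a distinct label per partition instead of the fixed C: so the paths in the merged timeline stay unambiguous.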

Where to from here?

We’ve only just scratched the surface in this refresher. Next time we discuss forensics, we’ll look at some common sources of data for reconstructing application and OS-level user activity on Windows 10, and some ways to start automating this process at scale.

Sleuth Kit refresher - December 28, 2019 - Tom Stowell