The Sleuth Kit (TSK)
Version 4.9.0
Overview
• Autopsy vs. The Sleuth Kit
• The layers of the TSK architecture
• The tools provided by each layer of TSK
https://www.sleuthkit.org/sleuthkit/desc.php
TSK Layers
• Base layer: error handling, types, and convenience functions
• Disk Image layer: can open and process disk images in various formats
• Hash Database layer: creates an index of hashes and performs fast lookups of them
• Volume System layer: processes data as a volume system, e.g., DOS partition tables
• File System layer: processes data as a file system, such as FAT or NTFS
• Automation layer: integrates all of the previous layers
File System Layers
• File System category: describes the layout and general features of the file system. Allows others to read and write.
• Content category: data units (i.e. blocks and clusters)
• Metadata category: describes files and directories
  • inode structures in UNIX
  • MFT entries in NTFS
  • directory entry structures in FAT
• File Name category: file and directory names (FAT file system = FileName + Metadata)
• Application category: non-essential file system data
  • journals that record file system updates
  • lists that record what files have recently been updated
[Figure: a file foo.txt on disk; the file name points to metadata (inode 27, size: 10 Bytes, date: 1/1/23), and the metadata points to the data sectors; the name, metadata and content are drawn as separate envelopes]
Implication: We can directly read metadata and content without using file systems
https://github.com/sleuthkit/sleuthkit/wiki/The_Sleuth_Kit_commands
TSK Tools
Image Files
• img_stat: This tool will show the details of the image format.
• img_cat: This tool will show the raw contents of an image file.
Disk Tools
• disk_sreset: This tool will temporarily remove a Host Protected Area (HPA) if one exists. After the disk is reset, the HPA will return.
• disk_stat: This tool will show if an HPA exists.
• mmls: Displays the layout of a disk, including the unallocated spaces.
• mmstat: Displays details about a volume system (typically only the type).
• mmcat: Extracts the contents of a specific volume to STDOUT.
• tsk_comparedir: Compares a local directory hierarchy with the contents of a raw device (or disk image). This can be used to detect rootkits.
• tsk_gettimes: Extracts all of the temporal data from the image to make a timeline. Equivalent to running fls with the '-m' option.
• tsk_loaddb: Loads the metadata from an image into a SQLite database. This allows other tools to be easily written in a variety of languages and gives them access to the image contents.
• tsk_recover: Extracts the unallocated (or allocated) files from a disk image to a local directory.
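The bodyfile that tsk_gettimes (or fls -m) writes is only useful once it is sorted and the deleted entries are flagged. The script below is an added example, not part of the original slides or of TSK itself; the sample bodyfile lines are constructed, and the inode numbers and names in them are made up.

```shell
#!/bin/sh
# Added example, not from the original slides: build a readable timeline from
# bodyfile output, the pipe-delimited format written by `fls -m / -r image.dd`
# (or `tsk_gettimes image.dd`). Needs only POSIX sh, awk and sort.
#
# Bodyfile fields:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# fls appends " (deleted)" to the name of an unallocated (deleted) entry.

# Constructed sample standing in for real `fls -m` output.
SAMPLE_BODYFILE='0|/letter1.txt (deleted)|15|r/rrwxrwxrwx|0|0|1034|1672531200|1672531200|1672531200|1672531200
0|/INCOME.XLS|13|r/rrwxrwxrwx|0|0|20480|1672617600|1672617600|1672617600|1672617600
0|/readme.txt|12|r/rrwxrwxrwx|0|0|88|1672444800|1672444800|1672444800|1672444800'

# timeline <bodyfile-text>
# One line per entry, oldest modification (field 9, mtime) first:
#   <mtime epoch> <inode> <A|D> <size> <name>
# A = allocated name, D = deleted (unallocated) name.
timeline() {
    printf '%s\n' "$1" |
    sort -t '|' -k9,9n |
    awk -F '|' '{
        status = ($2 ~ /\(deleted\)$/) ? "D" : "A"
        printf "%s %s %s %s %s\n", $9, $3, status, $7, $2
    }'
}

# deleted_count <bodyfile-text> : how many entries carry the (deleted) marker
deleted_count() {
    printf '%s\n' "$1" | awk -F '|' '$2 ~ /\(deleted\)$/ { n++ } END { print n + 0 }'
}

# With a real image: timeline "$(fls -m / -r image.dd)"
timeline "$SAMPLE_BODYFILE"
```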
File System Tools
• fsstat: Shows file system details and statistics including layout, sizes, and labels.
• blkcat: Extracts the contents of a given data unit.
• blkls: Lists the details about data units and can extract the unallocated space of the file system.
• blkstat: Displays the statistics about a given data unit in an easy-to-read format.
• blkcalc: Calculates where data in the unallocated space image (from blkls) exists in the original image. This is used when evidence is found in unallocated space.
• ffind: Finds allocated and unallocated file names that point to a given meta data structure (inode).
• fls: Lists allocated and deleted file names in a directory.
• icat: Extracts the data units of a file, which is specified by its meta data address (instead of the file name).
• ifind: Finds the meta data structure that has a given file name pointing to it or the meta data structure that points to a given data unit.
• ils: Lists the meta data structures and their contents in a pipe delimited format.
• istat: Displays the statistics and details about a given meta data structure in an easy-to-read format.
Examine a file in a USB image using TSK: a deleted file, letter1.txt
1. Download a USB image.
2. img_stat: show the details of the image format.
3. fsstat: show file system details and statistics including layout, sizes, and labels.
4. fls: list allocated and deleted file names in a directory (-d displays deleted entries only).
5. Recover deleted files using the inode without specifying a file name: icat extracts the data units of letter1.txt (inode 15).
6. istat: display the statistics and details about a given meta data structure, including its sector numbers.
7. blkcat: extract the contents of a given data unit (a sector number from istat).
8. blkls: list the details about data units and extract the unallocated space of the file system.
9. blkcat -h: extract the contents of a given data unit in hex.
What is the size of the sector?
echo "$((16#1ff))"
(prints 511: 0x1ff is the last byte offset within a 512-byte sector)
Show a file with multiple sectors.
Is it possible to use icat to recover a file?
icat disk_image.dd 13 > output_file.txt
(icat writes the file content to STDOUT, so the recovered file is captured with a redirect; icat's own -o option is the sector offset of the file system inside the image, not an output path.)
Mounting a USB image
--partscan: This option tells losetup to scan the partition table in the specified disk image (Ch01InChap01.dd) and automatically create loop devices for each partition found. This is useful when dealing with disk images that contain multiple partitions.
--find: This option instructs losetup to find the first available loop device. When combined with --show, it ensures that the command displays the path of the loop device that is being used.
Steps:
• Mount the USB image.
• Show the image content.
• Show the mounted path (student is your account name).
• Show the disk content.
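Whether you hand a partition to fsstat/fls/icat with -o or mount it, you need the partition's start from mmls: TSK's -o takes it in sectors, mount's offset= takes it in bytes. The script below is an added example, not from the original slides; its mmls listing is constructed (one FAT16 partition starting at sector 63) and image.dd / /mnt/usb are placeholder names.

```shell
#!/bin/sh
# Added example, not from the original slides: derive the offsets that the TSK
# `-o` option (sectors) and `mount -o offset=` (bytes) expect from an mmls listing.
# The listing below is constructed; real output comes from `mmls image.dd`.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000204799   0000204737   DOS FAT16 (0x06)'

# sector_size <mmls-text> : unit size taken from the "Units are in N-byte sectors" line
sector_size() {
    printf '%s\n' "$1" | awk '/^Units are in/ { sub(/-byte.*/, "", $4); print $4; exit }'
}

# start_sector <mmls-text> <entry> : Start column of the entry numbered e.g. 002
start_sector() {
    printf '%s\n' "$1" | awk -v e="$2:" '$1 == e { print $3 + 0; exit }'
}

# byte_offset <mmls-text> <entry> : start sector * sector size, what mount needs
byte_offset() {
    echo "$(( $(start_sector "$1" "$2") * $(sector_size "$1") ))"
}

# Print the commands for the partition in entry 002 (image.dd, /mnt/usb are placeholders).
PART=002
OFF=$(start_sector "$SAMPLE_MMLS" "$PART")
echo "fsstat -o $OFF image.dd        # file system details of that partition"
echo "fls -o $OFF -rd image.dd       # deleted names in that partition"
echo "mount -o ro,loop,offset=$(byte_offset "$SAMPLE_MMLS" "$PART") image.dd /mnt/usb"
# Alternative to computing bytes by hand: let losetup create a device per partition.
echo "losetup --partscan --find --show --read-only image.dd   # then mount /dev/loopNp1 read-only"
```

Mounting read-only (ro, or losetup --read-only) keeps the image's timestamps and unallocated space unchanged for the later TSK steps.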
Data Recovery Tools
1. Open-source tools (free)
2. Professional tools (mostly paid)
Open-source partition and file recovery tool (menu-driven):
1- Select > Proceed
2- Select type > {file system = FAT16: select Intel}
3- Select list > Advanced
4- Use C to copy files to a folder on the device
Open-source file recovery tool (graphical workflow):
1) Select the disk or file
2) Specify the type of files you want (e.g., JPG, PNG…)
3) Choose the save folder
4) It starts extracting the files directly to the folder
Command-line file carver options:
1) -t jpg to extract images only
2) -i specifies the disk image
3) -o specifies the output folder
Professional tool: download and install R-Studio for Linux
Assignment (part 1)
1. How many deleted files are in the disk image Ch01InChap01.dd?
• Show evidence
2. Retrieve INCOME.XLS from the dd image
• Using fls
• Using icat
• Using blkcat
• Show the .xls content
• Verify all three recovered files are the same
Assignment (part 2): Try one new command
Pick any new command we have not covered in the class
• What are the inputs?
• What are the outputs?
• Explain each command.
• Capture all screenshots.
• If you use your own inputs, upload them