The Sleuth Kit Part 2 – mmls and mmstat

Ok, this is part two of The Slueth Kit (TSK) series. Here is a link to Part 1 if you missed it.

This blog post is going to cover the Media Management layer as Brian Carrier likes to refer to it as. Another way of thinking about the media management layer is "partitions"; however, you will see the tools named "mm" for media management - hence "mmls", "mmstat" and "mmcat".

I'm sure most of you know how to do this already, but I wanted to cover it in case people that are new to linux, etc. come across this post.

Silvrback blog image

So let's start off by figuring out what type of system volume type we have. TSK has a tool for that and it's called mmstat. mmstat simply displays the system volume information. In this case it's dos.

Silvrback blog image

mmls:

Silvrback blog image

Let's break down the output and then we can break down the actual command we ran. We will start from left to right.

The first column where you see 00: 01: 02: 03: is simply an index.

The Slot column: shows the location in the media management structures where the partition entries came from. As an example, where we see the NTFS partition it has a slot number of 00:00, which means it is the first entry in the first partition table. If we had another partition it would be labeled: 01:00 and it would be the first entry in the second partition.

Start, End and Length are all in sectors. One benefit of the mmls output is that the length is given to you, so you don't have to subtract the ending and starting addresses when you run dd or a similar imaging tool. So in our example the NTFS length is calculated by taking 62,912,511 - 2048 and then adding 1 to it, which gives you 62,910,464. You're required to add +1 because when you subtract the starting sector from the ending sector it takes the difference between two numbers, but we need to include the last number. The example Brian Carrier gives in his book, File System Forensic Analysis is: Consider where a partition starts in sector 2 and ends in sector 4. It's size is "3". +1 for the start at 2, +1 for it being located in 3, and +1 for it ending in sector 4. If you take 4 - 2 you get, 2, but since it's actually 3, you need to add +1 to 2, which gives you 3.

Lastly the Description shows you what kind of partition it is. In our case we have some Unallocated partitions and also the NTFS partition.

Now for the actual command; mmls -t dos part2

The -t is an argument within mmls is used to specify the media management type. In our case, we ran mmstat against our image and it came back with, "dos". So I fed -t dos into the mmls command. mmls supports multiple partition types and you can find out which ones it supports by typing, mmls -t list:

Silvrback blog image

You can see below we use the -i and -t command together. The output is the same. The -i raw is just telling mmls that we have a single raw image file. If you do a -i list you will see that mmls supports: raw, aff, afd, afm, afflib, ewf, and split.

When running it against vmdk files use the -i afflib or aff. AFF stands for the Advanced Forensics Format. You can read more about afflib here.

Silvrback blog image

Let's go over a few more of those arguments. The first command we are going to run here is with the -a argument. -a tells mmls to only spit out the allocated volumes. As you can see from above, the only allocated volume was the NTFS one. So, when we run mmls -a part2 it's only giving us that back. Likewise with the -(capital)A, it's only giving us the unallocated volumes. And finally, -m is going to show us metadata volumes. You can also run -(capital)M and it will hide the metadata volumes during it's output.

Silvrback blog image

So why not use fdisk? Well, see the below fdisk output.

fdisk:

Silvrback blog image

As you can see right off away the content that's provided with mmls is much better. fdisk doesn't even show us the unallocated spaces. We also don't get the calculated length either without having to do some math.

So you're probably wondering what kind of useful information we can get from the mmls output from above and actually apply it to good use. Actually we can get some pretty good information.

  • We get a good idea as to what the partition layout is for the specific image.
  • We find out what the drive is using - 512-byte sectors
  • We can calculate the offset of the partitions and use a tool like dd to extract them for analysis. Or we can use the mount command with loop and mount it directly.
  • Maybe you don't even know what type of image you have. If you run mmstat it will spit the system volume type, which in our case was dos.

Let's take 1,2, and 3 and put them to work so you can walk away with something useful.

First we are going to run mmls against our image. Now we know the starting sector and we also know that they are in 512-byte sectors. Once we have both of these we can calculate our offset. Below I use just a quick echo command to calculate the offset so I don't have to pull up a calculator. Command line is good. Gui is evil. ;)

Silvrback blog image

So now that we know that our offset for the ntfs partition is 1,048,576 we can feed that into the mount command and mount our image for analysis - sudo mount -t ntfs -ro no,exec,loop,offset=1048576 part2 /mnt/windows_mount

Silvrback blog image

Then you see that we run the ls command in the directory that we mounted our image and we can see our windows box.

Let's cd into the /Users/[Your username]/AppData/Local/Microsoft/Windows/History/History.IE5 and checkout some index.dat files or something.

Ok, now that we are in the History.IE5 directory let's run pasco against some index.dat files.

In this case it's the MSHist012012012329120124/index.dat, which indicates this started on 01/23/2012 and ended 01/24/2012. This makes sense based on the times in the index.dat file.

Silvrback blog image

So yeah, there is a practical example of how a simple command like mmls and mmstat can lead to something larger. Another cool thing is we never left the command line once! See, it's not so bad.