System Forensics

All your artifacts are belong to us.

11 03 2012

The Sleuth Kit Part 3 – fls, mactime and icat

sysforensics | Digital Forensics, Forensic Artifacts, The Sleuth Kit, Timeline analysis

So here we are with Part 3 - fls. After receiving some feedback I have decided to use images that you all can download and follow along with. So, for this example we will use an image from Digital Corpora, specifically M57-Jean.

So go ahead and pull the image down and also pull down the slides. I will be using .E01

fls is a Sleuth Kit tool that is used to list files and directory names within an image. It operates at the file system layer. fls can also list file names of deleted files for a directory when the inode is supplied.

Go ahead and type fls into the command prompt without any other arguments. You should get something like this:

sansforensics@SIFT-Workstation:~$ fls
Missing image name
usage: fls [-adDFlpruvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-m dir/] [-o imgoffset] [-z ZONE] [-s seconds] image [images] [inode]
If [inode] is not given, the root directory is used
-a: Display “.” and “..” entries
-d: Display deleted entries only
-D: Display only directories
-F: Display only files
-l: Display long version (like ls -l)
-i imgtype: Format of image file (use ‘-i list’ for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use ‘-f list’ for supported types)
-m: Display output in mactime input format with
     dir/ as the actual mount point of the image
-o imgoffset: Offset into image file (in sectors)
-p: Display full path for each file
-r: Recurse on directory entries
-u: Display undeleted entries only
-v: verbose output to stderr
-V: Print version
-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)

These are the different options we can choose from when we are working with fls. We won’t cover all of them here, but we will go over a few so you can get an idea of what kind of output they will produce. They are pretty self explanatory.

Let’s get started.We will first start off by running an mmls command so we can look at the partition layout and figure out what the starting sector of our NTFS partition is going to be. If you notice I specified the -i (image type) argument to tell mmls that we are looking at an ewf (expert witness format – Encase) image.
As you can see from the mmls output our NTFS partition starts at sector 63, which will allow us to specify the -o (offset) argument when we start running the fls command against our image.Let’s go ahead and see if  fls will even work.

It appears to be working fine. Notice how we used the -o 63 to specify where the NTFS partition is located. The -i ewf is not required to run this command, but I want you to get used to these arguments. The offset argument is required. If you don’t supply the offset you will get an error that says, “Cannot determine file system type”. This makes since because it doesn’t know where the file system is located, which is what you’re telling it by passing the offset number.

One of the neat features that fls can do is generate a bodyfile. A bodyfile is an intermediate file that we can use when we are creating a timeline of file activity.So let’s see how to create a body file (note the command highlighted).

Here is a portion of the output from the bodyfile we created. We specified the -r and -m arguments. The -r says to recurse the directory entries and the -m “/” tells it to display output in mactime input format with dir/ as the actual mount point of the image.

We are going to deviate a bit and use another tool within TSK called mactime. Mactime takes the output from fls (our bodyfile) and turns it into an ASCII timeline of file activity that’s human readable. In order to use mactime we needed to specify the -m when we ran the fls command above (which we did).

Let’s go ahead and run mactime and convert our bodyfile into the ASCII timeline that’s easier to read.In this command I specified the -b (bodyfile to use) and -d (delimited output) so we can put it into a csv file and review it using Microsoft Excel or OpenOffice Spreadsheet, which is what I used most of the time for this. One item I didn’t include that you will want to do is specify the timezone using the -z argument. To get a list of additional arguments you can simply type, mactime in your command line and it will show you a list of them.

Here is what the output looks like after I opened it up using OpenOffice Spreadsheet.

So there we have a decent timeline of file system activity by way of using the fls command along with another Sleuth Kit tool called mactime.

Now that we have this file system activity let’s do a quick search against it and see if we can’t locate the m57plan.xlsx Excel file. I don’t see anything named this, so let’s just go back to using fls and do a couple
searches against the image file.So here we are running a -r (recursive) search for only files (-F) at offest (-o) 63, which is the start of our NTFS partition. As we list these files we are grepping for anything with .xls.

As you can see we got some hits. I am specifically interested in m57biz.xls. Let’s see what that file is by executing the icat command that’s bundled with TSK. icat has the ability to open our image and copy a file out. In order to do this we have to specify the files inode. In order to run icat we need to figure out what the inode location of the m57biz.xls file is. If you look at the output above you will see, “r/r 32712-128-3″. 32712 is the inode location.

So now we can run icat and also take an md5sum of it.

Now let’s open up this file in OpenOffice Spreadsheet and check it out.

If we reference the slides provided to us we will see that this excel file matches the one they provided. If you note the location of the file it’s located on Jean’s Desktop.

Now, let’s verify that the file we extracted using icat matches the actual file in the image to ensure it wasn’t modified during our extraction process. To do this we will mount the image and then run an md5sum against the file.

First let’s run mount_ewf.py so we can mount the E01 image we are using.

Running this command will create a raw image (non-E01) in the /mnt/ewf directory. I moved it to my desktop for ease of use purposes.

Then we can create a “jean” directory under /mnt (mount). Once the directory is created we can mount the image using the mount command.

Now let’s run md5sum against the file. We knew the path to the file from the fls command above.

Looks like a match to me!

Maybe at this time you could go back into the timeline we created and see if you can spot this Excel file someplace and maybe get an idea on how/when it was created, etc.
I won’t go into many details here, but from the looks of it you see Excel starting up. You can see the prefetch file was created from the excel.exe execution, you can see LNK files being created, you can see on Sun Jul 20 2008 at 1:28:03 that m57biz.xls has a MACB of ma..b, which translates to the file being modified, accessed, and created. Below that you see ..c., which is the MFT being modified. [1], etc.

At this point I am going to stop because I don’t want to ruin this case for anyone that might want to give this a try and actually find out all the answers based off the questions contained within the slides.
I think I have given you decent enough overview of how fls can be used, and how it can be useful within your investigation(s). I personally enjoy using command line tools. You might not, but hopefully this
demonstrates how easy they are to use. Not to mention they are free.

Tweet

References:

[1] http://wiki.sleuthkit.org/index.php?title=Mactime_output

, , , , , , ,

Comments are currently closed.

3 thoughts on “The Sleuth Kit Part 3 – fls, mactime and icat

Take the red pill and follow….

Recent Posts

Archives