11 03 2012
The Sleuth Kit Part 3 – fls, mactime and icat
So here we are with Part 3 - fls. After receiving some feedback I have decided to use images that you all can download and follow along with. So, for this example we will use an image from Digital Corpora, specifically M57-Jean.
So go ahead and pull the image down and also pull down the slides. I will be using .E01
fls is a Sleuth Kit tool that is used to list files and directory names within an image. It operates at the file system layer. fls can also list file names of deleted files for a directory when the inode is supplied.
Go ahead and type fls into the command prompt without any other arguments. You should get something like this:
Missing image name
usage: fls [-adDFlpruvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-m dir/] [-o imgoffset] [-z ZONE] [-s seconds] image [images] [inode]
If [inode] is not given, the root directory is used
-a: Display “.” and “..” entries
-d: Display deleted entries only
-D: Display only directories
-F: Display only files
-l: Display long version (like ls -l)
-i imgtype: Format of image file (use ‘-i list’ for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use ‘-f list’ for supported types)
-m: Display output in mactime input format with
dir/ as the actual mount point of the image
-o imgoffset: Offset into image file (in sectors)
-p: Display full path for each file
-r: Recurse on directory entries
-u: Display undeleted entries only
-v: verbose output to stderr
-V: Print version
-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)
These are the different options we can choose from when we are working with fls. We won’t cover all of them here, but we will go over a few so you can get an idea of what kind of output they will produce. They are pretty self explanatory.
It appears to be working fine. Notice how we used the -o 63 to specify where the NTFS partition is located. The -i ewf is not required to run this command, but I want you to get used to these arguments. The offset argument is required. If you don’t supply the offset you will get an error that says, “Cannot determine file system type”. This makes since because it doesn’t know where the file system is located, which is what you’re telling it by passing the offset number.
Here is a portion of the output from the bodyfile we created. We specified the -r and -m arguments. The -r says to recurse the directory entries and the -m “/” tells it to display output in mactime input format with dir/ as the actual mount point of the image.
We are going to deviate a bit and use another tool within TSK called mactime. Mactime takes the output from fls (our bodyfile) and turns it into an ASCII timeline of file activity that’s human readable. In order to use mactime we needed to specify the -m when we ran the fls command above (which we did).
Here is what the output looks like after I opened it up using OpenOffice Spreadsheet.
So there we have a decent timeline of file system activity by way of using the fls command along with another Sleuth Kit tool called mactime.
searches against the image file.So here we are running a -r (recursive) search for only files (-F) at offest (-o) 63, which is the start of our NTFS partition. As we list these files we are grepping for anything with .xls.
So now we can run icat and also take an md5sum of it.
Now let’s open up this file in OpenOffice Spreadsheet and check it out.
Now, let’s verify that the file we extracted using icat matches the actual file in the image to ensure it wasn’t modified during our extraction process. To do this we will mount the image and then run an md5sum against the file.
Running this command will create a raw image (non-E01) in the /mnt/ewf directory. I moved it to my desktop for ease of use purposes.
Then we can create a “jean” directory under /mnt (mount). Once the directory is created we can mount the image using the mount command.
Now let’s run md5sum against the file. We knew the path to the file from the fls command above.
Looks like a match to me!
demonstrates how easy they are to use. Not to mention they are free.