Welcome to Part III. After receiving some feedback I have decided to use images that you all can download and follow along with. So, for this example we will use an image from Digital Corpora, specifically M57-Jean.
So go ahead and pull the image down and also pull down the slides. I will be using .E01
fls is a Sleuth Kit tool that is used to list files and directory names within an image. It operates at the file system layer. fls can also list file names of deleted files for a directory when the inode is supplied.
Go ahead and type fls into the command prompt without any other arguments and read the output to get an idea of what kind of command options you have.
We will first start off by running an mmls command so we can look at the partition layout and figure out what the starting sector of our NTFS partition is going to be. Notice that I specified the -i (image type) argument to tell mmls that we are looking at an EWF (Expert Witness Format, the EnCase image format) image.
As you can see from the mmls output our NTFS partition starts at sector 63, which is the value we will pass to the -o (offset) argument when we start running the fls command against our image. Let's go ahead and see if fls will even work.
It appears to be working fine. Notice how we used -o 63 to specify where the NTFS partition is located. The -i ewf is not required to run this command, but I want you to get used to these arguments. The offset argument is required. If you don't supply the offset you will get an error that says, "Cannot determine file system type". This makes sense because fls doesn't know where the file system is located, which is exactly what you're telling it by passing the offset number.
One of the neat features of fls is that it can generate a bodyfile. A bodyfile is an intermediate file that we can use when we are creating a timeline of file activity. So let's see how to create a bodyfile (note the command highlighted).
Here is a portion of the output from the bodyfile we created. We specified the -r and -m arguments. The -r says to recurse the directory entries and the -m "/" tells it to display output in mactime input format with dir/ as the actual mount point of the image.
We are going to deviate a bit and use another tool within TSK called mactime. Mactime takes the output from fls (our bodyfile) and turns it into an ASCII timeline of file activity that's human readable. In order to use mactime we needed to specify the -m when we ran the fls command above (which we did).
Let's go ahead and run mactime and convert our bodyfile into the ASCII timeline that's easier to read.
In this command I specified -b (bodyfile to use) and -d (delimited output) so we can put it into a CSV file and review it using Microsoft Excel or OpenOffice Spreadsheet, which is what I used most of the time for this. One item I didn't include that you will want to do is specify the timezone using the -z argument; without it mactime renders the timestamps in your machine's local timezone rather than the one the evidence machine was set to. To get a list of additional arguments you can simply type mactime in your command line and it will show you a list of them.
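To make the bodyfile-to-timeline step concrete, here is a small Python script written for this post (it is an added example, not code from The Sleuth Kit) that parses constructed bodyfile lines in the format fls -m writes and emits the same kind of timeline mactime -d produces, including the m/a/c/b flag column. The sample file names, inode addresses and timestamps are made up for the illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample lines in the TSK bodyfile format that `fls -r -m "/"` writes:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, 0 = unset)
SAMPLE_BODYFILE = """\
0|/Documents and Settings/Jean/Desktop/m57biz.xls|32712-128-3|r/rrwxrwxrwx|0|0|12288|1216560483|1216560483|1216560490|1216560483
0|/WINDOWS/Prefetch/EXCEL.EXE-CONSTRUCTED.pf|9001-128-1|r/rrwxrwxrwx|0|0|52000|1216560460|1216560460|1216560460|1216560460
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")
# mactime prints the four timestamps in this order: modified, accessed, changed (MFT), born
MACB_ORDER = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

def parse_bodyfile(text):
    """Parse bodyfile lines into dicts; skip blank lines and lines with the wrong field count."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def build_timeline(text, tz=timezone.utc):
    """Return (datetime, size, macb, mode, inode, name) tuples, one per distinct timestamp per file."""
    events = []
    for r in parse_bodyfile(text):
        by_time = {}
        for field, letter in MACB_ORDER:
            t = int(r[field])
            if t:  # a zero timestamp means "not set", so mactime emits no row for it
                by_time.setdefault(t, set()).add(letter)
        for t, letters in by_time.items():
            # letters present at this instant keep their slot, the rest become '.' (e.g. "ma.b", "..c.")
            macb = "".join(l if l in letters else "." for _, l in MACB_ORDER)
            events.append((datetime.fromtimestamp(t, tz), int(r["size"]), macb, r["mode"], r["inode"], r["name"]))
    return sorted(events, key=lambda e: (e[0], e[5]))

def timeline_csv(text, tz=timezone.utc):
    """Render the timeline as CSV, the way mactime -d does, for review in a spreadsheet."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Date", "Size", "Type", "Mode", "Meta", "File Name"])
    for when, size, macb, mode, inode, name in build_timeline(text, tz):
        w.writerow([when.strftime("%a %b %d %Y %H:%M:%S"), size, macb, mode, inode, name])
    return buf.getvalue()

if __name__ == "__main__":
    print(timeline_csv(SAMPLE_BODYFILE))
```

Pass a different tz (for example timezone(timedelta(hours=-5))) to build_timeline to see why the -z argument matters: the same epoch values render as different clock times.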
Here is what the output looks like after I opened it up using OpenOffice Spreadsheet.
So there we have a decent timeline of file system activity by way of using the fls command along with another Sleuth Kit tool called mactime.
Now that we have this file system activity let's do a quick search against it and see if we can't locate the m57plan.xlsx Excel file. I don't see anything named this, so let's just go back to using fls and do a couple searches against the image file.
So here we are running a recursive (-r) search for only files (-F) at offset (-o) 63, which is the start of our NTFS partition. As we list these files we are grepping for anything with .xls in the name.
As you can see we got some hits. I am specifically interested in m57biz.xls. Let's see what that file is by executing the icat command that's bundled with TSK. icat has the ability to open our image and copy a file out, but to do that we have to give it the file's inode, so first we need to figure out what the inode of m57biz.xls is. If you look at the output above you will see,
- r/r 32712-128-3
- 32712 is the inode location (the MFT entry number); the trailing 128-3 is how TSK identifies the $DATA attribute within that entry.
So now we can run icat and also take an md5sum of it.
Now let's open up this file in OpenOffice Spreadsheet and check it out.
If we reference the slides provided to us we will see that this Excel file matches the one they provided. If you note the location of the file, it's located on Jean's Desktop.
Now, let's verify that the file we extracted using icat matches the actual file in the image to ensure it wasn't modified during our extraction process. To do this we will mount the image and then run an md5sum against the file.
First let's run mount_ewf.py so we can mount the E01 image we are using.
Running this command will create a raw image (non-E01) in the /mnt/ewf directory. I moved it to my desktop for ease of use purposes.
Then we can create a "jean" directory under /mnt (mount). Once the directory is created we can mount the image using the mount command.
Now let's run md5sum against the file. We knew the path to the file from the fls command above.
Looks like a match to me!
Maybe at this time you could go back into the timeline we created and see if you can spot this Excel file someplace and maybe get an idea on how/when it was created, etc.
I won't go into many details here, but from the looks of it you see Excel starting up. You can see the prefetch file being created from the excel.exe execution, you can see LNK files being created, and you can see on Sun Jul 20 2008 at 1:28:03 that m57biz.xls has a MACB of ma.b, which translates to the file being modified, accessed, and created (born) at that moment. Below that you see ..c., which is the MFT entry being modified, and so on.
At this point I am going to stop because I don't want to ruin this case for anyone that might want to give this a try and actually find out all the answers based off the questions contained within the slides.
I think I have given you a decent enough overview of how fls can be used, and how it can be useful within your investigation(s). I personally enjoy using command line tools. You might not, but hopefully this demonstrates how easy they are to use. Not to mention they are free.