System Forensics

All your artifacts are belong to us.

The Sleuth Kit Part 4 – TSK and netcat

So here we are with Part 4 of The Sleuth Kit (TSK) series of posts I am doing. I hope you have learned something so far, as I know I have. This one will be a bit shorter, but it might come in handy for you sometime.

This post will use the commands we already learned, but we will bring netcat into the mix and show how combining TSK with netcat makes an even more powerful tool set.

Let’s get started.

First you will need the latest version of TSK and you will also need a copy of netcat that will run on Windows.

So I went ahead and decided to hop on my Windows 7 machine and run a quick mmls against \\.\PhysicalDrive0.

As you can see we are dealing with an NTFS Partition here with a starting sector of 2048, which will come in handy when we are specifying our offset when we run fls.

Now, let’s say that for whatever reason we need to transfer some forensic information over the network quickly, and we don’t have time to send the entire disk drive over netcat using dd or another imaging tool.

I’m going to hop on my Macbook Pro and set up a netcat listener, which will allow us to send information to my Macbook from our Windows 7 machine.

So here we are setting up the netcat listener:

What we are saying here is: nc (netcat) -l (listen) on 192.168.1.104 (my MacBook) on port 1234, and redirect anything that comes across this connection into the file fls.body.

Now let’s move over to the Windows machine and actually send the body file over the network onto the Macbook Pro (192.168.1.104).

So here we are actually issuing the fls command with the arguments -r, -p, -o, and -m. -r is for recursive, -p prints the full path of each entry, -o is the partition offset we discovered above by running mmls against \\.\PhysicalDrive0, and -m selects the mactime (body) output format, which we will use to build our timeline. The nc -w 3 tells netcat to time out after 3 seconds.

Then we pipe that command through netcat. As you can see we are connecting to 192.168.1.133 on port 12345, which matches the information we specified on the Macbook when we created the netcat listener.

Ok, now it looks like everything is fine. Let’s take a look at the file we sent over the wire.

As you can see, we successfully transferred it over to my MacBook by way of netcat.

Next, you could run mactime against this file and build a nice timeline of events like we did in Part 3.

This post was a bit shorter, but you would basically repeat the same type of steps for each command you wanted to run. So if you wanted to run icat or something like that, you would simply replace fls with icat in the pipeline.

Note: If you’re going to be sending files over the wire, ensure you run MD5 comparisons on both ends to verify their integrity.
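The mmls, fls and netcat steps above as an added example script (not from the original post): it reads the NTFS start sector out of mmls output, wraps the listener and the fls | nc pipeline in functions, and adds the MD5 comparison the note recommends. The sample mmls output is constructed, the "-m C:" mount prefix and the BSD-style "nc -l host port" syntax are assumptions, and the sender function assumes a host with TSK and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original post: the mmls -> fls -> netcat workflow
# wrapped in small functions, plus the MD5 check the post recommends.
# Assumes TSK (mmls, fls) and a BSD-style nc (macOS: "nc -l host port") are on
# PATH for the real run; the parsing and hashing helpers run without them.

# Constructed mmls output (not a real capture): one NTFS partition at sector 2048.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0041940991   0041938944   NTFS / exFAT (0x07)'

# Read mmls output on stdin and print the start sector of the first NTFS
# partition, i.e. the value to pass to fls -o (leading zeros stripped).
ntfs_offset() {
  awk '/NTFS/ { sub(/^0+/, "", $3); print $3; exit }'
}

# Portable MD5 of a file: md5sum on Linux, md5 -q on macOS.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
  else md5 -q "$1"; fi
}

# Receiver (the MacBook in the post): listen once, save the body file, hash it.
receive_body() {          # usage: receive_body 192.168.1.104 1234 fls.body
  nc -l "$1" "$2" > "$3" && md5_of "$3"
}

# Sender (any host with TSK and a POSIX shell): stream the fls body file to the
# listener while keeping a local copy to hash. "-m C:" is an assumed mount
# prefix; use whatever prefix your timeline needs.
send_body() {             # usage: send_body 2048 192.168.1.104 1234 /dev/sda
  fls -r -p -o "$1" -m "C:" "$4" | tee body.local | nc -w 3 "$2" "$3"
  md5_of body.local
}

# Compare the sender's and receiver's digests; status 0 means the copy is intact.
verify_transfer() {
  [ "$1" = "$2" ]
}
```

Run receive_body on the listener first, then send_body on the acquisition host, and feed the two printed digests to verify_transfer.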
If you want to see something specific, please drop a comment and I would be happy to build a scenario around it.

Thanks for reading.


2 thoughts on “The Sleuth Kit Part 4 – TSK and netcat”

  • hey man, you might want to use cryptcat when sending a forensic capture over the wire to prevent someone from sniffing and copying the data while it’s being transferred.

    • Thanks for your comment. That’s a good point. I was looking at wrapping it up in OpenSSH or something like that, but didn’t get around to it. Cryptcat looks interesting, and maybe the better/easier alternative. Thanks for sharing. This is one of the main reasons I post. I enjoy getting this kind of great feedback. I wish more people commented.