The Sleuth Kit Part 4 – TSK and netcat

So here we are with Part 4 of The Sleuth Kit (TSK) series of posts I am doing. I hope you have learned something so far.

This post will cover the commands we already learned, but we will bring Netcat into the mix and cover
how we can turn TSK and netcat into an even more powerful tool set.

First you will need the latest version of TSK and you will also need a copy of netcat that will run on Windows.

So I went ahead and decided to hop on my Windows 7 machine and run a quick mmls against \.\PhysicalDrive0.

Silvrback blog image

As you can see we are dealing with an NTFS Partition here with a starting sector of 2048, which will come in handy when we are specifying our offset when we run fls.

Now, let's say we need to for whatever reason transfer some forensics information over the network real quick and we don't have time for whatever reason to send the entire disk drive over netcat using dd or another imaging tool.

I'm going to hop on my Macbook Pro and set up a netcat listener, which will allow us to send information to my Macbook from our Windows 7 machine.

So here we are setting up the netcat listener:

Silvrback blog image

What we are saying here is, nc (netcat) -l (listen) on 192.168.1.104 (My Macbook) via port 1234 and output anything that comes across this connection into fls.body.

Silvrback blog image

Now let's move over to the Windows machine and actually send the body file over the network onto the Macbook Pro (192.168.1.104).

Silvrback blog image

So here we are actually issuing the fls command with the arguments of -r, -p, -o, and -m. -r is for recursive, -p is to specify the file path, -o is the partition offset we discovered above by running the mmls command against \.\PhysicalDrive0, and -m is to specify the mactime format, which we will use to build our timeline. The nc -w 3 is to specify waiting 3 seconds before timing out.

Then we pipe that command through netcat. As you can see we are connecting to 192.168.1.133 on port 12345, which matches the information we specified on the Macbook when we created the netcat listener.

Ok, now it looks like everything is fine. Let's take a look at the file we sent over the wire.

Silvrback blog image

As you can see we successfully transferred it over to my Macbook by way of Netcat.

Next, you could run mactime against this and build a nice timeline of events like we did in Part III

This post was a bit shorter, but you would basically repeat the same type of steps for each command you wanted to run. So if you wanted to run icat or something like that you would basically replace fls with icat.