
System Forensics, Investigation, and Response Day 1-3

Day 3

Grab - GUI Imaging Interface..104

  • Adepto/Grab..105

Linux Media Analysis..108

  • Linux Media Analysis Using Open Source Toolkits..109

Critical Tool Overview..110

  • Critical Tools Overview - Hex Editors..111
  • KHexedit and WinHex..112
  • Critical Tools Overview - file..114

Identifies a file's type from its content, not its name: the first bytes are matched against the magic database, a list of known byte signatures that is the same from system to system. The compiled database usually lives at /usr/share/misc/magic.mgc or /usr/share/file/magic (file -v prints the path actually in use).

Usage:

file <filename>

0:25:00

/usr/share/backgrounds/images/earthfromspace.jpg
/usr/share/backgrounds/images/stonebird.jpg

Both start with the same byte string (the JPEG SOI marker, FF D8 FF), which is how file recognises them without looking at the name or extension.

Thought process number 1.

Look for the header, then look for the footer (FF D9 for JPEG). Everything in between is the image. This is the basis of file carving.

Side note: the Microsoft JPEG rendering vulnerability (the 2004 GDI+ bug, MS04-028) was a heap overflow in the comment (COM) segment. A segment's 16-bit length field counts its own two bytes, so the parser always computed length - 2 to get the comment size; a length of 0 or 1 wraps around to a huge unsigned value (an integer underflow), which was then used as the copy length.
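The two ideas above, carving by header/footer and the segment-length check the vulnerable parser lacked, as an added example that is not part of the course notes. The byte buffer DISK and the two JPEG fragments are constructed test data, not bytes from any real image; the marker and length layout is the standard JPEG one.

```python
# Added example, not from the course notes: carve JPEGs out of a raw
# buffer by header/footer, then parse marker segments with the length
# check the notes' Microsoft bug lacked. DISK, GOOD_JPEG and EVIL_JPEG
# are constructed test data, not bytes from any real image.
import struct

SOI = b"\xff\xd8\xff"   # every JPEG starts FF D8 FF (the shared "starting byte string")
EOI = b"\xff\xd9"       # end-of-image marker used as the footer


def carve_jpegs(buf: bytes):
    """Return (start, end) spans of each header..footer run in buf (thought process 1)."""
    spans, pos = [], 0
    while True:
        start = buf.find(SOI, pos)
        if start < 0:
            break
        end = buf.find(EOI, start + len(SOI))
        if end < 0:
            break                       # header without footer: truncated, skip
        spans.append((start, end + len(EOI)))
        pos = end + len(EOI)
    return spans


def com_payload_len_vulnerable(length_field: int) -> int:
    """The buggy arithmetic. A JPEG segment length counts its own two bytes,
    so the payload is length-2; with a field value of 0 or 1 this wraps
    (unsigned 32-bit) to a huge copy length."""
    return (length_field - 2) & 0xFFFFFFFF


def com_payload_len_checked(length_field: int) -> int:
    """Hardened: a segment length that cannot cover its own two bytes is invalid."""
    if length_field < 2:
        raise ValueError(f"invalid segment length {length_field}")
    return length_field - 2


def parse_segments(jpeg: bytes):
    """Walk marker segments after SOI up to SOS/EOI, returning (marker, payload_len)."""
    segs, pos = [], 2                   # skip FF D8
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):     # EOI or start-of-scan: entropy-coded data follows
            break
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (length_field,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segs.append((marker, com_payload_len_checked(length_field)))
        pos += 2 + length_field         # marker (2) + length (which includes its own 2 bytes)
    return segs


def segments_ok(jpeg: bytes) -> bool:
    """True if every segment length is sane, False if the checked parser rejects the file."""
    try:
        parse_segments(jpeg)
        return True
    except ValueError:
        return False


# Constructed data: a valid JPEG with a 5-byte COM ("hello"), then a hostile one
# whose COM length field is 1.
GOOD_JPEG = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello" + EOI
EVIL_JPEG = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 1) + EOI
DISK = b"\x00" * 37 + GOOD_JPEG + b"slack" + EVIL_JPEG + b"\x00" * 9

if __name__ == "__main__":
    for start, end in carve_jpegs(DISK):
        img = DISK[start:end]
        print(f"JPEG at {start}-{end}: segments ok = {segments_ok(img)}")
    print(hex(com_payload_len_vulnerable(1)))   # 0xffffffff: the overflow copy length
```

Header/footer carving is only a first cut: FF D9 can occur inside a COM payload or an embedded EXIF thumbnail, so a carver that walks the segments (as parse_segments does) finds the true end of the image more reliably than a blind footer search.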

  • Critical Tools Overview - strings..116

Prints runs of 4 or more printable ASCII characters (-n changes the minimum). To also list each string's decimal byte offset in the image:

strings --radix=d dev_sda6.img

byte offset –> block number –> inode number –> metadata –> filename

byte offset / block size = block number (integer division; fsstat reports the block size)

The file size and block pointers are stored in the inode (metadata layer); the filename is stored in the directory entry (filename layer). Neither is in the data block itself.

The data layer is comprised of data blocks.

  1. Identify the block the string sits in.
  2. Find the inode number that points at that block (ifind).
  3. Then find the filename that references that inode (ffind).
  • Critical Tools Overview - srch_strings..118
  • Critical Tools Overview - grep..119
  • strings Example..122
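The first step of that chain, strings with decimal offsets and the byte offset to block number conversion, as an added example that is not from the course notes. IMAGE is a constructed three-block buffer with a planted string; 4096 is the ext2/ext3 block size used throughout these notes.

```python
# Added example, not from the course notes: a minimal `strings --radix=d`
# plus the byteoffset -> block number step. IMAGE is a constructed
# 3-block buffer; 4096 is the ext2/ext3 block size used in the notes.
BLOCK_SIZE = 4096
PRINTABLE = frozenset(range(0x20, 0x7F))   # printable ASCII, what strings looks for


def find_strings(data: bytes, min_len: int = 4):
    """Yield (decimal_offset, text) for every run of >= min_len printable bytes."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            yield start, bytes(data[start:i]).decode("ascii")
        start = None
    if start is not None and len(data) - start >= min_len:
        yield start, bytes(data[start:]).decode("ascii")


def block_of(offset: int, block_size: int = BLOCK_SIZE) -> int:
    """byteoffset / blocksize = block number (the data unit dcat, dstat and ifind -d take)."""
    return offset // block_size


def locate(data: bytes, needle: str, block_size: int = BLOCK_SIZE):
    """For each string containing needle: (byte offset, block number, offset inside block)."""
    return [(off, block_of(off, block_size), off % block_size)
            for off, text in find_strings(data) if needle in text]


# Constructed image: three zero-filled blocks with a passwd line planted in block 2
# and a 3-character run that is too short for strings to report.
IMAGE = bytearray(3 * BLOCK_SIZE)
PLANTED = b"root:x:0:0:root:/root:/bin/bash"
IMAGE[2 * BLOCK_SIZE + 100:2 * BLOCK_SIZE + 100 + len(PLANTED)] = PLANTED
IMAGE[100:103] = b"ab!"

if __name__ == "__main__":
    for off, text in find_strings(IMAGE):
        print(off, text)                         # same shape as strings --radix=d output
    print(locate(IMAGE, "root"))                 # [(8292, 2, 100)]
```

The block number from block_of is what you hand to dcat to view the block and to ifind -d to find the owning inode; the offset inside the block tells you where in dcat's output to look.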

Linux Media Analysis: The Sleuth Kit..123

  • The Sleuth Kit Programs..126

File System Layer..133

  • fsstat..134

fsstat dev_sda6.img | less

  • fsstat - FAT Image..135
  • fsstat - NTFS Image..138
  • fsstat Examples

Data Layer

  • dstat..142

dstat gives Allocated or Unallocated for a data unit

dstat dev_sda6.img 368055
  • dcat..143

dcat displays contents of a data unit

dcat dev_sda6.img 368055 |less

for hex display:

dcat -h dev_sda6.img 368055 |less
  • dls..145

Copies out the contents of unallocated data units (by default).

  1. -e every block, allocated or not
  2. -l list details (allocation status per block, like dstat) instead of copying contents
  3. -s slack space only (little use on ext2/ext3: the kernel zero-fills the unused tail of a file's last block, so there is essentially nothing to recover there)

Extract all unallocated data:

dls dev_sda6.img > dev_sda6.dls

List the details of every block, allocated or not, between 8000 and 9000:

dls -el dev_sda6.img 8000-9000
  • Extracting Slack Space..148
  • dcalc..149

Because dls drops the allocated blocks, a block's position in the dls output no longer matches its address in the image. dcalc -u converts a dls (unallocated) address back to the original block address (dcalc -d goes the other way, image address to dls address):

dcalc -u 233429 dev_sda6.img

gives:

368055
  • lazarus..150

From The Coroner's Toolkit: runs file against every single data block (e.g. of a dls output) and groups the blocks by recognised type, so unallocated space can be browsed by content.

  • foremost..156

Carves files out of a raw image or dls output by matching the file headers (and, where known, footers and maximum sizes) listed in its configuration file, and sorts the results into one directory per type.

mkdir /images/unixforensics/foremost_gzip   (create the output directory first)
foremost -o /images/unixforensics/foremost_gzip -c /usr/local/src/foremost.conf dev_sda6.dls

A carved file may need its 13th block removed: on ext2/ext3 a file's 13th block (index 12, counting from 0) is the indirect block holding further block pointers, not content, and when the file is deleted it becomes unallocated along with the data and lands inside the carved run. In the example, open the file in khexedit, go to offset blocksize(4096)*12 and delete blocksize(4096) bytes.

In audit.txt the gzip file is listed at byte offset 98304. Convert that back to an image block:

98304/4096=24   (block number within the unallocated dls output)
dcalc -u 24 dev_sda6.img
8171   (block number in the original image)
  • Add the .gz File Type to foremost..160
  • Data Layer Review..163
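The data-layer steps above (dls, dcalc -u and -d, the foremost offset conversion, dropping the indirect block, and the per-block file check that lazarus performs), as an added example that is not from the course notes. The 12-block image, its allocation bitmap and the planted gzip and ELF headers are constructed; on a real image the allocation status comes from the file system (dstat reports it one block at a time).

```python
# Added example, not from the course notes: a model of the data-layer
# steps dls, dcalc and lazarus/foremost perform, on a constructed
# 12-block image with a made-up allocation bitmap. Real bitmaps come
# from the file system (dstat tells you one block at a time).
BLOCK_SIZE = 4096

# A few magic values, the same idea as file(1)'s magic database.
MAGIC = {
    b"\x1f\x8b\x08": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x7fELF": "elf",
    b"#!": "script",
}


def identify(block: bytes) -> str:
    """What lazarus does per block: run a magic check and name the type."""
    for sig, name in MAGIC.items():
        if block.startswith(sig):
            return name
    return "data" if any(block) else "zero"


def dls(image: bytes, allocated, block_size: int = BLOCK_SIZE) -> bytes:
    """Default dls: concatenate every unallocated block in address order."""
    return b"".join(image[a * block_size:(a + 1) * block_size]
                    for a, used in enumerate(allocated) if not used)


def dcalc_u(allocated, dls_addr: int) -> int:
    """dcalc -u: block dls_addr of the dls output was the dls_addr-th unallocated block."""
    seen = 0
    for addr, used in enumerate(allocated):
        if not used:
            if seen == dls_addr:
                return addr
            seen += 1
    raise IndexError(f"dls output only has {seen} blocks")


def dcalc_d(allocated, orig_addr: int) -> int:
    """dcalc -d: original address -> address in the dls output (must be unallocated)."""
    if allocated[orig_addr]:
        raise ValueError(f"block {orig_addr} is allocated, so dls did not copy it")
    return sum(1 for used in allocated[:orig_addr] if not used)


def foremost_hit_to_block(audit_offset: int, allocated, block_size: int = BLOCK_SIZE) -> int:
    """The notes' chain: audit.txt byte offset -> dls block -> original image block."""
    return dcalc_u(allocated, audit_offset // block_size)


def drop_block(data: bytes, index: int, block_size: int = BLOCK_SIZE) -> bytes:
    """Remove one block, e.g. index 12 (the 13th) where ext2/3 keeps the indirect pointer block."""
    return data[:index * block_size] + data[(index + 1) * block_size:]


def lazarus(image: bytes, block_size: int = BLOCK_SIZE):
    """Type every block of an image: {address: type}."""
    return {a: identify(image[a * block_size:(a + 1) * block_size])
            for a in range(len(image) // block_size)}


# Constructed image and bitmap: True = allocated, False = unallocated.
ALLOCATED = [True, True, False, True, False, False, True, True, True, False, True, False]
IMAGE = bytearray(len(ALLOCATED) * BLOCK_SIZE)
IMAGE[9 * BLOCK_SIZE:9 * BLOCK_SIZE + 3] = b"\x1f\x8b\x08"   # deleted gzip in unallocated block 9
IMAGE[6 * BLOCK_SIZE:6 * BLOCK_SIZE + 4] = b"\x7fELF"         # live binary in allocated block 6

if __name__ == "__main__":
    unalloc = dls(bytes(IMAGE), ALLOCATED)
    hit = unalloc.find(b"\x1f\x8b\x08")          # what foremost's audit.txt would report
    print(hit, hit // BLOCK_SIZE, foremost_hit_to_block(hit, ALLOCATED))   # 12288 3 9
    print(lazarus(bytes(IMAGE)))
```

Unallocated blocks 2, 4, 5, 9 and 11 become dls blocks 0 to 4, so the gzip header at dls offset 12288 is dls block 3, which dcalc_u maps back to image block 9. That block number is what ifind -d takes next.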

Metadata Layer..164

  • ifind..165

Give ifind a block address (-d) and it returns the inode number that points, or pointed, at that block:

ifind -d 8171 dev_sda6.img
2880
  • istat..167

Displays the metadata held in an inode: allocation status, size, owner, MAC times and the block pointers (there is no filename in the inode).

istat dev_sda6.img 2880
  • istat - FAT Image Example..169
  • istat - NTFS Image Example..170
  • Inode lister: ils..173
  • ils Audit: Hands-On..175
  • ils Post Mortem: Hands-On..176

Lists inode information (by default only unallocated, i.e. deleted, inodes; -e lists all):

ils dev_sda6.img | grep 2880
  • icat..177

Copies a file's content out by inode number, no filename needed; -r attempts recovery of a deleted file's blocks.

icat -r dev_sda6.img 2880 > /images/unixforensics/lk.tgz
  • Metadata Layer Review..180

Filename Layer..181

  • fls..182

Takes the inode of a directory and lists the filenames in it with their inode numbers (deleted entries are marked with *). Without an inode it starts at the root directory.

fls dev_sda6.img            (root directory)
fls -l dev_sda6.img         (long format: MAC times, size, owner)
fls dev_sda6.img 174593     (entries of directory inode 174593)
  • ffind..187
  • Filename Layer Review..189
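The metadata and filename layers together, showing what ifind -d, istat, icat, fls, ffind and ils answer and how the block, inode and filename chain closes, as an added example that is not from the course notes. Everything here is a constructed toy file system: the inode numbers (2880 and 13 echo the notes but nothing else does), block addresses, names and contents are made up, and 16-byte blocks are used to keep it readable. One caveat the toy hides: on ext3 the kernel zeroes an inode's block pointers when a file is deleted, so the ifind -d / icat -r recovery shown in the notes works on ext2 but generally not on ext3, where you carve from the dls output instead.

```python
# Added example, not from the course notes: a toy in-memory file system
# showing what ifind -d, istat, icat, fls and ffind answer and how the
# block -> inode -> filename chain closes. Inode numbers, block
# addresses, names and contents are all constructed (tiny 16-byte
# blocks keep it readable; the notes' systems use 4096).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BLOCK_SIZE = 16


@dataclass
class Inode:
    number: int
    size: int
    blocks: List[int]                 # direct block pointers
    allocated: bool = True            # False once the file is deleted
    entries: Dict[str, int] = field(default_factory=dict)   # name -> inode, directories only

    @property
    def is_dir(self) -> bool:
        return bool(self.entries)


class ToyFS:
    def __init__(self, image: bytes, inodes: List[Inode]):
        self.image = image
        self.inodes = {i.number: i for i in inodes}

    def ifind_d(self, block: int) -> Optional[int]:
        """ifind -d BLOCK: the inode (allocated or not) that points at this block."""
        for ino in self.inodes.values():
            if block in ino.blocks:
                return ino.number
        return None

    def istat(self, number: int) -> dict:
        """istat: the metadata an inode holds; note there is no filename here."""
        ino = self.inodes[number]
        return {"inode": number, "allocated": ino.allocated,
                "size": ino.size, "blocks": list(ino.blocks)}

    def icat(self, number: int) -> bytes:
        """icat: concatenate the inode's blocks and trim to its recorded size."""
        ino = self.inodes[number]
        data = b"".join(self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] for b in ino.blocks)
        return data[:ino.size]

    def fls(self, dir_inode: int):
        """fls DIR_INODE: (name, inode, deleted) for each directory entry."""
        return [(name, ino, not self.inodes[ino].allocated)
                for name, ino in self.inodes[dir_inode].entries.items()]

    def ffind(self, number: int) -> List[str]:
        """ffind INODE: every filename that references the inode (fls in reverse)."""
        return [name for d in self.inodes.values() if d.is_dir
                for name, ino in d.entries.items() if ino == number]

    def ils(self, deleted_only: bool = True) -> List[int]:
        """ils: inode numbers, by default only the unallocated (deleted) ones."""
        return [n for n, i in self.inodes.items() if not deleted_only or not i.allocated]


# Constructed 12-block image: a deleted gzip (inode 2880) in blocks 7 and 9,
# a live text file (inode 13) in block 3, root directory inode 2 in block 1.
IMAGE = bytearray(12 * BLOCK_SIZE)
IMAGE[7 * BLOCK_SIZE:8 * BLOCK_SIZE] = b"\x1f\x8b\x08" + b"A" * 13
IMAGE[9 * BLOCK_SIZE:9 * BLOCK_SIZE + 4] = b"B" * 4
IMAGE[3 * BLOCK_SIZE:3 * BLOCK_SIZE + 11] = b"hello world"
FS = ToyFS(bytes(IMAGE), [
    Inode(2, 0, [1], entries={"lk.tgz": 2880, "notes.txt": 13}),
    Inode(13, 11, [3]),
    Inode(2880, 20, [7, 9], allocated=False),
])

if __name__ == "__main__":
    ino = FS.ifind_d(7)                           # 2880
    print(ino, FS.istat(ino), FS.ffind(ino))      # ... ['lk.tgz']
    print(FS.fls(2))                              # lk.tgz shown as deleted
    print(FS.icat(ino)[:3] == b"\x1f\x8b\x08")   # True: icat -r style recovery
```

Notice that istat never returns a name: the inode only knows size and block pointers, which is why the last step of the chain (ffind, or fls on the parent directory) is needed to attach a filename to recovered content.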

SleuthKit Exercises..190

  • Journal Layer..193
  • jls..196
  • jcat..198

Advanced Timelines Deleted Files and Unallocated Metadata..200

Like mac_robber, the following creates the timeline (body) data:

  • Data File: fls -m [timeline information]..201
  1. -m gives the mount point to prepend to each path
  2. -r recurses into subdirectories

fls -m / -r dev_sda6.img > /images/unixforensics/dev_sda6.fls

or on a live system:

fls -m / -r /dev/sda6 | less
  • Data File: ils -m [timeline information]..203

Emits the same body-file lines for the unallocated (deleted) inodes; their filenames are gone, so only the inode number identifies each entry:

ils -m dev_sda6.img > /images/unixforensics/dev_sda6.ils
  • Data File Conclusion..205

Combine the two with cat:

cat dev_sda6.?ls > dev_sda6.mac

The shell's ? matches any single character, so this globs dev_sda6.fls and dev_sda6.ils.

  • mactime Examples mactime -b..206

Turn the body file into a human-readable timeline:

mactime -b dev_sda6.mac > timeline_sda6.all
-d for comma-delimited output (easy to load into a spreadsheet)
  • Timeline reading ..207
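What mactime -b does with the body file, as an added example that is not from the course notes: a small re-implementation that reads body lines in the current TSK 3.x layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds), which is what fls -m and ils -m emit today, expands each file into one row per distinct timestamp with m/a/c/b flags, and sorts by time. The three BODY lines are constructed, not output from the dev_sda6 image; the <image-dead-inode> name is the shape ils -m gives a deleted inode with no filename.

```python
# Added example, not from the course notes: a small mactime -b. It reads
# body-file lines in the current TSK 3.x layout
# (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch
# seconds), which is what fls -m and ils -m emit, expands each into one
# row per distinct timestamp with m/a/c/b flags, and sorts by time.
# BODY is constructed; it is not output from the dev_sda6 image.
from datetime import datetime, timezone

BODY = """\
0|/etc/passwd|13|r/rrw-r--r--|0|0|1420|1104537600|1104537600|1104537600|0
0|/home/user/lk.tgz (deleted)|2880|r/rrw-rw-r--|500|500|81920|1104624000|1104620400|1104624000|0
0|<dev_sda6.img-dead-2881>|2881|-/rrw-------|500|500|0|1104624000|1104624000|1104624060|0
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")


def parse_body(text: str):
    """Parse body lines into dicts; the four timestamps become ints."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        row = dict(zip(FIELDS, parts))
        for key in ("atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def expand(rows):
    """One (time, macb, row) per distinct non-zero timestamp of each file, sorted by time."""
    out = []
    for row in rows:
        flags_at = {}
        for key, flag in (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b")):
            if row[key]:                          # mactime drops zero timestamps
                flags_at.setdefault(row[key], set()).add(flag)
        for t, flags in flags_at.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            out.append((t, macb, row))
    out.sort(key=lambda e: (e[0], e[2]["name"]))
    return out


def mactime(text: str, comma: bool = False):
    """Render like mactime -b (or like -d, comma separated, with comma=True)."""
    lines = []
    for t, macb, r in expand(parse_body(text)):
        when = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        cols = [when, r["size"], macb, r["mode"], r["uid"], r["gid"], r["inode"], r["name"]]
        if comma:
            lines.append(",".join(cols))
        else:
            lines.append(f"{when} {r['size']:>8} {macb} {r['mode']} "
                         f"{r['uid']:>4} {r['gid']:>4} {r['inode']:>6} {r['name']}")
    return lines


if __name__ == "__main__":
    print("\n".join(mactime(BODY)))
```

Reading the output: a file whose three times coincide collapses to one "mac." row (a fresh install or extraction), while a file with a modification time well before its access/change time splits into "m..." and ".ac." rows, which is the pattern to look for around a suspected compromise window. Times are rendered in UTC here; real mactime honours the -z timezone option, and mixing zones between the imaged system and the analysis box is a classic timeline mistake.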

File Content Type..211

  • file..212
  • sorter..213

Runs file on every file in the image, including deleted ones, categorises them by content type (images, documents, executables, ...) and copies them into one directory per category.

  • Thumbnails Viewing..217
  • Hash Databases..218
    • hfind: Overview..219

Indexes a hash database (-i, giving its format, here md5sum output) and looks hashes up in it:

hfind -i md5sum linux_hash.txt
hfind linux_hash.txt <md5 hash>
    • sorter and hashes..220

Hash all files on a known-good reference system (here a Fedora Core 3 install):

md5deep -r / > /mnt/LinuxFC3.txt

Use the database to exclude known-good files when running sorter (the database must first be indexed with hfind -i md5sum, as above, or sorter cannot use it):

sorter -d sorter_dir -x LinuxFC3.txt hda1.dd

Autopsy Forensic Browser..221

  • Adding a Host..226
  • Adding an Image..228
  • Beginning the Analysis..232
  • Live Autopsy Analysis..263
  • Autopsy Step-By-Step..268

Review..270

Forensic Investigation Methodology..271


aoe/sans508-3.txt · Last modified: 2023/12/27 16:42 by 127.0.0.1