Intro
My last post involved mostly the installation and imaging process one would first need to get out of the way before using either TSK or Autopsy. In this post, I will introduce the concepts of hard drive storage and file system data structures, then begin showing a few TSK tools. Since it's mostly looked down upon to be a tool monkey and only know how to manage a forensic tool, without actually knowing the details of the actual evidence itself, i find it necessary to talk more than just about the tools. I understand this causes the title of these posts to be somewhat misleading, but I will eventually focus directly on the tools after i get all the relating information out of the way. I'm not used to blogging, and i'm coming to realize the importance of beforehand planning.
Formatting Hard Drives
Before a filesystem can be even put onto a hard drive, the drive needs to go through a process called low level formatting. This is a process that marks out the cylinders and tracks and then divides those tracks into multiple sectors. These marks on the surfaces of the platters are then the addressable blocks that exist before MBR partitioning or GPT partitioning are applied.
A sector is a unit of bytes (512 bytes to be exact), that acts as a container for holding your data, and a cluster is a container for sectors. Sectors are assigned an address that make locating a sector via the bios or drive controller even possible. There are two addressing schemes used; the original method is the cylinder/head/sector (CHS) addressing scheme, and the more modern logical block addressing scheme (LBA). MBR used to have an 8 gb drive limitation with CHS, but then started employing LBA, to obtain the 2 tb limit. But don't focus too much on MBR, because GPT is used more so anyways, but we'll get more into theses addressing methods later on. So clusters are made up of a collection of sectors, and cluster sizes, depending on the operating system you're using, range in sizes from 512 bytes to 64 kb's. 64 kb's is equal to 64000 bytes, which can contain 125 sectors. Inside these sectors and clusters, is where your files are contained. The magnetic material on the surface of these drives are positioned in a particular physical state to represent either on or off. These ones and zeros are what are used to make up all your files, folders and executables on your hard drive.
Sectors are sequential, but clusters can be non-contiguous. A file that has multiple clusters, can have its cluster scattered all over a drive, and their locations are retained with the power of FAT or MFT in rtfs. We'll get into those details a couple blog posts from now :^).
Then after the low level formatting of a drive, then comes the partitioning of the drive. Examples of these partitioning mechanisms include the MBR (Master Boot Record) partitioning scheme, (which you'll see with older older more smaller drives. Then there is the more modern partitioning scheme called GPT (GUID Partition Table), which is a partitioning method designed to work with larger storage devices). Here are two invaluable images depicting both from microsoft.com:
 |
| tech net.microsoft.com |
 |
| technet.microsoft.com |
The MBR is located at the first physical sector of a hard drive, and contains the boot code, four partition table entries, and a signature value. The MBR is the only place that holds the partition information. In the beginning part of the MBR is the "boot sector", or boot code. This part of the MBR is looked at by the BIOS, to see which partition on your hard drive, contains your primary operating system to boot up with. The rest of the MBR contains 4 entries, and these entries are like little book marks that contain information about the possible four partitions that you may have on your hard drive. I say "may" because you could design you hard drive to only have one partition with one operating system inside of it, which is what most people end up doing. I'll get into what a partitions and volumes are later on. For now, back to these four entries. These entries, (each being 16 bytes long), keep a record of the first and starting sectors of each partition on your drive. These are indicators that are provided when the hard rive says, "hey how many and where are your partitions located." MBR partitions have a size limitation of up to 2 TB's of storage, meaning your drive can only go up to size of about 2 TB's for each of the 4 primary partitions on the drive.
Down below in figure 2.2, is a carved out sector of my MBR. The imaged copy that i am using as my dd image which is a 298GB NTFS drive, is an MBR partitioned drive, not a GPT partition drive. (It's old i guess). You can find out on your windows system by typing DISKPART in your cmd, the type LIST DISK in your new cmd window. If you see under Gpt an empty space below it, that means you don't have one. You can also see that here in figure 2.1b
Figure 2.1b
Figure 2.2
 |
| My MBR carved with dd and the xxd tool; dd if= ntfscopy.img.001 bs=512 skip=0 count=1 | xxd |
The yellow is 446 bytes of the boot code. The Green is my first partition entry, followed by the locations of the slots for the rest of the possible partition "entries", (remember you can have up to four possible partitions), and as you can see, i have two partitions on my drive. Also remember, this is MBR is before my GPT partition table, because this is an image of an up to date NTFS drive, that is partitioned with GPT. The number 80 in the beginning of the green table is where the flag indicator tell be where to boot from, 80 boot flag, means this is your bootable partition. The 07 you can see in the green bar is an indicator for an NTFS partition. The last two bytes 55 AA, are the boot record signature. All this is in Carriers FSFA book. I'm sorry for the brevity, but i must move on.
GPT supports up to 128 partitions on a drive, so there is not 4 partition limitation, nor is there the need for an extended partition like there is in MBR. In MBR, the location where the partition sizes are stored are only 4 byte long indicators (32 bits), located in the MBR partition headers. This is what causes the drive limitation of 2 TB's. GPT uses 64 bits for storing logical block addresses in the GPT header, allowing them to have many more sectors on a drive, up to 9 petabytes i think. These directory entries, (like in MBR), exist inside the partition table. Directory entries gives a description of each of the partitions on disk. At LBA0 is ab MBR partition, which is used for backward compatibility reasons, and then there is a GPT header at LBA1, which gives a general layout of the disk volume itself, and contains pointers to where certain information is located on the drive. At the end of the drive is a backup partition that contains a backup of the header and partition entries.
Figure 2.3
 |
| wikipedia.org |
Partitions & Volumes
What is a Partition is? What is a Volume?.
What are Active primary partitions, primary partitions, logical partitions, extended partitions? :^)
Active Primary Partition:
Primary Partitions:
Logical Partitions:
Extended Partitions:
When someone says "volume", (also called a logical drive), they are referring to any accessible storage areas with a hard drive. If your entire drive is just one large partition that encompasses the entire physical drive, well than that whole area of storage is also considered a volume. When you take a drive and start partitioning it, each partition IS also considered a volume. The reason why the two general aren't identical is because a partition is a data structure that is designed to house an entire operating system. While this partition is ALSO a volume, inside this partition, multiple VOLUMES segment into multiple specific storage facilities.
You could design your drive to have one partition, while inside this partition, you have a volume to hold the OS data, and another volume to hold user data. Or, you could install more than one file system on a drive, one OS for each partition. Primary partitions are what hold your bootable OS, and extended partitions are used for things like storing a VM, since a VM file system can be a dynamic virtual file system. I know that was confusing. Sorry, gotta move on.
So you can have one partition, and two hard drives. When you combine the three, by creating a partition that spans two drives, this is considered a logical partition. A good way to remind yourself of how a volume or logical volume exists, just think of how RAID works.
You'll also see the abstraction of logical and physical not just with hard drives, but you'll also see this abstraction in memory storage with page files. This is when your physical memory is just too small, so it creates a page file storage space on your hard drive, so now the CPU thinks it's looking at a memory card that is larger than it actually is.
Figure 2.4
 |
| (Brian Carrier, File system forensic analysis.) |
Now when you're working with Windows, under disk utility you'll see some drive letters. Usually there are three drive letters by default on a windows hard drive, and these drive letters are also the partitions that you have inside your drive. For example, drive letters like C: is usually your primary drive, and if you have any extended partitions in your drive they will be labeled from D: to Z:. So if you created a new partition on your drive, it will be assigned the next available letter between D to Z.
Lets get to it
Navigate to your image
My image is a dd copy of an NTFS hard drive. Size is 298gb. I'm working in a VM of Ubuntu where my TSK tools are located. The dd image is contained on my external hard drive, so in or to run my tools against it, i need to change my directory with cd /media to the directory where my image is located. When you want to know the path to a files location before using this command, all you have to do is drag and drop the file into the terminal and voila. Terminal will tell you. (As long as the external hard drive where your image is located, is mounted in your VM).
The location of my image is: /media/digitalresidue/My Passport/1NTFS image/ntfscopy.img.001.
The location of my image is: /media/digitalresidue/My Passport/1NTFS image/ntfscopy.img.001.
My Passport - is the name of my ext drive
1NTFS image - is the name of my folder
ntfscopy.img.oo1 - is the name of my dd image
1NTFS image - is the name of my folder
ntfscopy.img.oo1 - is the name of my dd image
I want to be in the parent directory where my image is located. The parent directory is 1NTFS image, and to get there i type: cd /media/digitalresidue/My\ Passport/1NTFS\ image.
Notice that i had to enter a backslash "\" in between the words that had a space. I'm not sure the reasoning, but if you're trying to navigate to a directory, if there are words that have a space, you need to insert a backlash there.
Now run a dir and you will see where my .img is located.
Notice that i had to enter a backslash "\" in between the words that had a space. I'm not sure the reasoning, but if you're trying to navigate to a directory, if there are words that have a space, you need to insert a backlash there.
Now run a dir and you will see where my .img is located.
Figure 2.5
Here's a simple sudo fdisk -l, a native command that is comparable to TSK's mmls:
Figure 2.6
The asterisk * next to ntfscopy.img001p1 is where your partition of "focus" starts, at sector 2048. The reason why your partition table starts at 2048, is because the drive itself was partitioned this way, with something like older method of partitioning with something like fdisk will start you at 2048, and this is the default starting sector location where your ACTIVE partition begins. Normally you will see your partition start at sector 63, but in this example, it simply isn't the case
1) The BIOS loads a bootstrap program that loads the MBR (located at physical sector 0), into memory.
2) The MBR then looks to the partition table to see which partition on disk is the primary active partition to boot into, (which will be at sector 0 of the volume boot sector of said partition).
3) Your MBR loads you into that active partition.
4) You are now located in a GUI of where your Operating System is located.
In figure 2.6 you'll see ntfscopy.img.001p1 partition starts at sector 2048 and ends at 206847. In Windows 7 filesystem, this p1 partition is your System Reserved, which technically is also your "Active Primary Partition", which includes your systems boot loader, along with other configuration files, and has your system jump to the bootable partition, which in this case, is ntfscopy.img.001p2. This partition is your "Primary Partition", that contains your formatted NTFS partitioned filesystem. Before sector 2048 is empty space, and also where your MBR and boot code is located.
***As a cautionary side note to the material I am presenting, there may be many places where i am saying incorrect things, so please just leave corrections in the comments section below :). After the p1 active primary partition, there is the partition 2 'p2', that you can see what they represent, at the top of this blog post under "corrections".
Here is a list including some of the main commands in TSK without their associated switches. Some of these commands listed here are not included in Carriers book FSFA, so we won't really touch on what isn't discussed in his book:
Figure 2.7
 |
| wiki.sleuthkit.org |
Each one of these commands is assigned to a layer of abstraction. TSK simplifies their identification by giving them a prefix that are initialed for each layer.
Each tool name has two parts, where the first part identifies its group and the second part identifies its function. For example, fls is a file name category tool (the f) that lists (the ls), and the istat tool is in the metadata category (the i) that displays statistics (the stat). (Carrier, 2005. p.g 377).
- mm - tools that operate at the media management layer.
- mmls
- fs - tools that operate on the file system layer.
- fsstat
- blk - tools that operate at the "block" or data unit layer.
- dcat
- dls
- stat
- dcalc
- i - tools that work at the anode layer. Also known as the metadata layer.
- icat
- ifind
- ils
- stat
- f - file name layer.
- ffind
- fls
There is a list of other tools that come bundled with TSK. It's hard for me to figure out a better way to organize these tools, plus, these are the main tools we will be focusing on anyways.
Forensic layers of abstraction and their respective tools:
1) At the lowest level there is the Disk layer. Also known as the physical layer. We acquire our images at the disk level with something like dd. A potential place of interest for an analyst would be the HPA or DCO slack spaces of a drive. Something like diskstat can analyze for potential HPA hiding, but since i used FTK to image my drive, i can't show an example output of this. FTK imager allows you to use the dd tool as an imaging option, and unfortunately this method of imaging will not include the HPA of your drive if one does exist. In order to image the HPA area of a hard drive with FTK or dd, you will need to reformat and reset the maximum addressable sectors the hard drive. I think there are some tools that allow you to image HPA without reformatting; such X-ways replica.
A native command in linux will tell you if you even have an HPA area, hdparm -N, against your image.
2) The next layer is the Volume layer. This is an area of abstraction that exists between the physical drive itself, and the filesystem layer. mmstat ran against your image will tell you what partition type you're working with, in my case, it's a dos based disk.
mmls is one of the first go to tools an investigator turns to when running TSK. This command carves out your partitions, regardless of where they are located on disk, and gives you the starting and ending sector details. Here will be my command: mmls -t dos tfscopy.img.001. (-t is a switch that is followed by which partitioned drive you have, in my case, is dos.)
Figure 2.8
As you can see in the blue circles, are rows of information that tells you where your partitions are located, their size, their beginning and ending sectors, and their offsets. My image has A primary partition, from slot 00 to 01, which is the primary table #0, our MBR. Then from there we have unallocated space until our next partition, which is our NTFS partition. Our NTFS partition offset starts at 2048, then the volume ends at 206847, then another volume begins at 206848. 2048 to 206847 is our reserved partition in NTFS, and is home to many boot files. The second volume is simply our file system data volume :^).
