This post is an overview of some of the capabilities a user can expect when using "The Sleuth Kit" (TSK), a forensic library of C tools accessible through the CLI, and "Autopsy", the GUI front end to TSK, both brought to you by Mr. Brian Carrier. The approach Mr. Carrier takes in his book, "File System Forensic Analysis," is a layered one that looks at a file system from a couple of different perspectives. This abstraction simply helps an investigator organize a computer system as a layered construction and discuss the possible artifacts that can be obtained from each layer.
I installed TSK on Ubuntu with sudo apt-get install sleuthkit, and created my forensic images using the dd utility, which is a native Linux command. TSK analyzes and supports EnCase .E01 images and raw (dd) disk images, generated with Linux's dd command or FTK Imager. TSK and Autopsy are used for analyzing raw images, not creating them, so we're going to have to use dd to image a drive's partition. Something like dc3dd, a third-party Linux utility, also creates raw data files, but these are not compatible with TSK. If you want to try out dc3dd, you will have to type sudo apt-get install dc3dd.
Commands like dd and dc3dd can be combined with switches like log=, skip= and hash=, but PRIMARILY, dd and dc3dd are used with the operands if= and of= before anything else (if=<the device you want to image> of=<where you want the imaged data to end up>). This order is very important. If you accidentally swap these two, you could be overwriting the very data you wanted to copy from. This concern is more relevant when you are "cloning" a drive. Cloning is the process of copying a hard drive's data directly onto another hard drive, while imaging is the process of copying a hard drive's data and saving it as an image file. Both processes create an exact record of your drive or partition as a raw image. Raw images include allocated and unallocated files, swap space, the host protected area (HPA) and device configuration overlay (DCO), along with the other data structures that make up the filesystem. dd and dc3dd create these raw images.
Here is how you would use dd: sudo dd if=<source> of=<target> bs=<byte size>
Source is the drive you want to image. Target is where you want the image copy to be sent. The byte size should be 512 bytes; if you leave bs= out, dd uses 512-byte blocks by default.
You can pipe your results with the "|" operator, giving your dd output to a remotely connected machine using netcat, for example: sudo dd if=<source> bs=<byte size> | netcat <targethost-IP> 1234. Note that the piped form has no of=: dd writes the image to standard output, and the pipe hands it to netcat.
But if you want to send your dd .img results to the local desktop, you would use: dd if=/dev/sda of=/home/desktop/test.img bs=<byte size>.
So how do I find out the path names of my devices to fill in the if= and of= operands? What is my target, and what is my source? For this information, all you need to do is run sudo fdisk -l
As you can see, I have a 64 GB USB drive and a 1 TB drive connected to my workstation. The red boxes signify the primary path to each device, its home directory so to speak, and the green boxes are the primary partitions that exist on each drive.
dd is capable of imaging the entire drive or, if time is of the essence, specific locations of the drive or just a drive's main partition. A full disk image has more forensic value, but if you simply don't have the space or time, just image a single primary partition. To image a full drive to a target drive you include the root path name of the device. For example, my picture above shows that /dev/sdc is the root path for the 64 GB USB drive, whereas /dev/sdc2 is where its primary partition is located. So, as you can see above, the red boxes indicate the root path name of each device, and the green boxes are the partitions inside that device. For this exercise I will be imaging the full USB drive, since space and time are not a concern of mine, and imaging the boot sector offers more evidence for our investigation.
So you would assume that to image the entire USB drive and send it to my external HDD, all I would have to type is: sudo dd if=/dev/sdc of=/dev/sdb1 bs=512. Well, this isn't going to work, because in order to send files to an external HDD you need to point at the /media directory. /media is usually where an external HDD ends up mounted, and there are a thousand different ways to write commands and scripts that send files to an external hard drive; since I'm not a Linux power user, I only know this one method. The second method I'm familiar with is creating a directory inside the external HDD with mkdir and then specifying output to that directory, creating a "mount point". But we'll just stick with the first method.
You need to navigate your shell to a new directory. In other words, your terminal can move which neighborhood it is living in. By default, when you open the terminal, you're simply brought to the desktop of the user that is currently logged in. But you can pick up shop, move into a new directory that exists within your filesystem (like an external HDD), and take control of where you're located.
You change your terminal's directory with the cd command. So look up the path to your external HDD (usually /media/user/nameofdrive).
So the entire command will be: cd /media/digitalresidue/UNTITLED
This will put you inside the external HDD. From there, you're going to order an image of your USB drive, simply give a name to the imaged file, and not specify a destination, since you're already in the directory where you want it to end up.
So my imaging command is now: sudo dd if=/dev/sdc of=./ddtest.img
And I just got a warning (see below), because I just realized my external HDD is read-only. I'll leave this part in, since it's helpful to discuss how to change a disk's read/write settings.
It turns out the reason my external HDD is in read-only mode is that it is an HFS+ journaled partitioned hard drive (since my MacBook is the primary system it is connected to). "Ubuntu only has support for writing to non-journaled HFS+ volumes." One way around this is to repartition the drive to something else; um, nope, then I'd lose all my data. So I'm kind of stuck here. I could install hfsprogs, but I really wanted this exercise to be a "native run", without third-party installs. Oh well. Most people have a ton of tools installed on their workstations anyway. So sudo apt-get install hfsprogs :-/. After it is installed, make sure your drive is still mounted, which it should be, navigate back to your external HDD directory with the cd command explained earlier, and presto, your imaging of a FAT USB drive onto a pain-in-the-butt HFS+ partitioned external HDD is under way:
As you can see, after pressing enter there is no "progress" data (information showing the imaging taking place), so you're left to sit and wait, not knowing how much has been completed or when the imaging will finish. You do, however, get this information with dc3dd and prog=.
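Putting the whole imaging procedure above together (pick the source, write the image into the directory you are sitting in, and cope with a destination that turns out to be read-only), here is a small shell script I am adding as an example; it is not from the original post or from the Sleuth Kit project. It wraps dd with the two checks a forensic examiner wants before trusting an image: that the destination directory is actually writable (the HFS+ read-only failure described above) and that the SHA-256 of the image matches the SHA-256 of the source, which is what the hash= option of dc3dd is for. The function names, the log file name and the constructed 1 MiB "fake USB" file are all my assumptions; on a real system SOURCE would be something like /dev/sdc and you would run it with sudo.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Images SOURCE into IMAGE with dd, refusing a read-only destination and
# verifying the copy by hash. Paths and names are assumptions for the demo.

# Hash a file or device with whichever SHA-256 tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# image_device SOURCE IMAGE
# Prints "readonly" when IMAGE's directory cannot be written (the HFS+
# journaled-drive problem from the post), "match" when the image hashes
# identically to the source, and "mismatch" otherwise.
image_device() {
    src="$1"
    img="$2"
    dest_dir=$(dirname "$img")
    if [ ! -w "$dest_dir" ]; then
        echo "readonly"
        return 1
    fi
    # bs=512 is dd's default, stated explicitly as the post recommends.
    # conv=noerror,sync keeps dd going past an unreadable block and pads it,
    # so one bad sector does not abort the whole image.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.log" || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    # Keep both hashes beside the image as the acquisition record.
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >>"$img.log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "match"
    else
        echo "mismatch"
        return 1
    fi
}

# Constructed demo: a 1 MiB file of random bytes stands in for /dev/sdc so
# the example runs without root or a real device. Returns image_device's
# verdict, which should be "match".
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/fake_usb.raw" bs=512 count=2048 2>/dev/null
    image_device "$work/fake_usb.raw" "$work/ddtest.img"
}
```

Run it as sh script.sh after adding a line calling demo, or source it and call image_device /dev/sdc ./ddtest.img from inside the external drive's directory, exactly where the post's cd command leaves you. The readonly check fires before dd touches anything, so you find out about an unwritable destination immediately instead of after a long silent wait. As an aside to the progress point above, GNU dd from coreutils 8.24 onward also accepts status=progress on its command line, which gives the running byte count the post misses; dc3dd's prog= remains the option on older systems.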
With my image complete, it is a file that can now be referenced by my TSK commands. This seems like a good place to stop part 1, and my apologies for there not being much work with TSK just yet. I wanted to give a step-by-step guide, starting from the ground up, beginning with what one would need to create in order to even use the TSK toolkit. So in part two, I will get down to the wondrous magic a forensicator can accomplish with TSK.