Forensics with BackTrack and Sleuth Kit
Using Sleuth Kit and Autopsy
Sleuth Kit is a handy collection of open source forensics tools. Some of the tools in Sleuth Kit include mmstat, which displays information about partition tables, and jls, which lists the contents of a file system journal.
The typical procedure for a Sleuth Kit investigation is:
- With fls, create a list of critical file and directory names within the image.
- With ils, create a list of inode information.
- With mactime, create a timeline (file activity, access, deletion, etc.).
- With icat, extract interesting (and deleted) files from inodes.
An example of the initial steps is:
fls -f ext -m / /evidence/ddriveimage.dd > output-data ils -f ext -m /evidence/ddriveimage.d >> data-output mactime -b data-output 01/01/2008-12/31/2008 > activity-report-2008
If an attacker altered access times, you'll want to specify a large data range to ensure you get all the data. After you run this, you should end up with output similar to Listing 1, in which you can see a user named Kurt accessed an account via SSH.
01 Mon Jun 02 2008 01:16:45 24 ..c -/-rw-r--r- kurt kurt 58498 /home/kurt/.bash_logout 02 176 ..c -/-rw-r--r- kurt kurt 58499 /home/kurt/.bash_profile 03 124 ..c -/-rw-r--r-- kurt kurt 58500 /home/kurt/.bashrc
Extracting Files with Icat
Icat is a relatively simple utility that finds an inode in an image file and copies the data out to a file. The icat utility includes several useful options. The -s option copies the slack space, which might contain interesting or hidden information, and -r recovers deleted files. For example:
icat -s -f ext driveimage.dd 58499
This command will show you the contents of /home/kurt/.bash_profile (Listing 2).
01 # .bash_profile 02 03 # Get the aliases and functions 04 if [ -f ~/.bashrc ]; then 05 . ~/.bashrc 06 fi 07 08 # User specific environment and startup programs 09 10 PATH=$PATH:$HOME/bin 11 12 export PATH 13 14 autopsy - a web interface to Sleuth Kit
Although the learning curve for Sleuth Kit isn't very steep, you can easily make a mistake that could cost you a great deal of time and effort. The Autopsy forensics browser, which is available through the Sleuth Kit website  automates the process and slaps on a web interface. Autopsy also provides some additional features, such as tracking cases, handling notes and events, and supporting multiple users. By default, autopsy only allows localhost (127.0.0.1) to connect to the web server.
To allow a remote IP address, you need to use the -c option; however, it is important to remember that Autopsy doesn't provide any encryption, so if you don't access it locally, you either need to connect via a trusted network or use something like OpenSSH to create a secure tunnel.
Buy this article as PDF
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.
Klaus Knopper announces the latest version of his iconic Live Linux system.
All websites that use these popular CMS tools could be vulnerable to denial of service attacks if users don't install the updates.
According to a report, many potential victims of the Heartbleed attack have patched their systems, but few have cleaned up the crime scene to protect themselves from the effects of a previous intrusion.
DARPA and NICTA release the code for the ultra-secure microkernel system used in aerial drones.
Should you trust an online service to store your online passwords?
New B+ board lets you build cool things without the complication of a powered USB hub.
Redmond rushes in to root out alleged malware haven.
New initiative will bring futuristic virtual reality effects to the web surfing experience.