Investigating Windows systems with Linux
The Sleuth Kit
The Sleuth Kit [6] is one of the leading forensic tools. You'll find The Sleuth Kit packages in the standard Debian repository, and you can use Aptitude to install it. The Sleuth Kit mainly contains three tools that extend the functionality of ls; the names help explain the functions:
- fls lists files at file system level,
- ils lists files on the basis of inodes,
- dls restores deleted files.
In addition to these, the kit ships close relatives of the standard Unix tools cat (icat) and find (ifind), and statistics tools such as istat. An investigation with The Sleuth Kit typically starts by creating a list of all files with their timestamp information (Listing 5). If you want a neatly grouped view with a timeline of the events, you can run mactime -b /tmp/body. To look for keywords in the unallocated space (that is, the deleted files) of an NTFS partition:
# dls /dev/loop0 > unallocated
# cat unallocated | strings | egrep -i --color -f keywords.txt
The dls command converts the unallocated space into a file, which cat then pipes to strings and egrep.
Listing 5
File Timestamps
# fls -o 63 -m "C:" -r win_hd.dd > /tmp/body
# mactime -d -b /tmp/body
Thu Jun 19 2003 13:05:04,16656,m..,-/-rwxrwxrwx,0,0,315-128-3,C:/WINNT/system32/cdmodem.dll
Thu Jun 19 2003 13:05:04,11792,m..,-/-rwxrwxrwx,0,0,11267-128-3,C:/WINNT/ServicePackFiles/i386/partmgr.sys
Thu Jun 19 2003 13:05:04,7440,m..,-/-rwxrwxrwx,0,0,8093-128-3,C:/WINNT/ServicePackFiles/i386/bhp.dll
Thu Jun 19 2003 13:05:04,1011764,m..,-/-rwxrwxrwx,0,0,7102-128-3,C:/WINNT/system32/mfc42u.dll
Thu Jun 19 2003 13:05:04,65593,m..,-/-rwxrwxrwx,0,0,6552-128-3,C:/Programme/Outlook Express/csapi3t1.dll
Thu Jun 19 2003 13:05:04,122640,m..,-/-rwxrwxrwx,0,0,858-128-3,C:/WINNT/system32/idq.dll
Thu Jun 19 2003 13:05:04,166672,m..,-/-rwxrwxrwx,0,0,7178-128-3,C:/WINNT/system32/qcap.dll
Thu Jun 19 2003 13:05:04,65593,m..,-/-rwxrwxrwx,0,0,11555-128-3,C:/WINNT/Sersystem32/i386/csapi3t1.dll
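The fls/mactime step above boils down to one transformation: take one record per file with its timestamps, and emit one row per distinct timestamp with a flag for each time type that fell on that second. The script below is an added example, not code from the article or from The Sleuth Kit, that reproduces that core of mactime with awk. It assumes the body format that current fls -m writes (0|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime, epoch seconds, four time types m/a/c/b rather than the three shown in Listing 5), and the two body records are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the article: a minimal mactime-style timeline builder.
# Assumption: input is the TSK body format that fls -m writes, one file per line:
#   0|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime   (times in Unix epoch seconds)
# Like mactime, it emits one row per distinct timestamp of a file and marks which of
# m/a/c/b (modified, accessed, changed, born) fell on that second.

# Constructed sample body (not the article's image): one DLL with all four times equal,
# one shortcut whose crtime is earlier than its m/a/c times.
SAMPLE_BODY='0|C:/WINNT/system32/cdmodem.dll|315-128-3|-/-rwxrwxrwx|0|0|16656|1056024304|1056024304|1056024304|1056024304
0|C:/Documents and Settings/Administrator/Recent/notes.lnk|1200-128-3|-/-rwxrwxrwx|0|0|512|1202727704|1202727704|1202727704|1202726960'

# timeline: body on stdin -> "epoch,size,macb,mode,inode,name", oldest first
timeline() {
  awk -F'|' '
    BEGIN { flag[8] = "a"; flag[9] = "m"; flag[10] = "c"; flag[11] = "b" }
    NF >= 11 {
      split("", have)                       # per-file map: timestamp -> letters
      for (f = 8; f <= 11; f++)
        if ($f != "" && $f != 0) have[$f] = have[$f] flag[f]
      for (ts in have) {
        macb = ""
        for (k = 1; k <= 4; k++) {          # render in mactime order: m a c b
          ch = substr("macb", k, 1)
          macb = macb (index(have[ts], ch) ? ch : ".")
        }
        printf "%s,%s,%s,%s,%s,%s\n", ts, $7, macb, $4, $3, $2
      }
    }' | sort -t, -k1,1n
}

# render: replace the leading epoch with a UTC date. Uses "date -d @epoch" (GNU and
# BusyBox date; assumption) and falls back to the raw epoch elsewhere, so timeline()
# itself stays portable.
render() {
  while IFS=, read -r ts rest; do
    printf '%s,%s\n' "$(date -u -d "@$ts" '+%a %b %d %Y %T' 2>/dev/null || printf '%s' "$ts")" "$rest"
  done
}

printf '%s\n' "$SAMPLE_BODY" | timeline | render
```

Feed it the real /tmp/body from fls -m instead of SAMPLE_BODY to compare its rows with mactime's; the shortcut in the sample shows why a file can appear twice in a timeline, once at its creation second (...b) and once at its later m/a/c second (mac.).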
File Slack
File slack [7] refers to data in the unused space on a filesystem. This effect occurs when you save, for example, a 2KB file on a filesystem with 4KB blocks. All popular Windows systems just pad the unused space with random data from RAM to fill up the blocks.
Tools such as dls from The Sleuth Kit, or bmap [8], let an investigator recreate data that the user sometimes didn't even knowingly store on their disk. Some investigators have used this approach to reconstruct incriminating emails.
dls with the -s option is particularly useful for this purpose:
# dls -s /dev/loop0 > fileslack
# cat fileslack | strings | egrep -i --color -f keywords.txt
This gives the forensics expert the ability to search the file slack for keywords. According to a study [9], modern Linux filesystems are not affected by this problem; they pad the unused bytes with harmless zeros courtesy of /dev/zero.
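To make the slack mechanism concrete, the following added example (not from the article, and not The Sleuth Kit's code) builds a tiny three-block image in which a 200-byte file leaves stale bytes behind in the rest of its block, then carves the slack and an unallocated block with dd and searches them the way the dls -s | strings | egrep pipeline does, using only POSIX tools so it runs without binutils. The 512-byte block size, the file contents, the "leftover" text and the keyword list are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the article: where file slack comes from, and how the
# "raw bytes | printable strings | keyword grep" pipeline of dls -s / strings / egrep
# works, using only POSIX tools (dd, tr, grep) on a constructed image.
# Assumptions: 512-byte blocks; a three-block image in a temp dir; all text is sample data.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IMG="$WORK/slack.img"
KEYWORDS="$WORK/keywords.txt"
BS=512

# build_image: block 0 holds a 200-byte document whose remaining 312 bytes still carry
# stale data; block 1 is unallocated (a deleted note); block 2 is all zeros, which is
# what a filesystem that pads from /dev/zero leaves behind.
build_image() {
  dd if=/dev/zero of="$IMG" bs="$BS" count=3 2>/dev/null
  printf 'Quarterly report: all figures are final.\n' |
    dd of="$IMG" bs=1 conv=notrunc 2>/dev/null
  printf 'Subject: merger with ACME is SECRET\n' |
    dd of="$IMG" bs=1 seek=200 conv=notrunc 2>/dev/null
  printf 'Deleted note: password list in drawer\n' |
    dd of="$IMG" bs=1 seek="$BS" conv=notrunc 2>/dev/null
  printf 'merger\npassword\n' > "$KEYWORDS"
}

# extract_slack IMAGE BLOCKSIZE BLOCK FILESIZE: the bytes between a file's logical end
# and the end of its last block (what dls -s collects for the whole filesystem).
extract_slack() {
  img=$1; bs=$2; blk=$3; size=$4
  [ $((size % bs)) -eq 0 ] && return 0   # file fills its block exactly: no slack
  dd if="$img" bs=1 skip=$((blk * bs + size)) count=$((bs - size % bs)) 2>/dev/null
}

# extract_block IMAGE BLOCKSIZE BLOCK: one whole block (what dls emits for unallocated space)
extract_block() {
  dd if="$1" bs="$2" skip="$3" count=1 2>/dev/null
}

# keyword_hits KEYWORDFILE: raw bytes on stdin -> printable runs of 4+ characters (the
# strings step) that contain a keyword, case-insensitively (the egrep -i -f step).
# Always exits 0 so "no hits" is not an error.
keyword_hits() {
  tr -c '[:print:]' '\n' | grep -E '.{4,}' | grep -i -F -f "$1" || :
}

build_image
echo "slack of block 0:";    extract_slack "$IMG" "$BS" 0 200 | keyword_hits "$KEYWORDS"
echo "unallocated block 1:"; extract_block "$IMG" "$BS" 1 | keyword_hits "$KEYWORDS"
echo "zeroed block 2:";      extract_block "$IMG" "$BS" 2 | keyword_hits "$KEYWORDS"
```

The document text in the first 200 bytes is never searched, only what lies after the file's logical end; on a real image dls -s does the block bookkeeping for every allocated file, and the zero-padded third block is what the Linux filesystems mentioned in the study leave for the same pipeline to find.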
Restore Deleted Files
ntfsundelete, from the ntfsprogs package, gives any Linux admin the ability to restore deleted files on NTFS partitions. Before you run ntfsundelete, you first need to release the /dev/loop0 device, typically by issuing umount /mnt. Without any additional options, ntfsundelete /dev/loop0 just outputs a list of all files that can be undeleted (Figure 3). The example in Figure 3 undeletes the msiinst.exe file on inode 11137.
Files on the hard disk can reveal a great deal about the user. Both Microsoft's Internet Explorer and Firefox store their history on the filesystem. The investigator needs two programs to analyze this information: pasco for Internet Explorer's index.dat files and mork.pl for Firefox's history.dat.
Listing 6 shows a typical analysis sequence: Internet Explorer stores information for each profile in files titled index.dat. Running pasco against each of these files, via find as in the listing, gives the investigator a list of the pages accessed in the browser.
Listing 6
Browser History
# mount -o ro,noatime,noexec /dev/loop0 /mnt
# find /mnt -iname "index.dat" -exec pasco '{}' ';'
TYPE URL MODIFIED TIME ACCESS TIME FILENAME DIRECTORY HTTP HEADERS
URL http://www.google.de/favicon.ico 06/07/2006 21:35:34 12/02/2007 12:14:28 favicon[1].ico NG0RCTFI HTTP/1.1 200 OK Content-Type: image/x-icon Content-Length: 1406 ~U:administrator
REDR http://msn.ivwbox.de/cgi-bin/ivw/CP/MSN01000000;?r= 12/02/2007 12:11:32 12/02/2007 12:11:32
URL Visited: Administrator@http://www.google.de 12/02/2007 12:14:28
URL Visited: Administrator@http://www.msn.de 12/02/2007 14:33:54 12/02/2007 14:33:54
# find /mnt -iname "history.dat" -exec mork.pl '{}' ';'
1202727704 1 http://www.linux4afrika.de/index.php?id=155&L=1
1202727670 1 http://www.linux4afrika.de/index.php?id=154&L=1
1202727641 1 http://www.linux4afrika.de/index.php?id=60&L=1
1202727641 2 http://www.linux4afrika.de/
1202727555 1 http://n-tv.de/916916.html
1202726960 1 http://n-tv.de/916917.html
1202726892 1 http://n-tv.de/916908.html
1202726827 3 http://n-tv.de/
1202726394 2 http://www.linux-magazine.com/
1202726204 2 http://www.google.de/
# find /mnt -iname "history.dat" -exec mork.pl '{}' ';' | awk '{print strftime("%F,%R",$1),$2,$3}'
2008-02-11 11:40 1 http://www.linux-magazin.com/heft_abo/ausgaben/2008/03/zwerg_am_druecker
2008-02-11 11:39 2 http://www.linux-magazine.com/
2008-02-11 11:36 2 http://www.google.com/
(...)
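The raw mork.pl output in Listing 6 is one line per URL; the question an investigator actually has is usually "which sites, how often, and when, inside a given window". The script below is an added example, not part of the article or of mork.pl, that reduces such three-column history lines (epoch, visit count, URL) to a per-host summary for a time window. The column layout is taken from the listing; the URLs and timestamps are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the article: summarise mork.pl-style history output
# ("epoch visit-count url", one line each) per host within a time window.
# Assumptions: three-column layout as in Listing 6, epoch seconds, constructed sample URLs.

SAMPLE_HISTORY='1202727704 1 http://news.example.net/story/42
1202727670 1 http://news.example.net/story/41
1202727641 2 http://www.example.org/
1202726960 1 https://user@mail.example.com:8443/inbox
1202726394 3 http://www.example.org/downloads/
1202720000 5 http://old.example.org/'

# host_summary FROM TO: history on stdin -> "host visits first_seen last_seen",
# most visited first, counting only records whose timestamp lies in [FROM, TO].
host_summary() {
  awk -v from="$1" -v to="$2" '
    $1 >= from && $1 <= to {
      host = $3
      sub("^[A-Za-z][A-Za-z0-9+.-]*://", "", host)   # drop the scheme
      sub("[/?#].*", "", host)                       # keep the authority part only
      sub("^[^@]*@", "", host)                       # drop userinfo, if any
      sub(":[0-9]+$", "", host)                      # drop an explicit port
      visits[host] += $2
      if (!(host in first) || $1 < first[host]) first[host] = $1
      if ($1 > last[host]) last[host] = $1
    }
    END { for (h in visits) printf "%s %d %d %d\n", h, visits[h], first[h], last[h] }
  ' | sort -k2,2nr -k1,1
}

# Window covering the afternoon of the sample session; the 1202720000 record falls outside.
printf '%s\n' "$SAMPLE_HISTORY" | host_summary 1202726000 1202728000
```

Pipe the output through the awk strftime call from Listing 6 (columns 3 and 4) to turn the two epochs into readable times; the window bounds can be produced the same way in reverse with date -d on GNU systems.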
Read the full article as PDF: Investigating_Windows_Systems.pdf (1.47 MB)