Forensics with BackTrack and Sleuth Kit

Using Sleuth Kit and Autopsy

Sleuth Kit is a handy collection of open source forensics tools. Some of the tools in Sleuth Kit include mmstat, which displays information about partition tables, and jls, which lists the contents of a file system journal.

The typical procedure for a Sleuth Kit investigation is:

  1. With fls, create a list of critical file and directory names within the image.
  2. With ils, create a list of inode information.
  3. With mactime, create a timeline (file activity, access, deletion, etc.).
  4. With icat, extract interesting (and deleted) files from inodes.

An example of the initial steps is:

fls -f ext -m / /evidence/ddriveimage.dd > data-output
ils -f ext -m /evidence/ddriveimage.dd >> data-output
mactime -b data-output 01/01/2008-12/31/2008 > activity-report-2008

If an attacker altered access times, you'll want to specify a large date range to ensure you get all the data. After you run this, you should end up with output similar to Listing 1, in which you can see that a user named Kurt accessed an account via SSH.

Listing 1

Tracking Access

Mon Jun 02 2008 01:16:45   24 ..c  -/-rw-r--r--  kurt kurt 58498 /home/kurt/.bash_logout
                          176 ..c  -/-rw-r--r--  kurt kurt 58499 /home/kurt/.bash_profile
                          124 ..c  -/-rw-r--r--  kurt kurt 58500 /home/kurt/.bashrc
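The three commands above chain together through the "body" file that fls -m and ils -m write and mactime reads: one pipe-delimited record per file or inode, with its atime, mtime, ctime and crtime as epoch seconds. The following script, added here as an example and not code from the article or from Sleuth Kit, parses that body format, builds the same kind of timeline mactime produces (one line per timestamp, with m/a/c/b flags), applies a date range, and flags one anomaly that the article's warning about altered access times makes worth checking: an mtime later than ctime, which a normal touch or utimes() call cannot produce because changing mtime updates ctime. The body lines are constructed sample data; the inode numbers echo Listing 1 but the timestamps are invented.

```python
"""Build a mactime-style timeline from a Sleuth Kit body file (added example)."""
from datetime import datetime, timezone

# Constructed body-file lines in the format fls -m / ils -m emit:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/home/kurt/.bash_logout|58498|-/-rw-r--r--|500|500|24|1212369405|1212369405|1212369405|0
0|/home/kurt/.bash_profile|58499|-/-rw-r--r--|500|500|176|1212369405|1212369405|1212369405|0
0|/home/kurt/.bashrc|58500|-/-rw-r--r--|500|500|124|1212369405|1212369405|1212369405|0
0|/home/kurt/.ssh/authorized_keys|58510|-/-rw-------|500|500|401|1212400000|1212400000|1212390000|0
"""

TIME_FIELDS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_body(text):
    """Return one dict per body record; blank lines and # comments are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        records.append({
            "name": name, "inode": int(inode), "mode": mode,
            "uid": int(uid), "gid": int(gid), "size": int(size),
            "atime": int(atime), "mtime": int(mtime),
            "ctime": int(ctime), "crtime": int(crtime),
        })
    return records


def build_timeline(records, start=None, end=None):
    """Return (epoch, flags, record) tuples sorted by time, as mactime does.

    Events of one file that share a timestamp collapse into a single line
    carrying all their flags. start/end are inclusive epoch bounds; a zero
    timestamp means the field was never set and is dropped.
    """
    events = {}
    for rec in records:
        for key, flag in TIME_FIELDS:
            ts = rec[key]
            if ts == 0 or (start is not None and ts < start) or (end is not None and ts > end):
                continue
            events.setdefault((ts, rec["inode"]), [rec, set()])[1].add(flag)
    return [(ts, flags, rec) for (ts, _), (rec, flags) in sorted(events.items())]


def format_line(ts, flags, rec):
    """Render one timeline line in mactime's column order (date, size, macb, mode, uid, gid, inode, name)."""
    macb = "".join(f if f in flags else "." for f in "macb")
    when = datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return f"{when} {rec['size']:>8} {macb} {rec['mode']} {rec['uid']} {rec['gid']} {rec['inode']} {rec['name']}"


def find_timestomping(records):
    """Names of files whose mtime is later than ctime.

    Setting mtime with touch -t or utimes() makes the kernel bump ctime, so an
    mtime newer than ctime arises only from clock changes or direct inode
    edits; either way the file deserves a closer look.
    """
    return [r["name"] for r in records if r["mtime"] > r["ctime"]]


if __name__ == "__main__":
    recs = parse_body(SAMPLE_BODY)
    for event in build_timeline(recs):
        print(format_line(*event))
    for name in find_timestomping(recs):
        print(f"suspicious timestamps: {name}")
```

The timeline grouping mirrors what mactime does with the fls/ils output; the date range is applied per timestamp, not per file, so a file whose ctime lies inside the window still appears even when its (possibly forged) mtime does not.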

Extracting Files with Icat

Icat is a relatively simple utility that finds an inode in an image file and copies its data out to a file. The icat utility includes several useful options: -s also copies the slack space (the unused tail of the file's last block), which might contain interesting or hidden information, and -r recovers deleted files. For example:

icat -s -f ext driveimage.dd 58499

This command will show you the contents of /home/kurt/.bash_profile (Listing 2).
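What -s adds is the part of the file's last allocated block that lies past the end of the file: blocks are allocated whole, so whatever a previously deleted file left in those bytes survives until they are overwritten. The script below, an added example that is not code from the article or from Sleuth Kit, models that on a constructed in-memory image with 1024-byte blocks and a one-entry inode table (inode 58499, echoing Listing 2, assumed to occupy blocks 3 and 4 with a 1500-byte file), and shows the difference between plain icat output and icat -s output.

```python
"""Slack-space extraction on a constructed block image (added example)."""

BLOCK_SIZE = 1024  # assumed block size of the constructed image

# Constructed inode table: inode -> (block list, file size in bytes).
# Inode 58499 holds a 1500-byte file: all of block 3 plus 476 bytes of block 4.
INODES = {58499: ([3, 4], 1500)}


def build_sample_image():
    """Return an 8-block image in which block 4 still holds bytes of a deleted file."""
    img = bytearray(8 * BLOCK_SIZE)
    # A file that was deleted earlier filled block 4; the filesystem freed the
    # block without zeroing it (constructed residue, 28 bytes per line).
    old = (b"deleted memo: see notes.txt\n" * 40)[:BLOCK_SIZE]
    img[4 * BLOCK_SIZE:5 * BLOCK_SIZE] = old
    # Block 4 was then reallocated to inode 58499, whose 1500-byte file only
    # overwrites the first 476 bytes of it; the remaining 548 bytes are slack.
    content = (b"# .bash_profile\n" * 100)[:1500]
    start = 3 * BLOCK_SIZE
    img[start:start + len(content)] = content
    return bytes(img)


def read_blocks(img, block_list):
    """Concatenate the raw bytes of the given blocks."""
    return b"".join(img[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] for b in block_list)


def icat_like(img, inode, with_slack=False):
    """Return what icat prints for an inode; with_slack=True mimics icat -s.

    Plain icat stops at the recorded file size; -s returns the whole last block
    as well, so the slack bytes follow the file data in the output.
    """
    blocks, size = INODES[inode]
    data = read_blocks(img, blocks)
    return data if with_slack else data[:size]


def slack_of(img, inode):
    """Return only the slack bytes of an inode (the tail beyond the file size)."""
    blocks, size = INODES[inode]
    return read_blocks(img, blocks)[size:]


if __name__ == "__main__":
    image = build_sample_image()
    print("file bytes:", len(icat_like(image, 58499)))
    print("file + slack bytes:", len(icat_like(image, 58499, with_slack=True)))
    print("slack preview:", slack_of(image, 58499)[:56])
```

Because the residue sits past the recorded size, a plain read (or a copy from the mounted filesystem) never shows it; only a block-level read of the allocated blocks, which is what icat -s performs, brings it out.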

Listing 2

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

export PATH

Autopsy: A Web Interface to Sleuth Kit


Although the learning curve for Sleuth Kit isn't very steep, you can easily make a mistake that could cost you a great deal of time and effort. The Autopsy forensics browser, which is available through the Sleuth Kit website [2], automates the process and slaps on a web interface. Autopsy also provides some additional features, such as tracking cases, handling notes and events, and supporting multiple users. By default, autopsy only allows localhost (127.0.0.1) to connect to the web server.

To allow a remote IP address, you need to use the -c option; however, it is important to remember that Autopsy doesn't provide any encryption, so if you don't access it locally, you either need to connect via a trusted network or use something like OpenSSH to create a secure tunnel.
