Forensics with BackTrack and Sleuth Kit

Using Sleuth Kit and Autopsy

Sleuth Kit is a handy collection of open source forensics tools. Some of the tools in Sleuth Kit include mmstat, which displays information about partition tables, and jls, which lists the contents of a file system journal.

The typical procedure for a Sleuth Kit investigation is:

  1. With fls, create a list of critical file and directory names within the image.
  2. With ils, create a list of inode information.
  3. With mactime, create a timeline (file activity, access, deletion, etc.).
  4. With icat, extract interesting (and deleted) files from inodes.

An example of the initial steps is:

fls -f ext -m / /evidence/ddriveimage.dd > output-data
ils -f ext -m /evidence/ddriveimage.d >> data-output
mactime -b data-output 01/01/2008-12/31/2008 > activity-report-2008

If an attacker altered access times, you'll want to specify a large data range to ensure you get all the data. After you run this, you should end up with output similar to Listing 1, in which you can see a user named Kurt accessed an account via SSH.

Listing 1

Tracking Access


Extracting Files with Icat

Icat is a relatively simple utility that finds an inode in an image file and copies the data out to a file. The icat utility includes several useful options. The -s option copies the slack space, which might contain interesting or hidden information, and -r recovers deleted files. For example:

icat -s -f ext driveimage.dd 58499

This command will show you the contents of /home/kurt/.bash_profile (Listing 2).

Listing 2




Although the learning curve for Sleuth Kit isn't very steep, you can easily make a mistake that could cost you a great deal of time and effort. The Autopsy forensics browser, which is available through the Sleuth Kit website [2] automates the process and slaps on a web interface. Autopsy also provides some additional features, such as tracking cases, handling notes and events, and supporting multiple users. By default, autopsy only allows localhost ( to connect to the web server.

To allow a remote IP address, you need to use the -c option; however, it is important to remember that Autopsy doesn't provide any encryption, so if you don't access it locally, you either need to connect via a trusted network or use something like OpenSSH to create a secure tunnel.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • BackTrack

    The BackTrack live distribution lets you act like an intruder to test your network’s security.

  • Tracing Intruders Intro

    You don't need expensive proprietary tools to practice the craft of computer forensics.

  • On the DVD: BackTrack 5 R

    This issue’s DVD comes with the BackTrack 5 R1 [1][2][3] pen test distribution. BackTrack provides a great collection of pen testing and security auditing tools. You can boot into BackTrack Live from the DVD or install BackTrack permanently on your hard disk.

  • November 2011: DVD Inlay
  • BackTrack 5 "revolution" Rolls Out

    BackTrack, an Ubuntu-based penetration-testing distribution, offers "major improvements" over previous releases, including support for 32- and 64-bit architectures, KDE 4, Gnome, and Fluxbox.

comments powered by Disqus

Direct Download

Read full article as PDF:

026-028_sleuthkit.pdf  (1.28 MB)