BEDFORDSHIRE UNIVERSITY
Faculty of Creative Arts and Computing
Department of Computer Science & Technology
Unit CIS019-2
Incident Response
Forensics Practical Exercise - Basics
Group Name __________
Student ID_________ Student Name ___________________
Student ID_________ Student Name ___________________
Student ID_________ Student Name ___________________
Student ID_________ Student Name ___________________
Student ID_________ Student Name ___________________
Laboratory Notes
Note: Before starting the practical, make sure that you have a USB stick. Create some dummy files on the USB stick and delete them before starting the practical.
Disk Analysis with fdisk, mmls, fsstat, fls and Sleuth Kit Worksheet
This paper presents various automated tools to extract detailed information: fdisk, mmls, fsstat and fls. The Sleuth Kit tools are then used to recover files.
If you use a different Linux version such as Fedora, first install the Sleuth Kit (TSK) command line tools; in Fedora you can search for TSK using yum. This type of investigation creates an image of the Hard Disk Drive (HDD).
Lab Session 1.1
Recognise the HDD in the terminal
root@kali:~# ls /dev/hd*
Which error message is shown on your terminal?
Type this command: root@kali:~# ls /dev/sd*
Then you can see all the connected drives in your system (Figure 1.1).
Storage devices (and partitions) are located within the /dev directory in Linux. Naming follows this logic:
/dev/hda - the first (master) PATA/IDE hard drive
/dev/hdb - the second (slave) PATA/IDE hard drive
/dev/hda1 - partition 1 of the first (master) PATA/IDE hard drive
/dev/sda - the first (master) SATA/SCSI hard drive
/dev/sdb - the second (slave) SATA/SCSI hard drive
/dev/sda3 - partition 3 of the first (master) SATA/SCSI hard drive
Figure 1.1: Connected HDDs
1.2 fdisk
fdisk can be applied to locate partitions and reveal information such as their start and end sectors/CHS values, number of blocks, sector size, disk identifier and total disk sectors, and to identify the file systems in place (see Figure 1.2).
root@kali:~# fdisk -lu /dev/sda
Figure 1.2: fdisk -lu
In fdisk -lu /dev/sda:
-l - list the partition tables for the specified device
-u - give sizes in sectors instead of cylinders
1.3 Sleuth Kit
The Sleuth Kit (TSK) is available at http://www.sleuthkit.org/. It is a free UNIX package of command line file system and media management forensic tools. It is distributed as source code and compiled on the UNIX or Linux system of your choice. Sleuth Kit comes as a collection of over 20 command line tools that can be used to analyze disk and file system images for evidence. The Autopsy Forensic Browser is used to make the analysis easier: Autopsy is a front end to the TSK tools and provides a point-and-click interface.
First, check your Kali machine to confirm whether the Sleuth Kit is available. Type the command below in your terminal.
root@kali:~# mmls -V
(Figure 1.3)
Figure 1.3: mmls -V, checking the Sleuth Kit version
1.4 mmls
The mmls tool can be used to display the partition layout of a volume system. Unlike fdisk, mmls also shows which sectors are not being used, which makes it useful for searching for hidden data. Additionally, mmls displays information in sectors by default, and if no options are used to filter the result then all volumes will be listed.
Figure 1.4 compares mmls against fdisk and shows the results gathered via both commands. The first two lines in mmls, numbered 00 and 01, are the MBR and the unused space between the main partition table (MBR) and the first partition.
mmls can be used directly on disk images rather than a connected hard disk drive. For instance, assuming that DiskIMG.dd is an image of a HDD created with the dd command, mmls DiskIMG.dd would provide information about the disk as if it were connected live.
Figure 1.4: mmls command
1.5 fsstat
The fsstat tool is applied to display more detail about the layout of a particular file system. As an example, analyse /dev/sdb1, which is the FAT file system that BackTrack boots from, when checking the Linux machine's hard disk details.
root@kali:~# fsstat /dev/sda1 | less (Figure 1.5.1)
Figure 1.5.1: fsstat on the Linux machine
| less was added to display the results page by page. fsstat helps to study the total range of a file system: reserved area, boot sector, backup boot sector, FAT0, FAT1, data area, cluster area, root directory etc., as shown in the figure.
Check your external drive details:
root@kali:~# fsstat /dev/sdb1 (Figure 1.5.2)
Figure 1.5.2: fsstat details of the external drive
2.0 Steps of recovering a deleted file using Sleuth Kit
Seeing available partitions
Use the mmls command on the image to check what file systems are in the image. There are three entries in total, with 02 being the partition. It shows a starting sector of 131 and that it is a FAT16 partition (Figure 1.4).
Next, dig into the partition to see what there is to work with. In the command fsstat -o 131 /dev/sdb, the 131 tells fsstat where the starting sector of the partition is. It gives statistics about the partition that can be helpful in further analysis.
root@kali:~# fsstat -o 131 /dev/sdb (Figure 2.1)
Figure 2.1: fsstat -o 131, starting sector
Viewing the file system
fls -o 131 /dev/sdb helps to view the file structure of the partition and see what files are there. It will also show files that have been deleted. d/d is a directory, r/r is a file, and the numbers after them are their inodes (Figure 2.2).
Figure 2.2: fls command with file view and showing deleted files
Finding the file to recover
The target file to recover is the image that was deleted at the beginning. Check the statistics of the image file using the icat command.
Note: Figure 2.3 shows a * mark for deleted files.
Figure 2.3: * marks deleted files
Recovering the deleted files using Sleuth Kit
Attempt to recover the deleted file using the command icat -o 131 -r /dev/sdb 44. The -o value is again the starting sector, -r is the recovery flag, then comes the image name in question, followed by the inode of the file. Upon completion, verify that the file is in place by issuing the ls command.
Figure 2.4: Recovering the deleted file and showing it in the terminal
Extract the deleted file and view it. Type the command below in your terminal:
root@kali:~# icat -o 131 -r /dev/sdb 44 > recover
(Figure 2.5)
Figure 2.5: Extract the deleted file and save it
Use the ls command after recovering it and check that it is available in your folder. Then apply the cat command and view it (Figure 2.6).
Figure 2.6: Extracted deleted file read via the cat command
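As an added example (not part of the original worksheet), the following POSIX shell script parses constructed mmls and fls output in the format shown in Sections 1.4 and 2.0: it finds the start sector of a chosen partition slot, lists the entries fls marks with * as deleted, and builds one icat -o ... -r ... command per deleted inode. The image name DiskIMG.dd and slot 002 (start sector 131) match the worksheet; the file names and inodes in the sample output are constructed.

```shell
#!/bin/sh
# Added example for this worksheet, not part of the original lab.
# MMLS_OUT and FLS_OUT are constructed samples in TSK's output format;
# slot 002 starting at sector 131 mirrors the worksheet's Figure 1.4.
MMLS_OUT='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000130   0000000131   Unallocated
002:  000:000   0000000131   0000031199   0000031069   DOS FAT16 (0x04)'

# fls marks deleted entries with "*" between the type and the inode.
FLS_OUT='r/r 3:	REPORT.TXT
d/d 5:	PHOTOS
r/r * 44:	IMAGE.JPG
r/r * 47:	NOTES.DOC'

# partition_start <slot>: start sector of an mmls slot such as 002,
# with the zero padding removed so it can be passed straight to -o.
partition_start() {
    printf '%s\n' "$MMLS_OUT" |
        awk -v slot="$1:" '$1 == slot { sub(/^0+/, "", $3); print ($3 == "" ? 0 : $3) }'
}

# deleted_entries: "inode name" for every fls line flagged with *.
deleted_entries() {
    printf '%s\n' "$FLS_OUT" |
        awk '$2 == "*" { inode = $3; sub(/:$/, "", inode); print inode, $4 }'
}

# recovery_commands <image> <slot>: one icat line per deleted entry,
# each redirected to its own file so recoveries never overwrite each other.
recovery_commands() {
    off=$(partition_start "$2")
    deleted_entries | while read -r inode name; do
        printf 'icat -o %s -r %s %s > recovered_%s_%s\n' \
            "$off" "$1" "$inode" "$inode" "$name"
    done
}

recovery_commands DiskIMG.dd 002
```

The script only prints the icat commands, so the offset and inodes can be reviewed before they are run against the image.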
This tool can be applied to analyse any disk image or recover any file. It is an open source tool and mainly supports dd (raw) images; install additional packages from GitHub to analyse E01 or other types of forensic image.
Questions:
Which types of images are supported by this tool?
Can this tool be applied to a law enforcement incident?
What are the other open source tools that can be used for recovering data?