Waraxe IT Security Portal
Login or Register
November 15, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 87
Members: 0
Total: 87
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Tools -> Sleuth Kit open source forensic toolkit
Post new topicReply to topic View previous topic :: View next topic
Sleuth Kit open source forensic toolkit
PostPosted: Wed Apr 13, 2005 2:13 pm Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




Code:
The Sleuth Kit is an open source forensic toolkit for analyzing
Microsoft and UNIX file systems and disks. The Sleuth Kit enables
investigators to identify and recover evidence from images acquired
during incident response or from live systems. The Sleuth Kit is
open source, which allows investigators to verify the actions of
the tool or customize it to specific needs.

The Sleuth Kit uses code from the file system analysis tools of
The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The
TCT code was modified for platform independence. In addition,
support was added for the NTFS (see docs/ntfs.README) and FAT (see
docs/fat.README) file systems. Previously, The Sleuth Kit was
called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independant
of any commercial or academic organizations.

It is recommended that these command line tools can be used with
the Autopsy Forensic Browser. Autopsy, (http://www.sleuthkit.org/autopsy),
is a graphical interface to the tools of The Sleuth Kit and automates
many of the procedures and provides features such as image searching
and MD5 image integrity checks.

As with any investigation tool, any results found with The Sleuth
Kit should be be recreated with a second tool to verify the data.



OVERVIEW
=============================================================================
The Sleuth Kit allows one to analyze a disk or file system image
created by 'dd', or a similar application that creates a raw image.
These tools are low-level and each performs a single task. When
used together, they can perform a full analysis. For a more detailed
description of these tools, refer to docs/filesystem.README. The
tools are briefly described in a file system layered approach. Each
tool name begins with a letter that is assigned to the layer.


File System Layer:
A disk contains one or more partitions (or slices). Each of these
partitions contain a file system. Examples of file systems include
the Berkeley Fast File System (FFS), Extended 2 File System (EXT2FS),
File Allocation Table (FAT), and New Technologies File System (NTFS).

The fsstat tool displays file system details in an ASCII format.
Examples of data in this display include volume name, last mounting
time, and the details about each "group" in UNIX file systems.


Content Layer (data):
The content layer of a file system contains the actual file content,
or data. Data is stored in large chunks, with names such as blocks,
fragments, and clusters. All tools in this layer begin with the letter
'd'.

The dcat tool can be used to display the contents of a specific unit of
the file system (similar to what 'dd' can do with a few arguments).
The unit size is file system dependent. The 'dls' tool displays the
contents of all unallocated units of a file system, resulting in a
stream of bytes of deleted content. The output can be searched for
deleted file content. The 'dcalc' program allows one to identify the
unit location in the original image of a unit in the 'dls' generated
image.

A new feature of The Sleuth Kit from TCT is the '-l' argument to
'dls' (or 'unrm' in TCT). This argument lists the details for data
units, similar to the 'ils' command. The 'dstat' tool displays
the statistics of a specific data unit (including allocation status
and group number).


Metadata Layer (inode):
The metadata layer describes a file or directory. This layer contains
descriptive data such as dates and size as well as the addresses of the
data units. This layer describes the file in terms that the computer
can process efficiently. The structures that the data is stored in
have names such as inode and directory entry. All tools in this layer
begin with an 'i'.

The 'ils' program lists some values of the metadata structures.
By default, it will only list the unallocated ones. The 'istat'
displays metadata information in an ASCII format about a specific
structure. New to The Sleuth Kit is that 'istat' will display the
destination of symbolic links. The 'icat' function displays the
contents of the data units allocated to the metadata structure
(similar to the UNIX cat(1) command). The 'ifind' tool will identify
which metadata structure has allocated a given content unit or
file name.

Refer to the ntfs.README doc for information on addressing metadata
attributes in NTFS.


Human Interface Layer (file):
The human interface layer allows one to interact with files in a
manner that is more convenient than directly with the metadata
layer. In some operating systems there are separate structures for
the metadata and human interface layers while others combine them.
All tools in this layer begin with the letter 'f'.

The 'fls' program lists file and directory names. This tool will
display the names of deleted files as well. The 'ffind' program will
identify the name of the file that has allocated a given metadata
structure. With some file systems, deleted files will be identified.


Code:
Time Line Generation
-----------------------------------------------------------------------------
Time lines are useful to quickly get a picture of file activity.
Using The Sleuth Kit a time line of file MAC times can be easily
made. The mactime (TCT) program takes as input the 'body' file
that was generated by fls and ils. To get data on allocated and
unallocated file names, use 'fls -rm dir' and for unallocated inodes
use 'ils -m'. Note that the behavior of these tools are different
than in TCT. For more information, refer to docs/mac.README.


Hash Databases
-----------------------------------------------------------------------------
Hash databases are used to quickly identify if a file is known. The
MD5 or SHA-1 hash of a file is taken and a database is used to identify
if it has been seen before. This allows identification to occur even
if a file has been renamed.

The Sleuth Kit includes the 'md5' and 'sha1' tools to generate
hashes of files and other data.

Also included is the 'hfind' tool. The 'hfind' tool allows one to create
an index of a hash database and perform quick lookups using a binary
search algorithm. The 'hfind' tool can perform lookups on the NIST
National Software Reference Library (NSRL) (www.nsrl.nist.gov) and
files created from the 'md5' or 'md5sum' command. Refer to the
docs/hfind.README file for more details.


File Type Categories
-----------------------------------------------------------------------------
Different types of files typically have different internal structure.
The 'file' command comes with most versions of UNIX and a copy is
also distributed with The Sleuth Kit. This is used to identify
the type of file or other data regardless of its name and extension.
It can even be used on a given data unit to help identify what file
used that unit for storage. Note that the 'file' command typically
uses data in the first bytes of a file so it may not be able to
identify a file type based on the middle blocks or clusters.

The 'sorter' program in The Sleuth Kit will use other Sleuth Kit
tools to sort the files in a file system image into categories.
The categories are based on rule sets in configuration files. The
'sorter' tool will also use hash databases to flag known bad files
and ignore known good files. Refer to the 'docs/sorter.README'
file for more details.


Webpage http://www.sleuthkit.org/
Complete info direct link Smile http://www.sleuthkit.org/sleuthkit/desc.php
View user's profile Send private message Visit poster's website
PostPosted: Wed Apr 13, 2005 4:18 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Nice toolkit for pentesters and forensic experts Cool
View user's profile Send private message Send e-mail Visit poster's website
Sleuth Kit open source forensic toolkit
www.waraxe.us Forum Index -> Tools
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.046 Seconds