Open Source
–Freely redistributable.
–Provides access to source code.
–End user may modify source code.
Benefits of Open Source tools
–Education.
–Portability – move from one OS to another, computer to another, job to job, and so on.
–Flexibility – you can choose how to use your tools; install on local or remote systems.
–Price – free.
Preparing the examination system
–Build – take the source code and convert it to usable form. If the tool is written in an interpreted language such as Perl, Python or Ruby, install it.
–Image files – forensic copies of the media. Raw image files (bit-by-bit copies of the media) and forensic containers (special file formats designed specifically for forensics) are the two forms of image files.
How to make an operating system image
–mkifs utility – the image may be bootable or non-bootable.
–mkefs utility – creates a flash file system.
Working with images
To use a raw image file, use the losetup command to create a “loop device” associated with the disk image.
–A loop device is a virtual device that allows a disk image to be treated as if it were an actual disk.
–You need to give the appropriate sector offset for this command. If you do not know it, first run the mmls command.
losetup [ -e encryption ] [ -o offset ] loop_device file
-d will detach the device.
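As an added example (not part of these notes), a POSIX shell helper that reads a partition's start sector from mmls output and builds the matching read-only losetup command. The mmls listing is constructed for a hypothetical image, and evidence.dd and /dev/loop0 are placeholder names.

```shell
#!/bin/sh
# Added example (not from the original notes): turn an mmls listing into the
# byte offset that "losetup -o" expects, so the intended partition is attached.

# Constructed mmls output for a hypothetical 100 MiB image, NOT a real case.
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)
003:  -------   0000204800   0000208895   0000004096   Unallocated'

# sector_size MMLS_OUTPUT -> prints the unit size mmls reports (default 512)
sector_size() {
    size=$(printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9][0-9]*\)-byte sectors.*/\1/p')
    printf '%s\n' "${size:-512}"
}

# partition_offset_bytes MMLS_OUTPUT INDEX -> start of entry INDEX (e.g. 002) in bytes.
# Fails (exit 1) when the index is not in the table, so a typo never maps to offset 0.
partition_offset_bytes() {
    start=$(printf '%s\n' "$1" | awk -v idx="$2:" '$1 == idx { print $3 + 0; exit }')
    [ -n "$start" ] || return 1
    echo $(( start * $(sector_size "$1") ))
}

# losetup_cmd MMLS_OUTPUT INDEX IMAGE LOOPDEV -> the read-only (-r) attach command,
# printed rather than run, since attaching needs root and a real image file.
losetup_cmd() {
    off=$(partition_offset_bytes "$1" "$2") || return 1
    printf 'losetup -r -o %s %s %s\n' "$off" "$4" "$3"
}

losetup_cmd "$MMLS_SAMPLE" 002 evidence.dd /dev/loop0
# When analysis is finished, release the device with: losetup -d /dev/loop0
```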
Working with forensic containers
The two forensic container formats are EWF (Expert Witness Format – EnCase) and AFF (Advanced Forensic Format – open source).
Windows as a host
We can create a Unix-like environment under Windows using the Cygwin DLL. Through Cygwin we can compile and use Linux source code. Windows does not have losetup, but ImDisk provides much of the same functionality.
Disk and file system analysis
–Identification: determine which active and deleted files are available in a volume.
–Extraction: retrieval of relevant file data and metadata.
–Analysis
Concepts
–Disk – physical device.
–Volume – collection of one or more partitions; created from part of a disk, a whole disk, or multiple disks.
–File system – layout of files on a volume.
–Data unit – smallest available unit of data storage, such as blocks (multiple sectors).
–Metadata (inodes in Unix).
–File name – consists of folder and file names.
Sleuth Kit
Sleuth Kit (TSK), developed by Brian Carrier, is an updated version of the Coroner’s Toolkit (TCT).
–Supports raw disk images and other image formats via libewf and AFFlib.
Tool name prefixes:
–“mm-”: tools that operate on volumes (media management).
–“fs-”: tools that operate on file system structures.
–“blk-”: tools that operate on the data unit (block) layer.
–“i-”: tools that operate on the metadata (inode) layer.
–“f-”: tools that operate on the file name layer.
–“img-”: tools that operate on the image file.
Volume layer tools
mmstat – reports the type of volume system in use. Will display unallocated space before, after and between volumes.
File system layer tools
fsstat displays file system information such as file system type, volume name, volume ID, last written date, last mounted date, checked date, etc.
Data unit layer tools
The blkstat command displays information about a specific data unit. It can be used to extract all unallocated space of the file system.
Metadata layer tools
The istat command displays information about a specific metadata structure: ownership, time information, block allocation, etc.
File name layer tools
fls lists file names (deleted and allocated).
Image file tools
img_stat displays information about the image. img_cat displays the content of an image.
Carving
Foremost is a file carving program that extracts meaningful file content from unstructured streams of data. You can provide specific words to search for.
–Deleted files – recoverable.
–Orphaned files – the link between file name and metadata is no longer accurate.
–Unallocated – unlinked or reused metadata structure.
–Overwritten – only fragments can be obtained.
–Slack space.
dd
dd creates a copy (image) from an input file to an output file. dcfldd and dc3dd are copy tools designed specifically for forensics.