Introduction to Forensic Image Parsing with SleuthKit

Overview

Disclaimer: This tutorial does not aim to deliver the supporting computer science knowledge; self-study is required to gain proficiency.

Scope

The tutorial aims to give introductory exposure to the underlying structure of an NTFS volume, and to show how to reach its elements manually and parse their attributes without relying on a GUI.

Required Tooling

  • The Sleuth Kit (TSK)

Competency

Level: Basic, Difficulty: Easy, Computer Science: NTFS Analysis

Competency Areas:

  • Operating Systems - Knowledge of file system implementations (e.g. New Technology File System (NTFS), File Allocation Table (FAT), Extended File System (ext), etc.)
  • Computer Forensics - Knowledge of types of digital forensics data and how to recognise them.
  • Computer Forensics - Skill in identifying and extracting data of forensic interest in diverse media.
  • Computer Forensics - Skill in using forensic tool suites

Learning Outcome

With practice this will allow the student to navigate partition tables and the Master File Table (MFT) without the abstraction provided by GUI-based tools. It will also show the student how much information the file system itself holds, and how that information can be extracted and used during a digital forensic investigation.

Subject

The Sleuth Kit is a collection of command line tools that interpret and analyse disk images, permitting interaction with the files, directories and metadata of the file systems they contain.

The command line tools used in this tutorial are:

  • mmls - parses and displays the partition (volume) layout of a disk image; its Start column is the sector offset the file system tools below need
  • fls - lists file and directory names in a directory, including deleted entries whose MFT records still survive
  • fsstat - displays file system details (cluster size, MFT location, volume serial number)
  • istat - displays the metadata of a given MFT entry, addressed by its metadata (inode) address
  • icat - extracts the contents of a file by its metadata address

These tools give direct access to the target file system for examination and extraction of artifacts. They can also be used to interrogate file system artifacts such as deleted entries or the file system journal.

Although graphical tools perform the same tasks, understanding the file system is a key competency in digital forensics and incident response. Knowing how to navigate a file system and how to identify and extract metadata and file system artifacts is a fundamental requirement of almost any case.

In this tutorial fls parses the Master File Table (MFT) and displays file and directory information. The MFT is itself a file ($MFT, entry 0) holding a table of fixed-size records, one for every file and directory on the volume; these records are known as file record segments, or MFT entries.

Each record holds structured data (attributes) describing the file it represents. Records are normally 1024 bytes in size and begin with the ASCII signature FILE, which is what to look for in a hex editor; the update sequence array offset that follows the signature (0x30) shows as a "0" in the ASCII column, so the record start reads as FILE0. The record's own MFT number is stored at offset 44 of the header and its sequence number, incremented each time the record is reused, at offset 16. When another structure refers to an MFT entry it uses an 8-byte file reference whose low 6 bytes are the record number and high 2 bytes the sequence number; a reference whose sequence number no longer matches the record is stale and points at a reused entry.

Each entry also holds metadata about the file (timestamps, names, ownership) and, for content too large to fit inside the record, the data runs that point to the clusters on disk holding the file's content; small files are stored resident, directly inside the record.
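The two paragraphs above describe the record layout in words. The following parser, added here as an example and not part of the original tutorial or of The Sleuth Kit, reads a 1024-byte MFT record: it checks the FILE signature, undoes the sector-end fixups, pulls the record and sequence numbers from the header, splits an 8-byte file reference, and walks the attributes, decoding the data runs of a non-resident $DATA attribute. The record it parses is constructed in code (record 64, one resident and one non-resident attribute); the attribute type table and field offsets are the standard NTFS 3.1 layout.

```python
"""Parse an NTFS MFT file record (1024-byte FILE record) and walk its attributes.
Added example; the sample record is constructed below, not taken from a real volume."""
import struct

RECORD_SIZE, SECTOR_SIZE = 1024, 512
# NTFS 3.1 record header (48 bytes, little-endian): signature, USA offset, USA count,
# $LogFile LSN, sequence number, hard links, first attribute offset, flags, used size,
# allocated size, base record reference, next attribute id, padding, own MFT number.
HEADER_FMT = "<4sHHQHHHHIIQHHI"
FLAG_IN_USE, FLAG_DIRECTORY, END_OF_ATTRIBUTES = 0x01, 0x02, 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION"}


def split_file_reference(ref):
    """8-byte MFT file reference: low 48 bits = record number, high 16 = sequence."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def apply_fixups(record, usa_offset, usa_count):
    """NTFS stamps the update sequence number (USN) over the last 2 bytes of each
    sector and saves the originals in the update sequence array; put them back."""
    rec = bytearray(record)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: torn or corrupt record" % i)
        rec[end:end + 2] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(rec)


def parse_data_runs(buf):
    """Decode a run list into (start cluster, cluster count); offsets are signed deltas."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                       # sparse run: nothing allocated on disk
            runs.append((None, length))
        else:
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((lcn, length))
    return runs


def parse_mft_record(record):
    if len(record) != RECORD_SIZE:
        raise ValueError("expected a %d-byte record" % RECORD_SIZE)
    (sig, usa_off, usa_cnt, lsn, seq, links, attr_off, flags, used, _alloc,
     base_ref, _next_id, _pad, rec_no) = struct.unpack_from(HEADER_FMT, record)
    if sig != b"FILE":
        raise ValueError("bad signature %r (BAAD marks a record NTFS found corrupt)" % sig)
    record = apply_fixups(record, usa_off, usa_cnt)
    attrs, off = [], attr_off
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_OF_ATTRIBUTES or alen == 0:
            break
        attr = {"type": ATTR_NAMES.get(atype, hex(atype)), "non_resident": record[off + 8] == 1}
        if attr["non_resident"]:                # run list offset sits at +32 of the attribute
            runs_off = struct.unpack_from("<H", record, off + 32)[0]
            attr["runs"] = parse_data_runs(record[off + runs_off:off + alen])
        else:                                   # resident: content size at +16, offset at +20
            size, content_off = struct.unpack_from("<IH", record, off + 16)
            attr["content"] = record[off + content_off:off + content_off + size]
        attrs.append(attr)
        off += alen
    return {"record_number": rec_no, "sequence": seq, "lsn": lsn, "link_count": links,
            "in_use": bool(flags & FLAG_IN_USE), "is_directory": bool(flags & FLAG_DIRECTORY),
            "base_record": split_file_reference(base_ref), "attributes": attrs}


def build_sample_record():
    """Constructed record 64, sequence 5, in use: resident $STANDARD_INFORMATION (72 zero
    bytes) and non-resident $DATA with one run of 8 clusters starting at LCN 0x1000."""
    rec, usa_off, usa_cnt, attr_off = bytearray(RECORD_SIZE), 0x30, 3, 0x38
    si = (struct.pack("<IIBBHHH", 0x10, 96, 0, 0, 24, 0, 0)
          + struct.pack("<IHBB", 72, 24, 0, 0) + bytes(72))
    data = (struct.pack("<IIBBHHH", 0x80, 72, 1, 0, 64, 0, 1)
            + struct.pack("<QQHHIQQQ", 0, 7, 64, 0, 0, 8 * 4096, 30000, 30000)
            + b"\x21\x08\x00\x10\x00" + bytes(3))   # run header 0x21: 1-byte length, 2-byte LCN
    body = si + data + struct.pack("<II", END_OF_ATTRIBUTES, 0)
    rec[0:48] = struct.pack(HEADER_FMT, b"FILE", usa_off, usa_cnt, 0x1234, 5, 1, attr_off,
                            FLAG_IN_USE, attr_off + len(body), RECORD_SIZE, 0, 2, 0, 64)
    rec[attr_off:attr_off + len(body)] = body
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 6] = usn + rec[510:512] + rec[1022:1024]   # save sector-end bytes
    rec[510:512] = rec[1022:1024] = usn                               # then stamp the USN
    return bytes(rec)


if __name__ == "__main__":
    info = parse_mft_record(build_sample_record())
    print("MFT entry %(record_number)d seq %(sequence)d in_use=%(in_use)s" % info)
    for a in info["attributes"]:
        print("  ", a["type"], "non-resident" if a["non_resident"] else "resident", a.get("runs", ""))
```

To run this against real data, extract the MFT with icat (entry 0 is $MFT), read it in 1024-byte slices and hand each slice to parse_mft_record; a record whose in_use flag is clear is what fls reports as a deleted entry, and the runs of its $DATA attribute are where icat would still read the content from.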

We can then use fls to see what an entry is and where it sits in the directory hierarchy. Once we have located a file, istat pulls up its metadata and icat extracts its contents. Because most images carry a partition table, the start sector that mmls reports for the NTFS partition must be passed to each of these tools as the image offset (the -o option, in sectors) so that they read the correct file system.
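The sequence above (mmls, then fsstat, fls, istat and icat against the partition mmls found) is put together in the script below. It is an added example, not code from the tutorial or from The Sleuth Kit: SAMPLE_MMLS is constructed text in the format mmls prints, the image name disk.dd and the metadata address 64 are assumed, and the tools are only executed if they are installed and the image exists; otherwise the command lines are printed so the argument order can be checked.

```python
"""Drive the mmls -> fsstat/fls/istat/icat workflow for one NTFS partition.
Added example; SAMPLE_MMLS is constructed, disk.dd and address 64 are assumed."""
import os
import re
import shutil
import subprocess

# Constructed: what `mmls disk.dd` prints for a single NTFS partition at sector 2048.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   NTFS / exFAT (0x07)
"""

ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_mmls(text):
    """One dict per partition-table row; start/end/length are in sectors."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"index": int(m.group(1)), "slot": m.group(2), "start": int(m.group(3)),
                         "end": int(m.group(4)), "length": int(m.group(5)), "desc": m.group(6)})
    return rows


def ntfs_start_sector(rows):
    """Start sector of the first NTFS row: the value every file system tool takes via -o."""
    for r in rows:
        if "NTFS" in r["desc"]:
            return r["start"]
    raise LookupError("no NTFS partition in mmls output")


def tsk_command(tool, image, offset, *options, target=None):
    """argv for a TSK file system tool: options, then the image, then an optional
    metadata address. -o is the partition start in sectors, exactly as mmls reports it."""
    argv = [tool, "-o", str(offset), *options, image]
    if target is not None:
        argv.append(str(target))
    return argv


def workflow(image, offset, meta_addr):
    """The tutorial's command sequence for one file system, as argv lists."""
    return [
        tsk_command("fsstat", image, offset),
        tsk_command("fls", image, offset, "-r", "-p"),         # recurse, show full paths
        tsk_command("fls", image, offset, "-r", "-p", "-d"),   # deleted entries only
        tsk_command("istat", image, offset, target=meta_addr),
        tsk_command("icat", image, offset, target=meta_addr),
    ]


if __name__ == "__main__":
    image = "disk.dd"                                           # assumed image name
    offset = ntfs_start_sector(parse_mmls(SAMPLE_MMLS))
    for argv in workflow(image, offset, 64):
        if shutil.which(argv[0]) and os.path.exists(image):
            subprocess.run(argv, check=False)
        else:
            print(" ".join(argv))
```

When the image is a single file system with no partition table, mmls fails and the tools are run without -o; when a volume starts at an unusual sector, forgetting -o is the usual reason fsstat reports that it cannot determine the file system type.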

Video

Duration: 15mins

Further Reading Subjects:

  • Master File Table
  • NTFS File Systems