File-System-Analysis-Using-Autopsy

File System Analysis Using Autopsy

File System Analysis Using Autopsy is a digital forensics platform and graphical interface to The Sleuth Kite and other digital forensics tools. Law enforcement, military, and corporate examiners use it to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.

Autopsy is an end-to-end platform with modules that come with it out of the box and others that are available from third-parties. Some of the modules provide:

  • Timeline Analysis – Advanced graphical event viewing interface (video tutorial included),
  • Hash Filtering – Flag known bad files and ignore known good.
  • Keyword Search – Indexed keyword search to find files that mention relevant terms.
  • Web Artifacts – Extract history, bookmarks, cookies from Firefox, Chrome, and IE.
  • Data Carving – Recover deleted files from unallocated space using PhotoRec.
  • Multimedia – Extract EXIF from pictures and watch videos.
  • Indicators of Compromise – Scan a computer using STIX.

File System Analysis Using The Sleuth Kit (TSK)

The Sleuth Kite (TSK) is a library and collection of command line tools that allow you to investigate disk images. The core functionality of TSK allows you to analyze volume and file system data. The plug-in framework allows you to incorporate additional modules to analyze file contents and build automated systems. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

  • Volume and File System Analysis
  • Plug-in Framework
  • Download
  • Documents
  • History
  • Licenses

Related Product : Computer Hacking Forensic Investigator | CHFI

1.The Sleuth Kit (TSK): fsstat

fsstat – Display general details of a file system

Syntax

fsstat. [-f fstype J [-i imgtype] [-o _imgoffset]   [-b dev_sectir_size] [-tvV] image [images]

Description

fsstat displays the details associated with a file system. The output of this command is file system specific. At a minimum, the range of meta-data values (inode numbers) and content units (blocks or clusters) are given. Also given are details from the Super Block, such as mount times and features. For file systems using groups (FFS and EXT2FS), the tool lists the layout of each group.

For a FAT file system, the FAT table is in a condensed format. Note that the data is in sectors and not in clusters.

Arguments

  • t: type Print the file system type only.
  • f: fstype Specify the file system type. Use -f list’ to list the supported file system types. If not given, autodetection methods are used.
  • i: imgtype Identify the type of image file, such as raw. Use’-i list’ to list the supported types. If not given, autodetection methods are used.
  • o imgoffset: The sector offset where the file system starts in the image.
  • b dev_sector_size: The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512-bytes is assumed.
  • v: output of debugging statements to stderr
  • v: Display version In the above image, the investigator uses fsstat command line tool from the Sleuth Kit to view details of an NTFS image named image.E01.

Also Read : Overview of File System Analysis

2.The Sleuth Kit (TSK): istat (1 of 4)

istat – Display details of a meta-data structure (i.e. inode)

Syntax

istat [-B num ] [-f fstype ] [-1 imgtype] [-o imgoffset] [-b dev_sector_size] [-vV] [-z zone ] [-s seconds ] image [images] inode                     

Description

istat displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated.

The options are as follows:

  • B num: Display the addresses of num disk units. Useful when the inode is unallocated with size 0 but still has block pointers.
  • f fstype: Specify the file system type. Use ‘-f list’ to list the supported file system types. If not given, autodetection methods are used.
  • s seconds: The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100.
  • i imgtype : Identify the type of image file, such as raw. Use’-i list’ to list the supported If not given, autodetection methods are used.
  • o imgoffset: The sector offset where the file system starts in the image.
  • b dev_sector_size: The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512-bytes is assumed.
  • v: Verbose output of debugging statements to stderr
  • V: Display version
  • z zone: An ASCII string of the original system’s time zone. For example, EST5EDT or GMT. These strings are defined by the operating system and may vary. NOTE: This has changed since TCTUTILs.
  • image [images]: The disk or partition image to read, whose format is given with ‘-I’. Multiple image file names can be given if the image is split into multiple segments. If only one image file is given and its name is the first in a sequence (e.g., as indicated by ending in ‘.001’), subsequent image segments will be included automatically.
  • Inode Meta-data number to display
Segment
Number
File Name Purpose
0 $MFT Describes all files on the volume, including file names, timestamps, stream names, and lists of cluster numbers where data streams reside, indexes, security identifiers, and file attributes like “read only”,”compressed”, “encrypted”, etc.
1 $MFTMirr Duplicate of the first vital entries of $MFT, usually

4 entries (4 Kilobytes).

2 $LogFile Contains transaction log of file system rnetadata changes
3 Volume Contains information about the volume, namely the volume object identifier, volume label, file system version, and volume flags
4 $AttrDef A table of MET attributes that associates numeric

identifiers with names.

 

5 . Root directory. Directory data is stored in $INDEX_ROOT and $INDEX_ALLOCATION attributes both named $130.

 

 

6 $Bitmap

 

An array of bit entries: each bit indicates whether its corresponding cluster is used (allocated) or free (available for allocation)
7 $Boot Volume boot record. This file is always located at the first clusters on the volume. It contains bootstrap code (see NTLDR/BOOTMGR) and a BIOS parameter block including a volume serial number and cluster numbers of $MFT
8 $BadClus  A file that contains all the clusters marked as having bad sectors. This file simplifies cluster management by the chkdsk utility, both as a place to put newly discovered bad sectors, and for identifying unreferenced clusters. This file contains two data streams, even on volumes with no bad sectors: an unnamed stream contains bad sectors—it is zero length for perfect volumes; the second stream is named $Bad and contains all clusters on the volume not in the first stream.
9 $Secure Access control lists database that reduces overhead having many identical ACLs stored with each file, by uniquely storing these ACLs in this database only
10 $UpCase A table of unicode uppercase characters for ensuring case-insensitivity in Win32 and DOS namespaces.

3.The Sleuth Kit (TSK): fls and img_stat

fls: fls-List file and directory names in a disk image.

Syntax

fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] [- b dev_sector_size] image [images] [ inode ]

Description

fls lists the files and directory names within the image and may display file names of recently deleted files for the directory using the given mode. if the mode argument isn’t given, the inode value for the basis directory is employed . for instance , on an NTFS file system it might be 5 and on an Ext3 file system it might be 2.

Arguments

  • a: Display the “.” and ..” directory entries (by default it does not)
  • d: Display deleted entries only
  • D: Display directory entries only
  • f fstype: Displays the sort of file system. Use ‘4 fist’ to list the supported file system types, given, auto detection methods are used.
  • F: Display file (all non-directory) entries only.
  • I: Display file details in long format. the following contents are displayed: file_type inode file_name mod_time acc_time chg_time cre_time size uid gid
  • m mnt: Display files in machine format in order that a timeline are often gid created with mactime(1). The string given as rent will be prepended to the file names because the mounting point (for example /usr).
  • p: Display the complete path for every entry. By default, it denotes the directory depth on recursive runs with a ‘+’ sign.
  • r: Recursively display directories. this may not follow deleted directories, because it can’t.
  • s seconds:  The time skew of the first system in seconds. for instance , if the first system was 100 seconds slow, this value would be -100. this is often only used if -I or are given.
  • i imgtype:  Identify the sort of image filet like raw. Use list’ to list the supported types. If not given, auto detection methods are used.
  • o imgoffset: The sector offset where the file system starts within the image.
  • b dev_sector_size: The size, in bytes, of the underlying device sectors. If not given, the worth within the image format is employed (if it exists) or 512-bytes is assumed.
  • u: Display undeleted entries only
  • v: Verbose output to stderr.
  • V: Display version.
  • z zone: The ASCII string of the zone of the first system. for instance , EST or GMT. These strings must be defined by your OS and should vary.
  • img_stat: img_stat- Display details of a picture file

Syntax

img_stat [-i imgtype] [-b dev_sector_size] [-tvV] image [images]

Description

img_stat displays the small print related to a picture file. The output of this command is image format specific. At a minimum, the size are going to be given and the byte range of every file will be given for split image formats.

Arguments

  • i imgtype: Identify the type of image file, like raw. Use’-i list’ to list the supported types. If not given, autodetection methods are used.
  • b dev_sector_size: The size, in bytes, of the underlying device sectors. If not given, the worth within the image format is employed (if it exists) or 512-bytes is assumed.
  • t: Print the image type only.
  • v: output of debugging statements to stderr
  • V: Display version

Questions related to this topic

  1. What are the different file systems?
  2. What is a file signature and why is it important in computer forensics?
  3. What are the different steps in the file system forensics process?
  4. What is a file system on a computer?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ

Leave a Comment

Your email address will not be published. Required fields are marked *