Advanced Digital Forensics

Outline

This page gives an outline of how digital forensics can be used to analyse disk systems. The demonstration shows the usage of SleuthKit on both Microsoft Windows and Linux.

Presentation

The following provides an overview presentation with live demo. The SleuthKit download is [here]. Lab [Here].
MBR Format
      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000 FA 33 C0 8E D0 BC 00 7C 8B F4 50 07 50 1F FB FC .3.....|..P.P...
0010 BF 00 06 B9 00 01 F2 A5 EA 1D 06 00 00 BE BE 07 ................
0020 B3 04 80 3C 80 74 0E 80 3C 00 75 1C 83 C6 10 FE ...<.t..<.u.....
0030 CB 75 EF CD 18 8B 14 8B 4C 02 8B EE 83 C6 10 FE .u......L.......
0040 CB 74 1A 80 3C 00 74 F4 BE 8B 06 AC 3C 00 74 0B .t..<.t.....<.t.
0050 56 BB 07 00 B4 0E CD 10 5E EB F0 EB FE BF 05 00 V.......^.......
0060 BB 00 7C B8 01 02 57 CD 13 5F 73 0C 33 C0 CD 13 ..|...W.._s.3...
0070 4F 75 ED BE A3 06 EB D3 BE C2 06 BF FE 7D 81 3D Ou...........}.=
0080 55 AA 75 C7 8B F5 EA 00 7C 00 00 49 6E 76 61 6C U.u.....|..Inval
0090 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61 62 id partition tab
00A0 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E 67 le.Error loading
00B0 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65  operating syste
00C0 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61 74 m.Missing operat
00D0 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00 00 ing system......
00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................
01C0 14 00 04 03 60 DA 33 00 00 00 4D ED 00 00 00 00 ....`.3...M.....
01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............U.

Color code (the colours are not reproduced here, so the byte ranges are given instead): Green - MBR executable code (0x000-0x08A), Blue - Error messages (0x08B-0x0DA), Red - Partition Table (0x1BE-0x1FD, four 16-byte entries), Yellow - Magic number (0x1FE-0x1FF, 55 AA)
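As an added example, not part of the original page or of SleuthKit, the following parser decodes the partition table from the dump above the way mmls does. It builds a 512-byte sector from the page's own partition entry and signature (the boot code region is zero-filled, so the sector is constructed), decodes each 16-byte entry, cross-checks the CHS fields against the LBA fields, and derives the sector offset that is later passed to SleuthKit as -o 51. The 4 heads / 32 sectors-per-track geometry used for the CHS check is an assumption chosen because it makes this card's CHS and LBA fields agree; other media use other geometries.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE
MBR_SIGNATURE = b"\x55\xAA"

# Partition entry 0 (offsets 0x1BE-0x1CD) and the 0x55AA signature, copied
# from the dump above. The boot code and error strings are zero-filled:
# this is a constructed 512-byte sector, not a full copy of the card's MBR.
PART_ENTRY_0 = bytes.fromhex("00 01 14 00 04 03 60 DA 33 00 00 00 4D ED 00 00")
SAMPLE_MBR = bytes(PART_TABLE_OFFSET) + PART_ENTRY_0 + bytes(3 * 16) + MBR_SIGNATURE
assert len(SAMPLE_MBR) == SECTOR_SIZE


def decode_chs(raw):
    """Decode a 3-byte CHS field into (cylinder, head, sector).
    Byte 0 is the head, the low 6 bits of byte 1 the sector, and the
    high 2 bits of byte 1 plus byte 2 form the 10-bit cylinder."""
    head, sec_cyl_hi, cyl_lo = raw
    sector = sec_cyl_hi & 0x3F
    cylinder = ((sec_cyl_hi & 0xC0) << 2) | cyl_lo
    return cylinder, head, sector


def chs_to_lba(chs, heads=4, sectors_per_track=32):
    """LBA = (C * heads + H) * sectors_per_track + (S - 1).
    The geometry (4 heads, 32 sectors/track) is an assumption that makes
    this card's CHS fields agree with its LBA fields; other media differ."""
    c, h, s = chs
    return (c * heads + h) * sectors_per_track + (s - 1)


def parse_mbr(sector):
    """Return the non-empty entries of the MBR partition table."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("MBR must be a full 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    entries = []
    for slot in range(4):
        boot, start_chs, ptype, end_chs, lba_start, n_sectors = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * slot)
        if ptype == 0x00:
            continue                      # unused slot
        entries.append({
            "slot": slot,
            "bootable": boot == 0x80,
            "type": ptype,
            "start_chs": decode_chs(start_chs),
            "end_chs": decode_chs(end_chs),
            "start": lba_start,
            "end": lba_start + n_sectors - 1,
            "length": n_sectors,
            "byte_offset": lba_start * SECTOR_SIZE,   # what `-o <sectors>` resolves to
        })
    return entries


def chs_consistent(entry, heads=4, sectors_per_track=32):
    """True when the CHS fields agree with the LBA fields. A mismatch is worth
    noting in a report: a hand-edited table, or simply a different geometry."""
    return (chs_to_lba(entry["start_chs"], heads, sectors_per_track) == entry["start"]
            and chs_to_lba(entry["end_chs"], heads, sectors_per_track) == entry["end"])


if __name__ == "__main__":
    print("Slot  Start       End         Length      Type")
    for e in parse_mbr(SAMPLE_MBR):
        print(f'{e["slot"]:02d}:   {e["start"]:010d}  {e["end"]:010d}  '
              f'{e["length"]:010d}  0x{e["type"]:02X}  '
              f'(-o {e["start"]}, byte offset {e["byte_offset"]}, '
              f'CHS consistent: {chs_consistent(e)})')
```

Running it reproduces the mmls row shown further down the page (start 51, end 60799, length 60749, type 0x04) and shows why the later SleuthKit commands use -o 51: the offset is counted in 512-byte sectors, so the file system starts 26112 bytes into the image.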
Sample analysis
In this analysis we examine a disk image of a 32MB SD card containing photographs shot on a Canon PowerShot SD800IS:
C:\sleuthkit-4.1.2-win32\bin> mmls -t dos nps-2009-canon2-gen1.raw
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000050   0000000051   Unallocated
02:  00:00   0000000051   0000060799   0000060749   DOS FAT16 (0x04)

C:\sleuthkit-4.1.2-win32\bin> ils -o 51 -f fat16 -i raw nps-2009-canon2-gen1.raw
class|host|device|start_time
ils|unknown||1389713021
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
1029|f|0|0|1230041558|1229990400|0|1230041558|777|1|855935
1030|f|0|0|1230041566|1229990400|0|1230041566|777|1|871587
1031|f|0|0|1230041572|1229990400|0|1230041572|777|1|840101
1032|f|0|0|1230041576|1229990400|0|1230041576|777|1|859050
1033|f|0|0|1230041582|1229990400|0|1230041582|777|1|836531
1034|f|0|0|1230041588|1229990400|0|1230041588|777|1|777709
1035|f|0|0|1230041592|1229990400|0|1230041592|777|1|865313
1036|f|0|0|1230041596|1229990400|0|1230041596|777|1|745065
1037|f|0|0|1230041602|1229990400|0|1230041602|777|1|840692
1038|f|0|0|1230041606|1229990400|0|1230041606|777|1|853643
1039|f|0|0|1230041610|1229990400|0|1230041610|777|1|771052
1040|f|0|0|1230041616|1229990400|0|1230041616|777|1|815821
1041|f|0|0|1230041620|1229990400|0|1230041620|777|1|842160
1042|f|0|0|1230041624|1229990400|0|1230041624|777|1|873437
1043|f|0|0|1230041632|1229990400|0|1230041632|777|1|821758
1044|f|0|0|1230041636|1229990400|0|1230041636|777|1|853839
1045|f|0|0|1230041640|1229990400|0|1230041640|777|1|795574
1046|f|0|0|1230041646|1229990400|0|1230041646|777|1|784455
1047|f|0|0|1230041650|1229990400|0|1230041650|777|1|864257
1048|f|0|0|1230041656|1229990400|0|1230041656|777|1|883127
1049|f|0|0|1230041660|1229990400|0|1230041660|777|1|819599
1050|f|0|0|1230041666|1229990400|0|1230041666|777|1|728696
1051|f|0|0|1230041670|1229990400|0|1230041670|777|1|858798
1052|f|0|0|1230041676|1229990400|0|1230041676|777|1|838434
1053|f|0|0|1230041680|1229990400|0|1230041680|777|1|791333
1054|f|0|0|1230041686|1229990400|0|1230041686|777|1|768385
1055|f|0|0|1230041690|1229990400|0|1230041690|777|1|840253
1056|f|0|0|1230041694|1229990400|0|1230041694|777|1|815636
1057|f|0|0|1230041698|1229990400|0|1230041698|777|1|861552
1058|f|0|0|1230041702|1229990400|0|1230041702|777|1|867833
1059|f|0|0|1230041708|1229990400|0|1230041708|777|1|749202
1060|f|0|0|1230041714|1229990400|0|1230041714|777|1|879834
1061|f|0|0|1230041718|1229990400|0|1230041718|777|1|845375
1062|f|0|0|1230041722|1229990400|0|1230041722|777|1|812465
1063|f|0|0|1230041728|1229990400|0|1230041728|777|1|820105
1064|f|0|0|1230041736|1229990400|0|1230041736|777|1|882337

C:\sleuthkit-4.1.2-win32\bin> fls -o 51 -f fat16 -i raw -r nps-2009-canon2-gen1.raw
r/r 3: CANON_DC (Volume Label Entry)
d/d 4: DCIM
+ d/d 517: 100CANON
++ r/r * 1029: IMG_0001.JPG
++ r/r * 1030: IMG_0002.JPG
++ r/r * 1031: IMG_0003.JPG
++ r/r * 1032: IMG_0004.JPG
++ r/r * 1033: IMG_0005.JPG
++ r/r * 1034: IMG_0006.JPG
++ r/r * 1035: IMG_0007.JPG
++ r/r * 1036: IMG_0008.JPG
++ r/r * 1037: IMG_0009.JPG
++ r/r * 1038: IMG_0010.JPG
++ r/r * 1039: IMG_0011.JPG
++ r/r * 1040: IMG_0012.JPG
++ r/r * 1041: IMG_0013.JPG
++ r/r * 1042: IMG_0014.JPG
++ r/r * 1043: IMG_0015.JPG
++ r/r * 1044: IMG_0016.JPG
++ r/r * 1045: IMG_0017.JPG
++ r/r * 1046: IMG_0018.JPG
++ r/r * 1047: IMG_0019.JPG
++ r/r * 1048: IMG_0020.JPG
++ r/r * 1049: IMG_0021.JPG
++ r/r * 1050: IMG_0022.JPG
++ r/r * 1051: IMG_0023.JPG
++ r/r * 1052: IMG_0024.JPG
++ r/r * 1053: IMG_0025.JPG
++ r/r * 1054: IMG_0026.JPG
++ r/r * 1055: IMG_0027.JPG
++ r/r * 1056: IMG_0028.JPG
++ r/r * 1057: IMG_0029.JPG
++ r/r * 1058: IMG_0030.JPG
++ r/r * 1059: IMG_0031.JPG
++ r/r * 1060: IMG_0032.JPG
++ r/r * 1061: IMG_0033.JPG
++ r/r * 1062: IMG_0034.JPG
++ r/r * 1063: IMG_0035.JPG
++ r/r * 1064: IMG_0036.JPG
v/v 971779: $MBR
v/v 971780: $FAT1
v/v 971781: $FAT2
d/d 971782: $OrphanFiles

C:\sleuthkit-4.1.2-win32\bin> fls -o 51 -f fat16 -i raw -m / -r nps-2009-canon2-gen1.raw > bodyfile.txt
C:\sleuthkit-4.1.2-win32\bin> perl mactime.pl -b bodyfile.txt -d > macout.csv
C:\sleuthkit-4.1.2-win32\bin> icat -o 51 nps-2009-canon2-gen1.raw 1029 > img_0001.jpg

The corpus is here. The output file from this is here and the image file is here.
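The ils listing above is the raw material the mactime step turns into a timeline, and two things in it are easy to misread: every st_atime is exactly midnight, and every st_ctime is 0. The following script is an added example (not part of the page, not SleuthKit's mactime) that parses a constructed sample made of the header and three of the rows above, converts the epoch values to UTC, skips the zero timestamps, merges a file's identical timestamps into one MACB-flagged event the way mactime does, and flags date-only values. The interpretation it encodes is a FAT property: the directory entry stores the last-access time as a date only, and has no metadata-change time, which SleuthKit reports as 0.

```python
from datetime import datetime, timezone

# Constructed sample: the two header lines and three of the rows from the
# ils listing above (inodes 1029, 1030 and 1064); the full run has 36 rows.
ILS_OUTPUT = """\
class|host|device|start_time
ils|unknown||1389713021
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
1029|f|0|0|1230041558|1229990400|0|1230041558|777|1|855935
1030|f|0|0|1230041566|1229990400|0|1230041566|777|1|871587
1064|f|0|0|1230041736|1229990400|0|1230041736|777|1|882337
"""

# ils column -> MACB flag letter as mactime prints it
# (m = modified, a = accessed, c = metadata changed, b = born/created)
TIME_COLUMNS = (("st_mtime", "m"), ("st_atime", "a"),
                ("st_ctime", "c"), ("st_crtime", "b"))


def parse_ils(text):
    """Turn ils pipe-delimited output into records with UTC datetimes."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    columns = lines[2].split("|")           # the third line names the columns
    records = []
    for line in lines[3:]:
        fields = dict(zip(columns, line.split("|")))
        rec = {
            "inode": int(fields["st_ino"]),
            "deleted": fields["st_alloc"] == "f",   # 'f' = free, 'a' = allocated
            "size": int(fields["st_size"]),
            "times": {},
        }
        for column, flag in TIME_COLUMNS:
            ts = int(fields[column])
            if ts == 0:
                continue    # 0 = not recorded by this file system (FAT has no ctime)
            rec["times"][flag] = datetime.fromtimestamp(ts, timezone.utc)
        records.append(rec)
    return records


def is_date_only(when):
    """FAT keeps the access time as a date only, so it always lands on 00:00:00.
    Treat such a value as 'that day', not as 'that instant'."""
    return (when.hour, when.minute, when.second) == (0, 0, 0)


def build_timeline(records):
    """Merge a record's timestamps that fall on the same instant into one
    MACB-flagged event and sort chronologically, as mactime does."""
    events = {}
    for rec in records:
        for flag, when in rec["times"].items():
            ev = events.setdefault((when, rec["inode"]), {
                "time": when, "inode": rec["inode"], "size": rec["size"],
                "deleted": rec["deleted"], "flags": set()})
            ev["flags"].add(flag)
    timeline = []
    for key in sorted(events):
        ev = events[key]
        ev["flags"] = "".join(f if f in ev["flags"] else "." for f in "macb")
        timeline.append(ev)
    return timeline


if __name__ == "__main__":
    for ev in build_timeline(parse_ils(ILS_OUTPUT)):
        note = " (date-only)" if is_date_only(ev["time"]) else ""
        state = "deleted" if ev["deleted"] else "allocated"
        print(f'{ev["time"]:%Y-%m-%d %H:%M:%S} {ev["flags"]} {ev["size"]:>8} '
              f'{state} inode {ev["inode"]}{note}')
```

On the sample the three access dates collapse to 2008-12-23 00:00:00 and the modification and creation times coincide (flag string m..b), which is what one expects for photographs written once by the camera and never edited on the card.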
Example 2
In this analysis we examine a disk image of a 32MB SD card containing photographs shot on a Canon PowerShot SD800IS:
C:\sleuthkit-4.1.2-win32\bin> ils -o 97 -f fat16 -i raw nps-2013-canon1.raw
class|host|device|start_time
ils|unknown||1389713673
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
1029|f|0|0|1370184152|1370127600|0|1370184152|777|0|3541836

C:\sleuthkit-4.1.2-win32\bin> fls -o 97 -f fat16 -i raw nps-2013-canon1.raw
r/r 3: CANON_DC (Volume Label Entry)
d/d 4: DCIM
v/v 4011523: $MBR
v/v 4011524: $FAT1
v/v 4011525: $FAT2
d/d 4011526: $OrphanFiles

C:\sleuthkit-4.1.2-win32\bin> fls -o 97 -f fat16 -i raw -r nps-2013-canon1.raw
r/r 3: CANON_DC (Volume Label Entry)
d/d 4: DCIM
+ d/d 517: 111___06
++ r/r * 1029: _MG_0125.JPG
++ r/r 1030: IMG_0126.JPG
+ d/d 518: CANONMSC
++ r/r 183301: M0111.CTG
v/v 4011523: $MBR
v/v 4011524: $FAT1
v/v 4011525: $FAT2
d/d 4011526: $OrphanFiles

C:\sleuthkit-4.1.2-win32\bin> fls -o 97 -f fat16 -i raw -m / -r nps-2013-canon1.raw > bodyfile.txt
C:\sleuthkit-4.1.2-win32\bin> perl mactime.pl -b bodyfile.txt -d > macout.csv
C:\sleuthkit-4.1.2-win32\bin> icat -o 97 nps-2013-canon1.raw 1030 > 1.jpg

The corpus is here. The output file from this is here and the image file is here.
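The recursive fls listing above shows the tree by indentation only, which is fine on screen but not for a report or for picking inodes to hand to icat. As an added example (not part of the page or of SleuthKit), the parser below reads a constructed copy of that listing, rebuilds each entry's full path from the + depth markers in the same way the -m / option would, and separates deleted entries (the * marker), virtual entries (v/v, such as $MBR and $FAT1) and allocated files. The note on _MG_0125.JPG reflects how FAT marks deletion: the first byte of the short directory entry is overwritten with 0xE5, which SleuthKit prints as an underscore, so the original first character cannot be read back from that entry alone.

```python
import re

# Constructed sample: the `fls -r` listing for nps-2013-canon1.raw shown above.
FLS_OUTPUT = """\
r/r 3: CANON_DC (Volume Label Entry)
d/d 4: DCIM
+ d/d 517: 111___06
++ r/r * 1029: _MG_0125.JPG
++ r/r 1030: IMG_0126.JPG
+ d/d 518: CANONMSC
++ r/r 183301: M0111.CTG
v/v 4011523: $MBR
v/v 4011524: $FAT1
v/v 4011525: $FAT2
d/d 4011526: $OrphanFiles
"""

# One fls line: depth markers, "<dir type>/<meta type>", optional "* " for a
# deleted entry, the inode (NTFS prints inode-attr-id, hence the optional
# suffix), a colon and the name.
FLS_LINE = re.compile(
    r"^(?P<depth>\+*)\s*(?P<types>[a-z-]/[a-z-])\s+"
    r"(?P<deleted>\*\s+)?(?P<inode>\d+)(?:-\d+-\d+)?:\s+(?P<name>.*)$")


def parse_fls(text, root="/"):
    """Rebuild full paths from an `fls -r` listing using the '+' depth markers."""
    stack = []          # names of the directories from the root down to here
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FLS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised fls line: {line!r}")
        depth = len(m.group("depth"))
        del stack[depth:]               # back out of any deeper directories
        name = m.group("name")
        entry = {
            "path": root + "/".join(stack + [name]),
            "inode": int(m.group("inode")),
            "dir_type": m.group("types")[0],    # type from the directory entry
            "meta_type": m.group("types")[2],   # type from the metadata structure
            "deleted": m.group("deleted") is not None,
            "virtual": m.group("types") == "v/v",
            # FAT overwrites the first byte of a deleted short entry with 0xE5,
            # shown by fls as '_'; the real first character is lost from this entry.
            "first_char_overwritten": m.group("deleted") is not None and name.startswith("_"),
        }
        entries.append(entry)
        if entry["dir_type"] == "d":
            stack.append(name)
    return entries


def deleted_files(entries):
    """Paths of deleted regular files (candidates for recovery with icat)."""
    return [e["path"] for e in entries if e["deleted"] and e["dir_type"] == "r"]


def allocated_files(entries):
    """inode -> path for live regular files, excluding virtual $-entries."""
    return {e["inode"]: e["path"] for e in entries
            if e["dir_type"] == "r" and not e["deleted"] and not e["virtual"]}


if __name__ == "__main__":
    parsed = parse_fls(FLS_OUTPUT)
    for e in parsed:
        tag = "virtual" if e["virtual"] else ("deleted" if e["deleted"] else "allocated")
        print(f'{e["inode"]:>8} {tag:9} {e["path"]}')
    print("deleted:", deleted_files(parsed))
```

Because icat addresses content by inode, both the deleted _MG_0125.JPG (inode 1029) and the live IMG_0126.JPG (inode 1030) can be extracted with the same icat command used on the page; for the deleted one the path listing here records that the name shown is already partially overwritten, which is the kind of detail worth carrying into the bodyfile and the final report.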