To continue our discussion of analyzing file systems with the Sleuth Kit, we need to look at some of the other commands you may need. fsstat provides basic information about the file system itself and also lists the system files. It shows the Volume Serial Number, which is generated when the volume is created. It is useful if you need to determine whether the volume on a USB thumb drive or other external device has ever been connected to a system.
$ fsstat -o63 nps-2008-jean.E01
FILE SYSTEM INFORMATION
File System Type: NTFS
Volume Serial Number: 7E745008744FC21F
OEM Name: NTFS
Version: Windows XP
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 1309293
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 32848
Root Directory: 5
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 2618586
Total Sector Range: 0 - 20948695
$AttrDef Attribute Values:
$STANDARD_INFORMATION (16) Size: 48-72 Flags: Resident
$ATTRIBUTE_LIST (32) Size: No Limit Flags: Non-resident
$FILE_NAME (48) Size: 68-578 Flags: Resident,Index
$OBJECT_ID (64) Size: 0-256 Flags: Resident
$SECURITY_DESCRIPTOR (80) Size: No Limit Flags: Non-resident
$VOLUME_NAME (96) Size: 2-256 Flags: Resident
$VOLUME_INFORMATION (112) Size: 12-12 Flags: Resident
$DATA (128) Size: No Limit Flags:
$INDEX_ROOT (144) Size: No Limit Flags: Resident
$INDEX_ALLOCATION (160) Size: No Limit Flags: Non-resident
$BITMAP (176) Size: No Limit Flags: Non-resident
$REPARSE_POINT (192) Size: 0-16384 Flags: Non-resident
$EA_INFORMATION (208) Size: 8-8 Flags: Resident
$EA (224) Size: 0-65536 Flags:
$LOGGED_UTILITY_STREAM (256) Size: 0-65536 Flags: Non-resident
Windows stores the serial numbers of volumes that have been connected to the system in the past. On Windows systems you can locate previously connected volume serial numbers for USB devices in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\. Sector size may be important when you are dealing with less common file systems or extremely large volumes.
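As an added example (not part of the original post), here is a small Python parser for the fsstat output above. It pulls out the serial number, cross-checks the cluster and sector ranges against each other, and derives the volume size in bytes. It assumes fsstat's "Key: value" layout as shown, and it assumes that the short XXXX-XXXX serial that Windows utilities display is the low 32 bits of the 64-bit NTFS serial.

```python
# Constructed sample: the fsstat output quoted above, trimmed to the
# FILE SYSTEM INFORMATION block (the $AttrDef table is left out here).
FSSTAT_OUTPUT = """\
FILE SYSTEM INFORMATION
File System Type: NTFS
Volume Serial Number: 7E745008744FC21F
OEM Name: NTFS
Version: Windows XP
Size of MFT Entries: 1024 bytes
Range: 0 - 32848
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 2618586
Total Sector Range: 0 - 20948695
"""


def parse_fsstat(text):
    """Turn 'Key: value' lines into a dict.

    Section headers ('FILE SYSTEM INFORMATION') have no colon and lines such as
    '$AttrDef Attribute Values:' have no value, so both are skipped.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def short_serial(serial64):
    """Assumption: the 32-bit form Windows tools show is the low DWORD, as XXXX-XXXX."""
    low = serial64[-8:].upper()
    return f"{low[:4]}-{low[4:]}"


def volume_geometry(fields):
    """Derive sizes from the parsed fields and cross-check the two range lines.

    fsstat ranges are inclusive ('0 - N' covers N + 1 units), so the count is N + 1.
    The sector-based and cluster-based byte totals must agree for a sane image.
    """
    sector = int(fields["Sector Size"])
    cluster = int(fields["Cluster Size"])
    last_cluster = int(fields["Total Cluster Range"].split("-")[1])
    last_sector = int(fields["Total Sector Range"].split("-")[1])
    by_clusters = (last_cluster + 1) * cluster
    by_sectors = (last_sector + 1) * sector
    return {
        "serial": fields["Volume Serial Number"],
        "serial_short": short_serial(fields["Volume Serial Number"]),
        "sectors_per_cluster": cluster // sector,
        "bytes": by_sectors,
        "consistent": by_clusters == by_sectors,
    }
```

For the image above the two totals agree at 10,725,732,352 bytes, which is the roughly 10GB volume referred to later in this post.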
Another great tool is fiwalk. The name stands for File Inode Walk, and it prints out information about the file system and each inode contained in it. It's important to note that if you run this tool against a large volume (larger than our 10GB file system) it will take quite some time. Even the small volume we are running it against takes a while (approx. 3.5 minutes). Below I piped the output of the command to the Linux tee command, which displays the information in the terminal and also writes it to a file. In this case I created a file called fiwalkoutput.data. It can be reviewed with any text editor, but we will work with this file at another time.
$ fiwalk nps-2008-jean.E01 | tee fiwalkoutput.data
Below is another way to do the same thing, except you won't see anything in the terminal.
$ fiwalk nps-2008-jean.E01 > fiwalkoutput.data
I am only listing one piece of the fiwalk output to show you what it can do.
filename: Documents and Settings/Jean/Local Settings/Temporary Internet Files/Content.IE5/20S83G5U/repoffline.gif
So we can see the output gives us some good information: filename (and path), inode number, file size in bytes, whether the file is allocated or deleted, MD5 and SHA1 hash values, dates, times, and parent inode number. These can all be used to analyze the file in further detail with other commands. If you save the output as I did, your system won't have to hash each file in the volume the next time you need to locate some information. The saved file can be searched later if you are looking for specific hash values or inode numbers.
More importantly, fiwalk has options that will display EXIF data from images or other metadata that is valuable depending on the type of investigation you are doing. To learn more about metadata, fiwalk, and other information you may want to look at this document.
That's enough for tonight. Leave a comment.