Tuesday, April 22, 2014

File Systems Continued


To continue talking about analyzing file systems with the Sleuth Kit, we need to look at some of the other commands you may need.  fsstat gives us basic information about the file system itself and also lists the system files.  It shows the Volume Serial Number, which is generated when the volume is created.  It is useful if you need to determine whether the volume of a particular USB thumb drive or external device has ever been connected to a system.

$ fsstat -o63 nps-2008-jean.E01
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 7E745008744FC21F
OEM Name: NTFS    
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 1309293
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 32848
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 2618586
Total Sector Range: 0 - 20948695

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
$FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
$OBJECT_ID (64)   Size: 0-256   Flags: Resident
$SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)   Size: 2-256   Flags: Resident
$VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
$DATA (128)   Size: No Limit   Flags: 
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
$BITMAP (176)   Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)   Size: 8-8   Flags: Resident
$EA (224)   Size: 0-65536   Flags: 
$LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident

Windows stores the serial numbers of volumes that have been connected to the system in the past.  On Windows systems you can locate the volume serial numbers of previously connected USB devices in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\.  Sector size may be important when you are dealing with less common file systems or extremely large volumes.

Another great tool is fiwalk.  The name stands for File Inode Walk, and it prints information about the file system and each inode contained in it.  Note that if you run this tool against a large volume (larger than our 10GB file system) it will take quite some time; even the small volume we are running it against takes about 3.5 minutes.  Below I piped the output of the command to the Linux tee command, which displays the information in the terminal while also writing it to a file.  In this case I created a file called fiwalkoutput.data.  It can be reviewed with any text editor, but we will work with this file at another time.

$ fiwalk nps-2008-jean.E01 | tee fiwalkoutput.data

Below is another way to do the same thing, except you wouldn't see anything in the terminal.

$ fiwalk nps-2008-jean.E01 > fiwalkoutput.data

I am only listing one piece of the output of the fiwalk command to show what it can do.

parent_inode: 16225
filename: Documents and Settings/Jean/Local Settings/Temporary Internet Files/Content.IE5/20S83G5U/repoffline[9].gif
partition: 1
id: 4988
name_type: r
filesize: 5669
alloc: 1
used: 1
inode: 32282
meta_type: 1
mode: 511
nlink: 2
uid: 0
gid: 0
mtime: 1216358363
mtime_txt: 2008-07-18T05:19:23Z
ctime: 1216358363
ctime_txt: 2008-07-18T05:19:23Z
atime: 1216358363
atime_txt: 2008-07-18T05:19:23Z
crtime: 1216358363
crtime_txt: 2008-07-18T05:19:23Z
seq: 4
md5: 447237bcc728c30e159370ec9f17e5eb
sha1: 6661fcd9cd495a6528a347d66b4371bf17af88ab

So we can see the output here gives us some good information: filename (and path), inode number, file size in bytes, whether the file is allocated or deleted, MD5 and SHA1 hash values, dates, times, and parent inode number.  These can all be used to analyze the file in further detail with other commands.  If you save the output like I did, your system won't have to hash each file in the volume the next time you need to locate some information.  The saved file can be searched later if you are looking for specific hash values or inode numbers.
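To show how the saved fiwalk output can be searched without re-hashing the volume, here is an added Python example (not part of this post and not fiwalk's own code) that parses the "key: value" record layout shown above, looks records up by hash or inode, lists unallocated entries, and regenerates the *_txt timestamps from the raw epoch values.  The first sample record is trimmed from the output above; the second is constructed to show a deleted file.

```python
from datetime import datetime, timezone

# Sample in fiwalk's text layout: first record taken from the post (trimmed),
# second record constructed to show an unallocated (deleted) entry.
SAMPLE = """\
filename: Documents and Settings/Jean/Local Settings/Temporary Internet Files/Content.IE5/20S83G5U/repoffline[9].gif
filesize: 5669
alloc: 1
inode: 32282
mtime: 1216358363
md5: 447237bcc728c30e159370ec9f17e5eb
sha1: 6661fcd9cd495a6528a347d66b4371bf17af88ab

filename: deleted-notes.txt
filesize: 120
alloc: 0
inode: 40001
mtime: 1216358400
md5: 0123456789abcdef0123456789abcdef
"""

INT_FIELDS = {"parent_inode", "partition", "id", "filesize", "alloc", "used", "inode",
              "meta_type", "mode", "nlink", "uid", "gid", "mtime", "ctime", "atime",
              "crtime", "seq"}

def parse_fiwalk(text):
    """One dict per record; records are 'key: value' lines separated by a blank line."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = int(value) if key in INT_FIELDS else value
    if current:
        records.append(current)
    return records

def find_by_hash(records, digest):
    """Match on MD5 or SHA1, case-insensitively, using the stored hashes."""
    digest = digest.lower()
    return [r for r in records if digest in (r.get("md5"), r.get("sha1"))]

def find_by_inode(records, inode):
    return [r for r in records if r.get("inode") == inode]

def unallocated(records):
    """alloc: 0 means the entry is deleted/unallocated in the file system."""
    return [r for r in records if r.get("alloc") == 0]

def epoch_to_iso(ts):
    """Reproduce fiwalk's *_txt fields (UTC) from the raw epoch value."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
```

Run it against a real capture with `parse_fiwalk(open("fiwalkoutput.data").read())`; the same functions then work on the full record set.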

More importantly, fiwalk has options that will display EXIF data from images or other metadata that is valuable depending on the type of investigation you are doing.  To learn more about metadata, fiwalk, and other information you may want to look at this document.

That's enough for tonight.  Leave a comment.
