Forensics with BackTrack and Sleuth Kit

Using Sleuth Kit and Autopsy

Sleuth Kit is a handy collection of open source forensics tools. Some of the tools in Sleuth Kit include mmstat, which displays information about partition tables, and jls, which lists the contents of a file system journal.

The typical procedure for a Sleuth Kit investigation is:

  1. With fls, create a list of critical file and directory names within the image.
  2. With ils, create a list of inode information.
  3. With mactime, create a timeline (file activity, access, deletion, etc.).
  4. With icat, extract interesting (and deleted) files from inodes.

An example of the initial steps is:

fls -f ext -m / /evidence/ddriveimage.dd > output-data
ils -f ext -m /evidence/ddriveimage.d >> data-output
mactime -b data-output 01/01/2008-12/31/2008 > activity-report-2008

If an attacker altered access times, you'll want to specify a large data range to ensure you get all the data. After you run this, you should end up with output similar to Listing 1, in which you can see a user named Kurt accessed an account via SSH.

Listing 1

Tracking Access

01 Mon Jun 02 2008 01:16:45 24 ..c  -/-rw-r--r-  kurt kurt 58498 /home/kurt/.bash_logout
02                          176 ..c -/-rw-r--r-  kurt kurt 58499 /home/kurt/.bash_profile
03                          124 ..c -/-rw-r--r-- kurt kurt 58500 /home/kurt/.bashrc

Extracting Files with Icat

Icat is a relatively simple utility that finds an inode in an image file and copies the data out to a file. The icat utility includes several useful options. The -s option copies the slack space, which might contain interesting or hidden information, and -r recovers deleted files. For example:

icat -s -f ext driveimage.dd 58499

This command will show you the contents of /home/kurt/.bash_profile (Listing 2).

Listing 2


01 # .bash_profile
03 # Get the aliases and functions
04 if [ -f ~/.bashrc ]; then
05         . ~/.bashrc
06 fi
08 # User specific environment and startup programs
12 export PATH
14 autopsy - a web interface to Sleuth Kit


Although the learning curve for Sleuth Kit isn't very steep, you can easily make a mistake that could cost you a great deal of time and effort. The Autopsy forensics browser, which is available through the Sleuth Kit website [2] automates the process and slaps on a web interface. Autopsy also provides some additional features, such as tracking cases, handling notes and events, and supporting multiple users. By default, autopsy only allows localhost ( to connect to the web server.

To allow a remote IP address, you need to use the -c option; however, it is important to remember that Autopsy doesn't provide any encryption, so if you don't access it locally, you either need to connect via a trusted network or use something like OpenSSH to create a secure tunnel.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • BackTrack

    The BackTrack live distribution lets you act like an intruder to test your network’s security.

  • Tracing Intruders Intro

    You don't need expensive proprietary tools to practice the craft of computer forensics.

  • On the DVD: BackTrack 5 R

    This issue’s DVD comes with the BackTrack 5 R1 [1][2][3] pen test distribution. BackTrack provides a great collection of pen testing and security auditing tools. You can boot into BackTrack Live from the DVD or install BackTrack permanently on your hard disk.

  • Caine

    Caine is a Linux distribution based on Ubuntu 10.04 for forensic scientists and security-conscious administrators. Poised to do battle against IT ne’er-do-wells, Caine has a comprehensive selection of software, a user-friendly GUI, and responsive support.

  • OCFA

    Automate the forensics process with the Dutch police department's Open Computer Forensics Architecture.

comments powered by Disqus

Direct Download

Read full article as PDF:

026-028_sleuthkit.pdf  (1.28 MB)