Investigating Windows systems with Linux

The Sleuth Kit

The Sleuth Kit [6] is one of the leading forensic tools. You'll find The Sleuth Kit packages in the standard Debian repository, and you can use Aptitude to install it. The Sleuth Kit mainly contains three tools that extend the functionality of ls; the names help explain the functions:

  • fls lists files at file system level,
  • ils lists files on the basis of inodes,
  • dls restores deleted files.

In addition to these files are a couple of close relatives of the standard Unix tools cat (icat) and find (ifind), and statistics tools such as istat. The Sleuth Kit starts by creating a list of all files with timestamp information (Listing 5). If you want a neatly grouped view with a time-line of the events, you can run mactime -b /tmp/body. To tell the tool to look for keywords in the deleted files on an NTFS partition:

# dls /dev/loop0 > unallocated
# cat unallocated | strings | egrep -i --color -f keywords.txt

The dls command converts the unallocated space into a file, which cat then pipes to strings and egrep.

Listing 5

File Timestamps

 

File Slack

File slack [7] refers to data in the unused space on a filesystem. This effect occurs when you save, for example, a 2KB file on a filesystem with 4KB blocks. All popular Windows systems just pad the unused space with random data from RAM to fill up the blocks.

Tools such as dls from The Sleuth Kit, or bmap [8], let an investigator recreate data that the user sometimes didn't even knowingly store on their disk. Some investigators have used this approach to reconstruct incriminating emails.

dls with the -s option is particularly useful for this purpose:

# dls -s /dev/loop0 > fileslack
# cat fileslack | strings | egrep -i U--color -f keywords.txt

This gives the forensics expert the ability to search the file slack for keywords. According to a study [9], modern Linux filesystems are not affected by this problem; they pad the unused bytes with harmless zeros courtesy of /dev/zero.

Restore Deleted Files

ntfsundelete, from the ntfsprogs package, gives any Linux admin the ability to restore deleted files on NTFS partitions. Before you run ntfsundelete, you first need to release the /dev/loop0 device, typically by issuing a umount /mnt. Without specifying any additional options, ntfsundelete /dev/loop0 just outputs a list of all undeletable files (Figure 3). The example in Figure 3 undeletes the msiinst.exe file on inode 11137.

Files existing on the hard disk could provide much user information. Both Microsoft's Internet Explorer and Firefox store their history on the filesystem. The investigator needs to install two programs to analyze the information:

  • Pasco [10] for Internet Explorer
  • Mork.pl [11] for Mozilla Firefox

Listing 6 shows a typical analysis sequence: Internet Explorer stores information for each profile in files titled index.dat. Running a find command against the file gives the investigator a list of the pages accessed in the browser.

Listing 6

Browser History

 

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • OCFA

    Automate the forensics process with the Dutch police department's Open Computer Forensics Architecture.

  • BackTrack and Sleuth Kit

    Once you determine a system has been attacked, boot to the BackTrack Live forensics distro and start your investigation with Sleuth Kit.

  • Caine

    Caine is a Linux distribution based on Ubuntu 10.04 for forensic scientists and security-conscious administrators. Poised to do battle against IT ne’er-do-wells, Caine has a comprehensive selection of software, a user-friendly GUI, and responsive support.

  • Guymager: Forensic Backup

    If malware has taken root on a system, you need a way to safeguard the evidence. Guymager helps you create verified disk images.

  • Memory Analysis

    In computer forensics, memory analysis is becoming increasingly important as a means for investigating security incidents. In this article, we provide an overview of the various memory dumping options on Linux and introduce the support in Linux for the Volatility Analysis Framework.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News