
Sherlock is Back

PCQ Bureau

Last month we saw how you can investigate and reclaim a compromised Linux PC with the help of TCT, a Linux-based forensic toolkit (Sherlock in Linux, page 108). This time we will look at another collection of tools, SleuthKit, which evolved from TCT’s source but has some new tools and features. Whereas TCT works only on Linux partitions, SleuthKit works on a variety of file systems. However, SleuthKit lacks a tool like TCT’s ‘grave-robber’, which performs an automated, systematic and trustworthy analysis of the compromised system. So, use both toolkits together to get the most out of the compromised machine.


To demonstrate how to use SleuthKit, we used an image of a 100 MB ext3 partition as the compromised machine’s partition image, and a Linux box on which we performed the analysis. To create the image of any partition we used the Linux dd command as shown below.

#dd if=/dev/hdxy of=dd.img

This command creates an image of the partition hdxy (substitute your own drive letter and partition number) in a file called dd.img. Now, write-protect the image file by running the following command.


# chmod 111 dd.img

This makes sure that the image file does not get modified during the analysis. It is also good practice to take an md5 checksum of the file, so that you can verify later that the image is still intact.

The output of dcat showing the text of the deleted file


Installing SleuthKit

Now, install SleuthKit on a machine with a fresh installation of PCQLinux 8.0. To do so, first copy the software to your home directory from this month’s PCQEssential CD and run the following commands.

#cp sleuthkit-1.66.tar.gz ~

#cd

#tar -zxvf sleuthkit-1.66.tar.gz

#cd sleuthkit-1.66

#make
istat showing the information of the deleted file

This compiles the source, after which all the tools are in the ~/sleuthkit-1.66/bin directory. You can either copy these binaries to your /bin directory so that they are accessible from anywhere on your machine, or run the commands from their actual path. We will assume that ‘~/sleuthkit-1.66/bin’ is in your PATH and the commands are accessible from everywhere.


Recover deleted text

We will first recover deleted text that contains a known string, ‘PCQuest’. Naturally, we will search for the text in the unallocated space of the image dd.img. For this we use the tool dls. Run it as shown below.

#dls -f linux-ext3 ~/dd.img > dls.out
This command reads dd.img as an ext3 file system and stores all the content of its unallocated space in an output file called dls.out. The -f switch sets the file system type of the image, so if you have a FAT32 partition, use fat32 with -f. The command also supports fat12, fat16, ntfs, netbsd, Solaris FFS and BSD file systems.

Since dls.out contains raw data full of non-printable characters, the best practice is to first run the Linux command ‘strings’ on the file to keep only the human-readable text; the -t d switch makes strings print the decimal byte offset of each string it finds, which we need in the next steps. To do so, run the command below.

#strings -t d dls.out > string.out


Now run the grep command on the output file to search for the known string ‘PCQuest’. 

#grep 'PCQuest' string.out

This command will show output something like this.


22919273: PCQuest

This means that the string is located at byte offset 22919273 of dls.out. Now find the fragment size of the partition so that you can work out the exact fragment in which the string lies. To do so, run the commands below.

#fsstat -f linux-ext3 ~/dd.img > fsstat.out

#grep "Fragment Size" fsstat.out


This shows you the fragment size of the partition. In our case it was 1024. Now divide 22919273 by 1024 (discarding the remainder) and you get the fragment address of the string within the dls output, in this case 22382. Next we have to map this to the fragment address in the original image, because dls only wrote out the unallocated fragments. For this, run the SleuthKit command dcalc as below.

#dcalc -f linux-ext3 -a ~/dd.img 22382

The output of dcalc is the actual fragment address of the string in the partition image. In our case it was 33037. Now, to show the full content of that fragment, run the command dcat as:

#dcat -f linux-ext3 ~/dd.img 33037

This shows you the full content of the fragment, including the deleted text.

The toolkit also lets you look up any inode that still points to this fragment. To search for it, run the command ‘ifind’ as below.

#ifind -f linux-ext3 -a ~/dd.img 33037

This shows you any inode associated with the fragment. You can then run the ‘istat’ command to view the details of that inode.
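The chain above (dls, strings -t d, division by the fragment size, dcalc -a and dcat) reproduced in plain Python on a constructed 64-fragment image, as an added example that is not part of the article or of SleuthKit itself. The fragment layout, the set of allocated fragments and the planted text are all made up here; the point is to show why the fragment number taken from dls.out must be mapped back through dcalc before dcat is run on the real image.

```python
import re

FRAG_SIZE = 1024  # fragment size reported by fsstat for the article's partition


def dls(image: bytes, unallocated: set) -> bytes:
    """Mimic dls: concatenate the unallocated fragments in ascending address order."""
    return b"".join(image[a * FRAG_SIZE:(a + 1) * FRAG_SIZE] for a in sorted(unallocated))


def string_offsets(data: bytes, needle: bytes) -> list:
    """Mimic `strings -t d | grep needle`, simplified: decimal byte offset of each hit.
    (Real strings reports the start of the surrounding printable run, not of the match.)"""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def dcalc(unallocated: set, dls_frag: int) -> int:
    """Mimic dcalc -a: map a fragment index in the dls output back to the image address."""
    return sorted(unallocated)[dls_frag]


def dcat(image: bytes, frag: int) -> bytes:
    """Mimic dcat: return the raw content of one fragment of the image."""
    return image[frag * FRAG_SIZE:(frag + 1) * FRAG_SIZE]


def locate(image: bytes, unallocated: set, needle: bytes) -> list:
    """Run the whole chain: (dls offset, dls fragment, image fragment, offset in fragment)."""
    hits = []
    for off in string_offsets(dls(image, unallocated), needle):
        dls_frag = off // FRAG_SIZE            # the division step from the article
        hits.append((off, dls_frag, dcalc(unallocated, dls_frag), off % FRAG_SIZE))
    return hits


def constructed_image():
    """Constructed sample (not a real partition): 64 fragments, a few allocated,
    and a deleted file's text planted in unallocated fragment 40."""
    n_frags = 64
    allocated = {0, 1, 2, 3, 4, 5, 10, 11, 20, 30, 31, 32}
    unallocated = set(range(n_frags)) - allocated
    image = bytearray(n_frags * FRAG_SIZE)
    text = b"Deleted note: PCQuest forensic test\n"
    image[40 * FRAG_SIZE:40 * FRAG_SIZE + len(text)] = text
    return bytes(image), unallocated


if __name__ == "__main__":
    img, unalloc = constructed_image()
    for off, dfrag, ifrag, inner in locate(img, unalloc, b"PCQuest"):
        print(f"dls offset {off} -> dls fragment {dfrag} -> image fragment {ifrag}")
```

Fragment 28 of the dls output is fragment 40 of the image because 12 allocated fragments below it were skipped by dls; running dcat on 28 against the real image would show the wrong data.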

View deleted file names

The toolkit also provides a tool with which you can list the names of all deleted files and folders. This helps in recovering the name of any deleted script that the attacker might have run on your machine. This feature is not available in TCT. Run the command as:

#fls -f linux-ext3 -rd ~/dd.img

The output not only lists the deleted files but also provides a lot of useful information, such as the entry type (file or directory) and the inode number. You can then run istat on the inode number to get information about the file, for example the uid, gid, access rights, number of links, and the accessed, modified and deleted dates.

In the accompanying screenshot you can see that the first command was fls, which shows the inode numbers of two directories, test.dir and test.dir1. The ‘*’ indicates that the entry is deleted.

In the next command, ‘istat’, we use the inode number of the folder test.dir (that is, 8033) to get the information about the folder.

In our next issue, we will use Autopsy to automate some of these tasks.

Anindya Roy
