Sleuth Kit commands for computer forensics
Below is a list of various Sleuth Kit commands used in computer forensics. The majority of these commands are executed against an image file, which in many cases would be a forensic image of a device (e.g. floppy disk, USB key, memory card, hard drive, etc.). Although there are various commercial and open source tools used for creating forensic images, on Linux you can use the native "dd" command to do so. At its simplest level, the command to acquire an image of device /dev/sda (which could be a USB key, or a SATA or SCSI hard drive) would be dd if=/dev/sda of=usb_key_image_file
The following commands were done on the Linux version of The Sleuth Kit, and are listed in the general order in which the commands would be used in analyzing an image. For illustrative purposes, assume that the following commands are being done on an image file of a 1 GB USB key called "usb.img" which has the following structure:
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000007 0000000007 Unallocated
02: 00:00 0000000008 0001943646 0001943639 Win95 FAT16 (0x0E)
Display image type and size of image file usb.img
fsstat: display details of a file system
Display detailed file system and metadata information of image file usb.img
Same as above but specifying the offset where the Win95 FAT16 file system starts in the image (offset 8)
fsstat -o 8 usb.img
mmls: display the layout of media management systems/partition tables
Display partition information of image file usb.img (Note: If it helps you in understanding the use of mmls, the output of this command in some cases can be similar to "fdisk -lu <device>")
fls: list file and directory names in a forensic image
Note: Going back to the layout for usb.img above, all of the following commands would actually be performed on offset 8 as this is where the Win95 FAT16 partition begins. This would be specified by adding the parameter "-o 8" to each command.List file and directory names of image file usb.img, and recurse on directories
fls -r usb.img
List file and directory names of image file usb.img, and display file details in "long" format
fls -l usb.img
List file and directory names of image file usb.img, and display full path of files
fls -p usb.img
List only deleted entries of image file usb.img
fls -d usb.img
List file and directory names of image file usb.img, and provide verbose output of analysis
fls -v usb.img
Display a list of file system types supported by fls
fls -f list
ils: list inode information with the following column order:
* st_ino: The inode number.
* st_alloc: Allocation status: 'a' for allocated inode, 'f' for free inode.
* st_uid: Owner user ID.
* st_gid: Owner group ID.
* st_mtime : UNIX time (seconds) of last file modification.
* st_atime : UNIX time (seconds) of last file access.
* st_ctime : UNIX time (seconds) of last inode status change.
* st_dtime : UNIX time (seconds) of file deletion.
* st_mode : File type and permissions (octal).
* st_nlink : Number of hard links.
* st_size : File size in bytes.
* st_block0,st_block1 : The first two entries in the direct block address list.
Lists inode information of only deleted files within usb.img (again going back to the layout above for usb.img, these commands would be done by specifying the offset "-o 8").
Lists inode information of all files within usb.img
ils -e usb.img
Lists inode information of file at inode 54 within usb.img
ils usb.img 54
istat: display details of a meta-data structure (i.e. inode)
Display the uid, gid, mode, size, link number, MAC times and all the disk units a structure has allocated for a file at inode 54 within usb.img
istat usb.img 54
sorter: sort files in an image into categories based on file type
Creates a list in a directory called outputdir of files, filetype & inode information for usb.img
sorter -d outputdir usb.img
Same as above but with no requirement of a directory for saving the data (i.e. output to stdout)
sorter -l usb.img
icat: copy files by inode number
Recover file at inode 54 in image usb.img, even if it was deleted, and save the results to a file called file.bin
icat -r usb.img 54 > file.bin
Same as above, but also recover the slack space along with the file, and save the results to a file called fileslack.bin
icat -r -s usb.img 54 > fileslack.bin
dcat: display the contents of disk "chunks" from a forensic image
Note: Many of the output from these commands can be replicated with other utilites such as xxd or hexdump, however dcat is shown as it is one of the tools bundled with The Sleuth Kit.Display contents in hex of one data unit from image usb.img, starting at address 0
dcat -h usb.img 0
Display contents in ASCII of one data unit from image usb.img, starting at address 0
dcat -a usb.img 0
Display contents in hex of 4 data units from image usb.img starting at unit address 0 (i.e. will show units 0,1,2,3)
dcat -h usb.img 0 4
Same as above but display the contents in HTML format
dcat -hw usb.img 0 4
hfind: lookup a hash value in a hash database
Note: You need to create an index before you can start looking up hash values. You can create your own hash database or download the National Software Reference Library Reference Data Set here.Create a MD5 index using the NSRL hash database nsrlfile.txt (an index file called nsrlfile.txt-md5.idx will be created)
hfind -i nsrl-md5 nsrlfile.txt
Create a SHA1 index using the NSRL hash database nsrlfile.txt (an index file called nsrlfile.txt-sha1.idx will be created)
hfind -i nsrl-sha1 nsrlfile.txt
Create a MD5 index using your own MD5 based hash database called trusted-WindowsXP-hashes.md5
hfind -i md5sum trusted-WindowsXP-hashes.md5
Lookup the hash value 829e4805b0e12b383ee09abdc9e2dc3c against the hash database md5sum trusted-WindowsXP-hashes.md5
hfind trusted-WindowsXP-hashes.md5 829e4805b0e12b383ee09abdc9e2dc3c
Search for matches to hashes stored in a text file lookup.md5 against the NSRL hash database nsrlfile.txt (Note: If you get an error with the command below, try instead cut -b -32 lookup.md5 | hfind nsrlfile.txt. The cut command will extract only the first 32 bytes (which should be the MD5 value) of each row within lookup.md5).
hfind -f lookup.md5 nsrlfile.txt
Various related compounded commands
See header of file at inode 54 in image usb.img
icat -r usb.img 54 | xxd | head
See tail of file at inode 54 in image usb.img
icat -r usb.img 54 | xxd | tail
Calculate 4096 divided by 512
echo "4096/512" | bc
Lookup the MD5 values of all files in /bin/ against the NSRL hash database nsrlfile.txt
md5sum /bin/* | cut -b -32 | hfind nsrlfile.txt
Search all of usb.img for printable character strings, looking for the keyword "pass" (case insensitive), and print in hexadecimal the location of the string within the image
strings -a -tx usb.img | grep -i pass