Filesystem analysis using TSK

The document provides an overview of filesystem analysis using The Sleuth Kit (TSK), detailing the structure of hard disks, the concept of slack space, and the capabilities of TSK for forensic analysis. It covers the NTFS filesystem, the Master File Table (MFT), and various command line tools available in TSK for examining disk images and extracting data. The presentation concludes with the importance of TSK in recovering deleted files and accessing protected content.


Filesystem Analysis using The Sleuth Kit (TSK)

Dr. Bhupendra Singh
Assistant Professor

April 8, 2024 Filesystem Analysis using TSK © IIIT Pune


Overview

• Understanding Hard Disks & Concept of Slack Space
• File Storage and Timestamp in NTFS
• The Sleuth Kit (TSK) & Its Capabilities
• TSK Command Line Tools
  • Image Tools
  • Volume Analysis Tools
  • Filesystem Tools
• Conclusions
Physical Structure of Hard Disk

(figure: physical structure of a hard disk)


Cluster

• A hard drive contains circular platters that are stacked on top of each other.
• These platters spin at the same time.
• The bottom and top of each platter are coated with a magnetic media.
• A sector can contain 512 bytes. It is the minimum size OSes write on the disk.
• Data unit: sectors (frequently 8) are grouped to form a data unit (cluster/block). A data unit is the minimum size of a file on the hard disk. The cluster is the unit of allocation for files.
Slack Space

Figure 3: Slack space of a 2248-byte file in a 4 KB cluster


Cluster Size

Cluster size has a significant impact on the performance of an operating system and on disk utilization.

Cluster size depends on the size of the disk partition and the type of filesystem installed on the partition. Cluster size can be altered for optimum disk storage.

A larger cluster size (greater than one sector):

• Minimizes the fragmentation problem
• Increases the probability of slack space (internal fragmentation)
• Reduces the disk storage area available to save information
• Reduces the unused area on the disk

Figure: Impact of cluster size on slack space
Understanding File Systems

A filesystem is a method and data structure that the operating system uses to control how
data is stored and retrieved.

By separating the data into pieces and giving each piece a name, the data is easily isolated
and identified.

For storing and retrieving files, file systems make use of metadata, which includes the date
the file was created, the date modified, file size, file name and so on.

It provides a mechanism for users to store data logically in a hierarchy of files and directories.

Major filesystems include FAT, NTFS, HFS, HFS+, Ext2, Ext3, Ext4 etc.
1. NTFS

NTFS (New Technology File System) is the file system introduced in 1993 with Windows NT 3.1 and is now the default file system for NT-based OSes (Win NT, 2K, 2K3, XP, ...).

Its main feature list includes journaling, encryption, compression, sparse file support, disk quotas, reparse points, etc.

Everything is a file, even the core file system internals, which are always hidden from the user.

Microsoft reserves the first 16 MFT entries for the file system metadata files.

Figure: Hidden files and folders in NTFS
Metadata files stored in the MFT

(figure: table of the NTFS metadata files)


MFT

Master File Table - $MFT:
• For each file and directory on disk, there is a corresponding unique entry of 1 KB in the MFT.
• An MFT entry record consists of a header and multiple attributes which store metadata information about files and directories.
• All entries have $SI, $FN and $DATA attributes.
• The $SI attribute stores information about MACE timestamps, owner ID, security ID, etc.
• The $FN attribute stores information about the file name, size, and a set of duplicated MACE timestamps.

Timestamp on NTFS (can query using fsutil):
• 64-bit value representing the number of 100-nanosecond intervals since 1 January 1601
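The timestamp encoding described on this slide, worked through as an added Python example (not part of the deck): it converts a raw 64-bit NTFS value, or its 8-byte little-endian on-disk form from an $SI or $FN attribute, into a UTC datetime and into the Unix epoch seconds that fls -m and mactime use. The sample byte string is constructed, not taken from an image.

```python
from datetime import datetime, timedelta, timezone

# NTFS keeps every MACE timestamp as an unsigned 64-bit count of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC (FILETIME).
NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Ticks between the two epochs: 11644473600 s * 10^7 = 116444736000000000.
EPOCH_DELTA_TICKS = int((UNIX_EPOCH - NTFS_EPOCH).total_seconds()) * TICKS_PER_SECOND


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a raw NTFS timestamp value to a timezone-aware UTC datetime."""
    if not 0 <= ticks < 1 << 64:
        raise ValueError("NTFS timestamps are unsigned 64-bit values")
    # timedelta resolves to microseconds, so the 100 ns digit is dropped.
    return NTFS_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_unix(ticks: int) -> float:
    """Unix epoch seconds (what fls -m / mactime work with) for a raw NTFS value."""
    return (ticks - EPOCH_DELTA_TICKS) / TICKS_PER_SECOND


def unix_to_filetime(seconds: float) -> int:
    """Inverse conversion, useful for cross-checking a value quoted by fsutil."""
    return int(round(seconds * TICKS_PER_SECOND)) + EPOCH_DELTA_TICKS


def filetime_from_bytes(raw: bytes) -> int:
    """Decode the 8-byte little-endian on-disk form used inside $SI and $FN."""
    if len(raw) != 8:
        raise ValueError("expected exactly 8 bytes")
    return int.from_bytes(raw, "little")


if __name__ == "__main__":
    # Constructed sample: the 8 bytes an $SI attribute holds for 1970-01-01 00:00:00 UTC.
    sample = bytes.fromhex("00803ed5deb19d01")
    ticks = filetime_from_bytes(sample)
    print(ticks, filetime_to_datetime(ticks).isoformat())
```

Values past the year 9999 cannot be represented by Python's datetime and raise OverflowError, which is worth keeping in mind when a timestamp field holds garbage from a corrupted or wiped entry.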
MFT Attributes

• Every MFT attribute is identified by an attribute type identifier and an attribute name.
• There are two categories of attributes:
  • Resident attributes: attributes whose content is contained in the MFT entry itself.
  • Non-resident attributes: attributes whose content is allocated in one or more clusters of disk space.


File storage

(figure: how file content is stored on disk)


What is The Sleuth Kit (TSK)

• After successful data acquisition, the next step brings us to examining the evidence and analyzing the disk.
• The Sleuth Kit (TSK) is open source software that allows you to forensically analyze disk images and local drives.
• It is a library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems.
• The Sleuth Kit is capable of parsing NTFS, FAT/ExFAT, Ext2, Ext3, Ext4, HFS, ISO 9660 and YAFFS2 filesystems, either separately or within disk images stored in raw (dd), Expert Witness or AFF formats.
• Autopsy is the original graphical user interface (UI) to TSK.
TSK Layers

• Base layer: error handling, types, and convenience functions.
• Image file layer: can open and process disk images in various formats.
• Volume system layer: processes data as a volume system, e.g., DOS partition tables.
• File system layer: processes data as a file system, such as FAT or NTFS.
• Hash database layer: creates an index of hashes and performs fast lookups of them.
• Automation layer: integrates all of the previous layers.


Scenario

You have a disk image and want to look for specific files.
• TSK will auto-detect the image format.
• TSK will auto-detect the volume system and layout:
  • What sectors are allocated to partitions
  • What sectors are not allocated to any partition
• TSK will auto-detect the filesystem type and can search for your file (even if it is deleted):
  • Analyzes the directory hierarchy in the file system.
  • Identifies files that have been marked for deletion.
  • Searches for "orphan files" that no longer have a name.
Current Capabilities

(figure: table of current TSK capabilities)


Command Line Tools

Image Layer Tools
• img_stat: This tool shows the details of the image format.
• img_cat: This tool shows the raw contents of an image file.

Disk Tools:
• disk_sreset: This tool temporarily removes an HPA (Host Protected Area) if one exists. After the disk is reset, the HPA will return.
• disk_stat: This tool shows if an HPA exists.

Volume Layer Tools
• mmls: Displays the layout of a disk, including the unallocated spaces.
• mmstat: Displays details about a volume system (typically only the type).
• mmcat: Extracts the contents of a specific volume to STDOUT.

Filesystem Layer Tools
• tsk_comparedir: Compares a local directory hierarchy with the contents of a raw device (or disk image). This can be used to detect rootkits.
• tsk_gettimes: Extracts all of the temporal data from the image to make a timeline. Equivalent to running fls with the '-m' option.
• tsk_loaddb: Loads the metadata from an image into a SQLite database. This allows other tools to be easily written in a variety of languages and gives them access to the image contents.
• tsk_recover: Extracts the unallocated (or allocated) files from a disk image to a local directory.


Filesystem Tools

• fsstat: Shows file system details and statistics including layout, sizes, and labels.
• blkcat: Extracts the contents of a given data unit.
• blkls: Lists the details about data units and can extract the unallocated space of the file system.
• blkstat: Displays the statistics about a given data unit in an easy to read format.
• blkcalc: Calculates where data in the unallocated space image (from blkls) exists in the original image. This is used when evidence is found in unallocated space.
• ffind: Finds allocated and unallocated file names that point to a given meta data structure.
• fls: Lists allocated and deleted file names in a directory.
• icat: Extracts the data units of a file, which is specified by its meta data address (instead of the file name).
• ifind: Finds the meta data structure that has a given file name pointing to it or the meta data structure that points to a given data unit.
• ils: Lists the meta data structures and their contents in a pipe delimited format.
• istat: Displays the statistics and details about a given meta data structure in an easy to read format.


TSK in Action


Image tools

(figure: img_stat / img_cat output)


Filesystem Info using fsstat
Using fsstat, we get a whole bunch of information about the file system.



Read the files and directories using fls

Using fls, we get a list of files in a directory. It shows deleted and orphan files.

• fls -r -m / NTFS_2.001 > body.txt (walks the directories recursively, prints each entry in body-file format with / as the mount point, and saves the output to a file).
• Deleted files are indicated with a '*' symbol before them.
• Apart from regular files, we see a dot '.' before a filename, indicating that the file is hidden.
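What the body.txt produced by fls -r -m (or tsk_gettimes, which the Command Line Tools slide calls equivalent) actually contains, and how an analyst turns it into the deleted-file list and timeline this slide and the tsk_gettimes bullet describe, as an added Python example that is not part of the deck or of TSK. The three body lines are constructed; the inode strings and timestamps do not come from a real image.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of what `fls -r -m / image.001 > body.txt` produces
# (TSK body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).
# NTFS inodes take the form "entry-attrtype-attrid"; nothing here is from a real image.
SAMPLE_BODY = """\
0|/$MFT|0-128-1|r/rrwxrwxrwx|0|0|65536|1712556000|1712556000|1712556000|1712556000
0|/secret.txt (deleted)|64-128-2|r/rrwxrwxrwx|0|0|2248|1712560000|1712559000|1712559000|1712558000
0|/$OrphanFiles/OrphanFile-70|70-128-1|r/rrwxrwxrwx|0|0|4096|0|0|0|0
"""


@dataclass
class BodyEntry:
    name: str
    inode: str
    mode: str
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int

    @property
    def deleted(self) -> bool:
        # fls appends " (deleted)" to the names of unallocated entries.
        return self.name.endswith(" (deleted)")

    @property
    def orphan(self) -> bool:
        # Orphan files (MFT entry present, name gone) are listed under $OrphanFiles.
        return "/$OrphanFiles/" in self.name


def parse_body_line(line: str) -> BodyEntry:
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 '|'-separated fields, got {len(fields)}: {line!r}")
    _md5, name, inode, mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
    return BodyEntry(name, inode, mode, int(size), int(atime), int(mtime), int(ctime), int(crtime))


def parse_body(text: str) -> list:
    return [parse_body_line(l) for l in text.splitlines() if l.strip()]


def deleted_or_orphan(entries) -> list:
    """Entries whose content may still be recoverable with icat <inode>."""
    return [e for e in entries if e.deleted or e.orphan]


def timeline(entries) -> list:
    """Flatten entries into (unix_ts, MACB mask, name) rows sorted by time,
    the same view mactime builds from a body file. A zero timestamp means
    fls had no value for it and is skipped."""
    events = {}
    for e in entries:
        for letter, ts in (("m", e.mtime), ("a", e.atime), ("c", e.ctime), ("b", e.crtime)):
            if ts == 0:
                continue
            events.setdefault((ts, e.name), set()).add(letter)
    rows = []
    for (ts, name), letters in sorted(events.items()):
        mask = "".join(l if l in letters else "." for l in "macb")
        rows.append((ts, mask, name))
    return rows


def fmt(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    entries = parse_body(SAMPLE_BODY)
    for e in deleted_or_orphan(entries):
        print("candidate for icat:", e.inode, e.name)
    for ts, mask, name in timeline(entries):
        print(fmt(ts), mask, name)
```

The MACB mask is the same column mactime prints: m = modified, a = accessed, c = MFT entry changed, b = born (created). Keeping the inode string beside each deleted name matters because icat works on the metadata address, not the name, which is all that survives for an orphan file.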
Metadata information using istat

The data attribute ($DATA, attribute type identifier 128) is listed by istat. If the content is over 700 bytes, it will probably be a non-resident attribute.


Retrieving the contents of a hidden file using icat

You can use the icat tool if you have to read the contents of a particular file, without recovering the whole drive.
• You can also read the contents of a hidden file using this command.


Retrieving the contents of a block (or blocks) using blkcat

You can use the blkcat tool to display the contents of a file system data unit in a disk image.

• blkcat -h NTFS_2.001 2851447
• blkcat -h NTFS_2.001 2851447 2 (reads the raw data of two consecutive blocks starting at unit 2851447; -h prints it as a hex dump)
• Number of blocks: the default is 1.
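The address arithmetic behind blkcat, together with the slack space shown in Figure 3 (a 2248-byte file in a 4 KB cluster), as an added Python example that is not part of the deck or of TSK. The raw image is constructed in memory; the 512-byte sector size, the 4 KB cluster size and the partition starting at sector 63 are assumptions chosen for the example.

```python
SECTOR_SIZE = 512  # assumption: 512-byte sectors, as on the "Cluster" slide


def unit_offset(unit: int, block_size: int, fs_start_sector: int = 0,
                sector_size: int = SECTOR_SIZE) -> int:
    """Byte offset in the raw image of file system data unit `unit`.

    blkcat addresses are relative to the start of the file system, so when the
    file system sits inside a partition the partition's starting sector (as
    reported by mmls) has to be added first."""
    if unit < 0 or block_size <= 0:
        raise ValueError("unit must be >= 0 and block_size > 0")
    return fs_start_sector * sector_size + unit * block_size


def read_units(image: bytes, unit: int, block_size: int, count: int = 1,
               fs_start_sector: int = 0) -> bytes:
    """Return `count` consecutive data units starting at `unit` (blkcat's
    default count is 1), refusing addresses that run past the image."""
    start = unit_offset(unit, block_size, fs_start_sector)
    end = start + count * block_size
    if count < 1 or end > len(image):
        raise ValueError(f"units {unit}..{unit + count - 1} lie beyond the image")
    return image[start:end]


def slack_bytes(unit_data: bytes, file_size: int) -> bytes:
    """Slack space: the part of the allocated unit(s) beyond the logical file size."""
    if not 0 <= file_size <= len(unit_data):
        raise ValueError("file size exceeds the allocated data units")
    return unit_data[file_size:]


def hexdump(data: bytes, width: int = 16) -> str:
    """Hex + ASCII rendering in the spirit of blkcat -h."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return "\n".join(lines)


def build_sample_image():
    """Constructed raw image (not a real acquisition): 63 unused sectors, then a
    file system with 4 KB clusters. Cluster 1 holds a 2248-byte file whose
    slack still contains leftovers of an earlier file; cluster 2 starts with
    a marker string."""
    block_size, fs_start = 4096, 63
    image = bytearray(fs_start * SECTOR_SIZE + 4 * block_size)
    c1 = unit_offset(1, block_size, fs_start)
    image[c1:c1 + 2248] = b"A" * 2248
    remnant = b"previous file remnant"
    image[c1 + 2248:c1 + 2248 + len(remnant)] = remnant
    c2 = unit_offset(2, block_size, fs_start)
    image[c2:c2 + 5] = b"hello"
    return bytes(image), block_size, fs_start


if __name__ == "__main__":
    image, block_size, fs_start = build_sample_image()
    # Equivalent of "blkcat -h <image> 2" once the file system offset is applied.
    print(hexdump(read_units(image, 2, block_size, fs_start_sector=fs_start)[:32]))
    unit1 = read_units(image, 1, block_size, fs_start_sector=fs_start)
    print(len(slack_bytes(unit1, 2248)), "bytes of slack")
```

The slack region is exactly why a raw data-unit read can return more than the file's logical content: 4096 - 2248 = 1848 bytes of whatever previously occupied the cluster are still there, and a file-level copy would never show them.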


Retrieving files using tsk_recover

• Using the tsk_recover tool, we can export files from an image into a local directory.
• We execute the command specifying the path where we want to store the recovered files.


Conclusions

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based tools and utilities
to allow for the forensic analysis of computer systems. It was written and maintained by
digital investigator Brian Carrier.

TSK typically involves data recovery, extracting hidden files, accessing protected content if
technically feasible and legally appropriate, etc.

TSK is normally used in conjunction with its custom front-end application, Autopsy, to
provide a user friendly interface.

TSK can be used for understanding what data is stored on a disk drive (even if the operating
system has removed all meta data), recovering deleted image files, and searching for files by
name or included keyword.
Contact

You Can’t Protect What You Don’t Know About !!!

Thanks for your attention.

Contact:

Email: bhupendra@iiitp.ac.in, bhupi.pal08@gmail.com

ORCID: http://orcid.org/0000-0003-3357-1398

Google Scholar: https://scholar.google.com/citations?user=cKAcqYkAAAAJ&hl=en

ResearchGate: https://www.researchgate.net/profile/Bhupendra_Singh38
