Disk Information / Direct Access               

·         # fsstat disk.img

o   Displays details of the filesystem contained in the disk image 'disk.img'. If disk.img is an image of a whole disk rather than of one partition, run 'mmls disk.img' first and pass the partition's starting sector with '-o <sector>' to fsstat and to every other Sleuth Kit tool below.

o   fsstat can give you info such as:

o   the filesystem type (FAT16/32, NTFS, ext, etc.)

o   number of reserved sectors

o   sectors contained within each FAT table and their offset (in sectors)

o   root directory offset (in sectors)

o   sector and cluster sizes (the data-unit size that dcat, dls and ifind -d count in)

·         # fls disk.img

o   Lists the file and directory names in disk.img. By default it also shows deleted entries, marked with a leading '*'. Only the root directory is listed unless you add '-r' to descend into subdirectories.

·         # fls -d disk.img

o   Lists ONLY the deleted file entries.

o   fls prints the respective inode (meta-data address) number for each directory/file entry; those numbers are what icat, istat and ffind take as input.

·         # ils -e disk.img

o   Lists the inode (meta-data) information for every inode. Without '-e' ils lists only unallocated/removed inodes. The raw output is not human friendly, but with '-m' ils emits the body format that the mactime program reads for timeline analysis.

·         # icat disk.img 5

o   Writes the data occupied by inode 5 in disk.img to standard output, so redirect it to a file to extract the content. Take the inode number from the output of fls.

·         # icat -r disk.img 5

o   The '-r' option applies file-recovery techniques to the file pointed to by inode 5 (following the deleted entry's old block pointers or cluster chain). It is only meaningful for deleted inode entries; on an allocated inode it behaves like a normal icat.

·         # istat disk.img 5

o   Displays the meta-data details for inode 5: file size, name (where the filesystem stores it in the inode), written, accessed and created times, and the starting data unit plus the list of sectors/clusters that inode 5 occupies.

·         # ifind -n "test.jpg" disk.img

o   Searches for a file named test.jpg (the name can be a full path from the filesystem root) and, if found, returns its inode number.

·         # ifind -d 536 disk.img

o   Finds the inode that allocates data unit (block/cluster) 536. This is how you get from a sigfind or strings hit back to a file: sector to inode with 'ifind -d', then inode to file name with 'ffind disk.img <inode>'. Data-unit numbers are in the filesystem's block size (see fsstat), which is not always 512 bytes.

·         # dls disk.img

o   By default dls copies the data from unallocated blocks only, which is the raw material for carving with foremost/scalpel below. Add the '-e' option and dls copies every block, with output similar to the dd program. In Sleuth Kit 3.0 and later this tool is named blkls (and dcat below is blkcat); the options are unchanged.

·         # dcat disk.img 12

o   Displays the contents of data unit (block) #12 of the filesystem; add '-h' for a hex dump instead of raw bytes. Convert a byte offset from strings or a hex editor to a block number by dividing by the block size reported by fsstat.

·         # sigfind 424d disk.img

o   Searches the disk image for the hex signature 424d ('BM', the magic bytes of BMP files) and returns the sector numbers of the hits. Note that sigfind only checks the start of each 512-byte sector ('-b' changes the sector size, '-o' the offset within the sector), so a signature that sits in the middle of a sector is not found; that is what foremost/scalpel are for.

·         # sigfind -l 4d42 disk.img

o   Same search for the magic bytes 424d, returning the sector offsets of the hits. The '-l' option means the signature you type is in little-endian order and is reversed before searching, hence in our example '-l 4d42'. This is convenient for multi-byte values you read out of a structure that stores them little-endian (e.g. NTFS and FAT boot-sector fields).

Keyword searches throughout a disk image -  strings command

·         # strings -t d disk.img > index.lst

o   The '-t d' option prints, before each string, the decimal byte offset at which it starts in the image. Redirecting this to index.lst gives you an index that grep can search. Divide an offset by the sector size to get the sector number for dcat/blkcat, then 'ifind -d' maps that sector to the inode that owns it.

·         # grep -i -f keywords.txt index.lst

o   keywords.txt is a plain file with one keyword per line, e.g. "pass", "password", "confidential", "credit card", "username", "login". '-i' makes the match case-insensitive so "Password" and "PASSWORD" are not missed. Keep in mind that strings only finds ASCII (use 'strings -e l' for UTF-16LE, common on Windows) and that text inside compressed or encrypted files is invisible to it.
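The two searches above (sigfind at sector boundaries, and strings -t d plus grep with the offset converted to a sector) are reimplemented below so the mechanics are explicit. This is an added example and is not code from the original page or from the Sleuth Kit; the image bytes, the keyword list and the function names are constructed for the demonstration.

```python
"""Added example (not from the original page): sector-aligned signature
search (what sigfind does) and keyword search with byte-offset-to-sector
mapping (what `strings -t d | grep -f keywords.txt` gives you), run on a
constructed 4-sector image so it works offline."""
from __future__ import annotations

import re

SECTOR = 512                       # sigfind's default block size (-b)


def build_image() -> bytes:
    """Constructed image: an aligned BMP magic, an unaligned one, and two
    keyword-bearing strings. Nothing here comes from a real disk."""
    img = bytearray(4 * SECTOR)
    img[0:5] = b"hello"                                # sector 0, no keyword
    img[2 * SECTOR:2 * SECTOR + 2] = b"BM"             # sector 2, offset 0
    img[3 * SECTOR + 100:3 * SECTOR + 102] = b"BM"     # sector 3, offset 100
    s1 = b"password=hunter2"
    img[SECTOR + 20:SECTOR + 20 + len(s1)] = s1        # byte 532 -> sector 1
    s2 = b"CONFIDENTIAL memo"
    img[3 * SECTOR + 200:3 * SECTOR + 200 + len(s2)] = s2  # byte 1736 -> sector 3
    return bytes(img)


def sigfind(img: bytes, sig_hex: str, little_endian: bool = False,
            bsize: int = SECTOR, offset: int = 0) -> list[int]:
    """Return the block numbers where the signature appears `offset` bytes
    into the block. Like sigfind, it does NOT look elsewhere in the block,
    and -l (little_endian) reverses the bytes you typed."""
    sig = bytes.fromhex(sig_hex)
    if little_endian:
        sig = sig[::-1]            # '-l 4d42' searches for 42 4d
    hits = []
    for blk in range(len(img) // bsize):
        start = blk * bsize + offset
        if img[start:start + len(sig)] == sig:
            hits.append(blk)
    return hits


# strings' default: runs of at least 4 printable ASCII bytes
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def strings_with_offsets(img: bytes) -> list[tuple[int, str]]:
    """Equivalent of `strings -t d`: (decimal byte offset, text) pairs."""
    return [(m.start(), m.group().decode("ascii"))
            for m in _PRINTABLE_RUN.finditer(img)]


def keyword_hits(img: bytes, keywords: list[str]) -> list[dict]:
    """Equivalent of `grep -i -f keywords.txt index.lst`, with the sector
    number and in-sector offset added so the hit can be pulled with
    dcat/blkcat and mapped to a file with ifind -d."""
    hits = []
    for off, text in strings_with_offsets(img):
        low = text.lower()
        for kw in keywords:
            if kw.lower() in low:
                hits.append({"keyword": kw, "offset": off,
                             "sector": off // SECTOR,
                             "in_sector_offset": off % SECTOR,
                             "text": text})
                break                # one hit per string, like grep
    return hits


if __name__ == "__main__":
    image = build_image()
    print("sigfind 424d        ->", sigfind(image, "424d"))
    print("sigfind -l 4d42     ->", sigfind(image, "4d42", little_endian=True))
    print("sigfind -o 100 424d ->", sigfind(image, "424d", offset=100))
    for h in keyword_hits(image, ["pass", "password", "confidential"]):
        print(h)
```

Running it shows the aligned 'BM' in sector 2 found both as 424d and as '-l 4d42', while the 'BM' sitting 100 bytes into sector 3 is only found once the in-sector offset is supplied, which is exactly the blind spot of sigfind on real images. The keyword hits carry the sector number you would pass to dcat.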

File activity information

·         # fls -r -m "/" disk.img | mactime

o   fls -m prints one body-format line per file ('-r' walks subdirectories, and "/" is the mount point prefixed to each name) and mactime turns that into an ASCII timeline of file activity: one line per timestamp, with an m/a/c/b column showing whether that time is the file's modified, accessed, changed or born (created) time. Save the body output to a file and run 'mactime -b body.txt' to re-run it with a date range or a timezone ('-z').

·         # ils -m -e disk.img | mactime

o   The same timeline built from the inode table instead of the directory entries; it includes removed inodes whose names are no longer recoverable.
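To show what mactime actually does with the body lines that fls -m and ils -m produce, here is a minimal re-implementation. It is an added example, not code from the original page or from the Sleuth Kit; the three body lines, the inode numbers and the timestamps are constructed, and the output layout only approximates mactime's.

```python
"""Added example (not from the original page): a minimal mactime.
It parses Sleuth Kit body-format lines (what `fls -m` and `ils -m` print:
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) and groups
each file's four timestamps into one event per time with an m/a/c/b
flag column. The body lines below are constructed, not from a real image."""
from __future__ import annotations

import datetime as dt
from collections import defaultdict

BODY = """\
0|/docs/plan.txt|27|r/rrwxrwxrwx|0|0|1024|1300000100|1300000000|1300000000|1299999900
0|/docs/secret.jpg (deleted)|31|r/rrwxrwxrwx|0|0|48231|1300000300|1300000200|1300000350|1300000200
0|/docs|5|d/drwxrwxrwx|0|0|4096|1300000300|1300000350|1300000350|1299999000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# mactime's column order: modified, accessed, changed, born (created)
MACB = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_body(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed body line: {line!r}")
        row = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        # fls -m tags unallocated entries with " (deleted)"; keep that as a flag
        row["deleted"] = row["name"].endswith(" (deleted)")
        rows.append(row)
    return rows


def build_timeline(rows: list[dict]) -> list[tuple[int, str, dict]]:
    """One (timestamp, 'macb' flags, row) per file per distinct time,
    sorted by time. A zero timestamp means 'not recorded' and is skipped."""
    by_time: dict[int, dict[tuple, set]] = defaultdict(lambda: defaultdict(set))
    rows_by_key = {}
    for row in rows:
        key = (row["inode"], row["name"])
        rows_by_key[key] = row
        for field, flag in MACB:
            if row[field] != 0:
                by_time[row[field]][key].add(flag)
    timeline = []
    for ts in sorted(by_time):
        for key in sorted(by_time[ts]):
            flags = by_time[ts][key]
            macb = "".join(f if f in flags else "." for _, f in MACB)
            timeline.append((ts, macb, rows_by_key[key]))
    return timeline


def format_timeline(timeline, tz=dt.timezone.utc) -> list[str]:
    """Render roughly like mactime: date, size, macb, mode, uid, gid, inode, name."""
    lines = []
    for ts, macb, r in timeline:
        when = dt.datetime.fromtimestamp(ts, tz).strftime("%a %b %d %Y %H:%M:%S")
        lines.append(f"{when} {r['size']:>8} {macb} {r['mode']} "
                     f"{r['uid']:>4} {r['gid']:>4} {r['inode']:>6} {r['name']}")
    return lines


if __name__ == "__main__":
    for line in format_timeline(build_timeline(parse_body(BODY))):
        print(line)
```

Timestamps in a body file are epoch seconds; render them in the timezone the evidence machine used (mactime's '-z'), or every event lands hours away from the logs you correlate it with. Note also the ordering in the constructed data: secret.jpg's ctime (the directory entry being unlinked) is later than its mtime, which is the typical signature of a deletion.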

Files Recovery

·         # fatback /dev/sdb

o   fatback recovers deleted files from FAT filesystems and presents its own sub-prompt. Type 'help' to see the available commands; they are self-explanatory. Run it against a read-only image or a write-blocked device, never against the evidence disk mounted read-write.

·         # photorec /dev/sdb

o   Opens photorec's menu-driven interface, which is easy to follow. photorec carves by file signature and ignores the filesystem, so it also works on a damaged or reformatted volume; point its output directory at a separate disk, not the one being recovered.

·         # scalpel -c config.file -o /destination /source/disk.img

o   '-c' selects the configuration file (by default scalpel.conf) and '-o' the output directory. Every file type in the shipped scalpel.conf is commented out, so uncomment the types you want before running or scalpel will carve nothing.

·         # foremost -i file.img -t doc -o /root/Foremost_Dir -c /etc/foremost.conf

o   '-i': input file (image). A drive or partition device such as /dev/sda1 works as well.

o   '-o': folder to dump the recovered files in. It must be empty or not yet exist; foremost refuses to write into a non-empty directory.

o   '-t': type of file to search for (jpg, gif, png, doc, pdf, zip, ... as named in the config). The default is to search for all known file types in its config file.

o   '-c': [optional] sets the config file to use. If left out, foremost uses its default config file located at /etc/foremost.conf. Each config line is a header, an optional footer and a maximum size; a file is carved from the header to the footer, or to the maximum size if no footer is found in time.
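The header/footer/max-size rule that foremost and scalpel both work from is small enough to show in full. The following is an added example written for this page; it is not foremost's or scalpel's code, and the rules, the image contents and the naming of the output files are constructed for the demonstration.

```python
"""Added example (not from the original page, and not foremost's code):
header/footer carving the way a foremost.conf rule describes it, e.g.
    jpg  y  20000000  \\xff\\xd8\\xff  \\xff\\xd9
Each rule is a header, an optional footer and a maximum size: a file is
carved from the header to the footer if one is found within the maximum,
otherwise up to the maximum. The image is constructed inline."""
from __future__ import annotations

from pathlib import Path

# Constructed rules; the sizes are tiny so the example stays readable.
RULES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max": 200},
    "bmp": {"header": b"BM", "footer": None, "max": 64},
}


def build_image() -> bytes:
    """Constructed 1 KiB image: a complete JPEG, a footer-less BMP, and a
    truncated JPEG whose footer lies beyond the max size."""
    img = bytearray(1024)
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    img[100:100 + len(jpg)] = jpg                       # complete, 46 bytes
    img[600:602] = b"BM"                                 # BMP, no footer rule
    img[800:804] = b"\xff\xd8\xff\xe1"                   # header only
    img[1010:1012] = b"\xff\xd9"                         # footer too far (210 > 200)
    return bytes(img)


def carve(img: bytes, rules: dict) -> list[dict]:
    hits = []
    for ftype, rule in rules.items():
        hdr, ftr, mx = rule["header"], rule["footer"], rule["max"]
        pos = img.find(hdr)
        while pos != -1:
            end = -1
            if ftr is not None:
                # the footer must start inside the max-size window
                f = img.find(ftr, pos + len(hdr), pos + mx)
                if f != -1:
                    end = f + len(ftr)
            complete = end != -1
            if not complete:
                end = min(pos + mx, len(img))      # carve up to the max size
            hits.append({"type": ftype, "start": pos, "size": end - pos,
                         "complete": complete, "data": img[pos:end]})
            pos = img.find(hdr, end)               # next file after this one
    return sorted(hits, key=lambda h: h["start"])


def write_out(hits: list[dict], outdir: str) -> list[str]:
    """Write carved files under outdir/<type>/, named by byte offset
    (my naming; foremost has its own scheme). Returns the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for h in hits:
        p = out / h["type"] / f"{h['start']:08d}.{h['type']}"
        p.parent.mkdir(exist_ok=True)
        p.write_bytes(h["data"])
        paths.append(str(p))
    return paths


if __name__ == "__main__":
    for h in carve(build_image(), RULES):
        print(h["type"], h["start"], h["size"], "complete" if h["complete"] else "truncated")
```

The truncated JPEG at offset 800 is carved at exactly the maximum size, which is why carved output often needs a second pass of validation (open the file, check the trailer) before it is trusted; a type without a footer, like the BMP rule here, is always cut at the maximum unless the carver parses the format's own length field.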

PCAP file

·         # tcpflow -r evidence02.pcap

o   Reassembles every TCP connection in the capture into its own file, named after the source and destination IP and port, so transferred files, HTTP bodies and chat sessions can be read without stepping through packets.

Hex Dump

·         # xxd -l 4 test.docx.base

o   Dumps only the first 4 bytes ('-l 4'). The answer "55457344" is the hex of the ASCII text "UEsD", which is how a base64-encoded .docx starts: the ZIP header "PK\x03\x04" that every .docx begins with encodes to "UEsDBA". So this file is base64 text, not the document itself.

·         # xxd -ps file1 > file2

o   Plain (postscript-style) hex dump: a continuous hex string with no offsets or ASCII column, suitable for pasting or transporting.

·         # xxd -ps -r file2 > secretrendevouz.docx.base64

o   Reverses a plain hex dump back into the original bytes.

Conversion / Hashing tools

·         # base64 test.docx > test.docx.base64

o   Encodes the file as base64; 'base64 -d' decodes it again.

·         # md5sum secretrendevouz.docx

o   Hashes the file. Hash every image and recovered file when it is acquired and again before reporting, so you can show the evidence was not altered in between (sha256sum is preferred where MD5 is not acceptable).

·         # convert - various manipulations of image files (ImageMagick)

·         # stegdetect - finds traces of some of the well-known steganography tools (jsteg, jphide, outguess, F5) in JPEG files

·         # exif - read image metadata (camera, timestamps, GPS tags if present)