Note: This activity takes place in a Linux system environment using SANS SIFT Workstation, a collection of forensic tools. For instructions to download and set up this environment, click Virtual Workstation in the toolbar.
Time: This activity should take you approximately 30 to 60 minutes to complete.
SANS Investigative Forensic Toolkit (SIFT) Workstation
Note: You have to create your own account for this SIFT Workstation download.

Download the image file, Linux Financial Case.001. Extract the .zip file and validate its hash values for both MD5 and SHA1 before you start: a mismatch means the image was corrupted in transit or is not the expected file, and anything you find in it afterwards cannot be trusted.

MD5 (Linux Financial Case.001) = 7b39de0ca146c89ad73d1d421c8f7a05
SHA1 (Linux Financial Case.001) = c7b06f006ff79711e692bd2620aba4cc2a4426d2

During this unit, we looked at Sleuthkit. In this exercise, we'll practice using the Sleuthkit tools at the data layer, metadata layer, file system layer and file name layer.
The steps provided here are only guidelines. Please feel free to try a variety of Sleuthkit tools with different options to fully understand this powerful toolkit.
You may want to review my demonstration video Sleuthkit Commandline Demo before beginning this activity.
Launch SIFT Workstation 3. The default login username is sansforensics, and the default password is forensics.
Use the Sleuthkit commandline tools to analyze the image file you are using. (If you are not using Linux Financial Case.001 as the image file, replace Linux\ Financial\ Case.001 with the name of the file you are using in the commands listed.)
1. Open the SANS Investigative Forensic Toolkit (SIFT) Workstation.
2. Find the offset of the starting sector for the partition.
   Command: mmls imageName
   (mmls reports the Start column in sectors, 512-byte sectors by default. The -o option of every tool below also takes a sector count, so pass the Start value of the partition as-is; do not multiply it by 512. Skip the "Meta" and "Unallocated" rows, which are not file systems.)
3. Find the image's file system information (use the offset you got from mmls in step 2). The output tells you the real file system type; the -f ext2 used below is what the exercise expects for this image, so if fsstat reports something else, use that type instead.
   Command: fsstat -o offset imageName
4. Use fls to list the files and directory names.
   Command: fls -o offset -f ext2 -m "/" -r Linux\ Financial\ Case.001 > flsBody
5. Use ils to list all inode information.
   Command: ils -o offset -f ext2 -m Linux\ Financial\ Case.001 > ilsBody
6. Choose an inode from your fls list, for example, 46082. (If you use a different inode, replace 46082 with the appropriate number in these exercises.)
7. Use istat to view the details of this inode number.
   Command: istat -o offset -f ext2 Linux\ Financial\ Case.001 46082
8. Use icat to dump out the data. icat writes the raw file content to standard output, so redirect it to a file if the content is binary.
   Command: icat -o offset -f ext2 Linux\ Financial\ Case.001 46082
9. Find its filename.
   Command: ffind -o offset -f ext2 Linux\ Financial\ Case.001 46082
10. Choose a datablock number from your istat result, for example, 197122. (If you use a different datablock number, replace 197122 with the appropriate number in these exercises.)
11. Dump out the data content.
    Command: blkcat -o offset -f ext2 Linux\ Financial\ Case.001 197122
12. Find the inode number that this datablock belongs to.
    Command: ifind -o offset -f ext2 -d 197122 Linux\ Financial\ Case.001
13. Answer the Check Your Work questions.

Reprinted from: https://www.cnblogs.com/sec875/articles/10015588.html
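The hash check and the whole command sequence above, combined into one script. This is an added example written for this page; it is not part of the original lab, nor code from SIFT or The Sleuth Kit. It assumes the image is DOS- or GPT-partitioned and that the first real partition (first row of mmls whose Slot column is neither "Meta" nor "-------") is the one to analyse; the file system type ext2, inode 46082 and block 197122 are the lab's values. The mmls output embedded in the script is constructed so that the offset parser can be exercised without the evidence file or the TSK tools installed; the real tools are only invoked when both the image and mmls are present.

```shell
#!/bin/sh
# Added example, not code from the lab or from The Sleuth Kit.
# Verifies the image hashes, pulls the partition start sector out of mmls
# output, and runs the lab's Sleuthkit commands against that offset.
# Assumptions: DOS- or GPT-partitioned image, first real partition is the
# target, file system type ext2 as the lab states, inode 46082 and block
# 197122 are the lab's example values.

IMAGE="${IMAGE:-Linux Financial Case.001}"
EXPECTED_MD5=7b39de0ca146c89ad73d1d421c8f7a05
EXPECTED_SHA1=c7b06f006ff79711e692bd2620aba4cc2a4426d2
FSTYPE=ext2

# verify_hashes FILE MD5 SHA1: succeed only if both digests match.
verify_hashes() {
    file=$1; want_md5=$2; want_sha1=$3
    got_md5=$(md5sum -- "$file" | cut -d' ' -f1)
    got_sha1=$(sha1sum -- "$file" | cut -d' ' -f1)
    if [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]; then
        return 0
    fi
    echo "hash mismatch for $file: md5=$got_md5 sha1=$got_sha1" >&2
    return 1
}

# first_partition_offset MMLS_OUTPUT: print the Start sector of the first
# row whose Slot column is a real partition slot ("000:000" for DOS tables,
# "000" for GPT), skipping "Meta" rows and "-------" unallocated space.
# mmls prints sectors and -o takes sectors, so no unit conversion is done.
first_partition_offset() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+:$/ && $2 != "Meta" && $2 != "-------" { print $3 + 0; exit }'
}

# run_lab IMAGE INODE BLOCK: the lab steps, in order, against the computed offset.
run_lab() {
    image=$1; inode=$2; block=$3
    offset=$(first_partition_offset "$(mmls "$image")")
    [ -n "$offset" ] || { echo "no partition found in mmls output" >&2; return 1; }
    echo "partition starts at sector $offset"
    fsstat -o "$offset" -f "$FSTYPE" "$image"                              # file system layer
    fls -o "$offset" -f "$FSTYPE" -m "/" -r "$image" > flsBody              # file name layer, mactime body format
    ils -o "$offset" -f "$FSTYPE" -m "$image" > ilsBody                     # metadata layer, all inodes
    istat -o "$offset" -f "$FSTYPE" "$image" "$inode"                       # details of one inode
    icat -o "$offset" -f "$FSTYPE" "$image" "$inode" > "inode_$inode.bin"   # raw content, kept as a file
    ffind -o "$offset" -f "$FSTYPE" "$image" "$inode"                       # name(s) pointing at the inode
    blkcat -o "$offset" -f "$FSTYPE" "$image" "$block"                      # data layer: one block
    ifind -o "$offset" -f "$FSTYPE" -d "$block" "$image"                    # which inode owns that block
}

# Constructed mmls output (not taken from the real image) so the parser can
# be exercised without the evidence file or the TSK tools present.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0020971519   0020969472   Linux (0x83)'

echo "sample mmls output: first partition at sector $(first_partition_offset "$SAMPLE_MMLS")"

# Only touch the real image when it and the TSK tools are actually present.
if [ -f "$IMAGE" ] && command -v mmls >/dev/null 2>&1; then
    verify_hashes "$IMAGE" "$EXPECTED_MD5" "$EXPECTED_SHA1" || exit 1
    run_lab "$IMAGE" 46082 197122
fi
```

Run it from the directory holding the image (or set IMAGE to its path); the hash check aborts the script before any tool reads the image if either digest differs, and the flsBody and ilsBody files it leaves behind are the same ones the lab's individual commands produce.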