Difference between pages "JTAG Forensics" and "The Sleuth Kit"

From ForensicsWiki
= JTAG Forensics =

== Definition ==

=== From Wikipedia ([http://en.wikipedia.org/wiki/Joint_Test_Action_Group http://en.wikipedia.org/wiki/Joint_Test_Action_Group]): ===

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

=== Forensic Application ===

JTAG forensics is an acquisition procedure which involves connecting to the Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips. JTAGging supported phones can be an extremely effective technique to extract a full physical image from devices that cannot be acquired by other means.

== Tools and Equipment ==

* [[JTAG and Chip-Off Tools and Equipment]]

== Procedures ==

* [[JTAG HTC Wildfire S]]
* [[JTAG LG P930 (Nitro HD)]]
* [[JTAG Samsung Galaxy S4 (SGH-I337)]]

= The Sleuth Kit =

{{Infobox_Software |
  name = The Sleuth Kit |
  maintainer = [[Brian Carrier]] |
  os = {{Linux}}, {{FreeBSD}}, {{OpenBSD}}, {{Mac OS X}}, {{SunOS}} |
  genre = {{Analysis}} |
  license = {{IBM Open Source License}}, {{Common Public License}}, {{GPL}} |
  website = [http://www.sleuthkit.org/ sleuthkit.org] |
}}

'''The Sleuth Kit''' ('''TSK''') is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems, and TSK supports [[FAT]] (12/16/32), [[Ext2]]/[[Ext3|3]], [[NTFS]], [[Ufs|UFS]] (1 & 2), and ISO 9660 [[file system]]s.

[[Autopsy]] is a frontend for TSK which allows browser-based access to the TSK tools.

=Features=

The Sleuth Kit is arranged in layers. There is a ''data layer'' which is concerned with how information is stored on a disk, and a ''metadata layer'' which is concerned with information such as [[inode]]s and [[directory|directories]]. The commands that deal with the data layer are prefixed with the letter ''d'', while the commands that deal with the metadata layer are prefixed with the letter ''i''.

Some of the commands in Sleuth Kit are:

; blkcat
: Views the contents of a [[block]].
; blkls
: Lists [[unallocated block]]s, which makes keyword searches more efficient.
; blkcalc
: Tells you where unallocated blocks are.
; blkstat
: Details about a given block.
; icat
: Views the contents of a file given its inode value or [[cluster number]]. It does not list directories; it outputs the file's contents.
; ils
: Lists the file extents on a disk.
; istat
: Information about an inode number.
==File Systems Understood==

* [[NTFS]]
* [[FAT]]
* [[Ext2]], [[Ext3]], [[Ext4]]
* [[Ufs|UFS]] (1 & 2)
* ISO 9660
* [[HFS+]]
* [[Yaffs]]
==File Search Facilities==

* Lists allocated and unallocated files.
* Lists and sorts by file type.
* Shows times of creation and change.
==Historical Reconstruction==

'''fls''' and '''ils''' can be used to create a full listing of file system timestamps. The output of these commands can be fed into '''mactime''', which generates a timeline of the file system timestamps.
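The fls/ils to mactime step described above, as an added example that is not part of the original page or of The Sleuth Kit itself: a small Python re-implementation of the mactime timeline step over the TSK 3.x body-file format that `fls -m` and `ils -m` write (layout assumed: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime). The sample body lines are constructed, not output from any real image.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Timestamp columns of a TSK 3.x body-file line and their MACB letters:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (layout assumed)
TIME_FIELDS = (("atime", "a"), ("mtime", "m"), ("ctime", "c"), ("crtime", "b"))

def parse_body_line(line):
    """Split one body-file line into a dict; blank and '#' lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split("|")
    if len(f) != 11:
        raise ValueError("expected 11 pipe-separated fields, got %d" % len(f))
    rec = {"md5": f[0], "name": f[1], "inode": f[2], "mode": f[3], "size": int(f[6])}
    rec.update(zip(("atime", "mtime", "ctime", "crtime"), map(int, f[7:11])))
    return rec

def build_timeline(lines):
    """Return [(epoch, macb, name, inode, size)] sorted by time, as mactime does.
    A zero timestamp means 'not set' and is skipped; timestamps of one file that
    share a value collapse into a single row with a combined MACB string."""
    rows = []
    for line in lines:
        rec = parse_body_line(line)
        if rec is None:
            continue
        by_time = defaultdict(list)
        for key, letter in TIME_FIELDS:
            if rec[key] != 0:
                by_time[rec[key]].append(letter)
        for t, letters in by_time.items():
            macb = "".join(c if c in letters else "." for c in "macb")
            rows.append((t, macb, rec["name"], rec["inode"], rec["size"]))
    return sorted(rows)

def format_row(row):
    """Render one timeline row as 'UTC-time MACB size inode name'."""
    t, macb, name, inode, size = row
    stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return "%s %s %8d %s %s" % (stamp, macb, size, inode, name)

# Constructed sample: what `fls -m / -r image.dd` might emit (not real output).
SAMPLE_BODY = """
0|/etc/passwd|12|r/rrw-r--r--|0|0|1024|1389400000|1389300000|1389300000|1389300000
0|/home/user/notes.txt|45|r/rrw-------|1000|1000|512|1389500000|1389500000|1389500500|1389450000
0|/tmp/evil.sh (deleted)|99|r/rrwxr-xr-x|1000|1000|200|0|1389520000|1389520000|1389520000
""".strip().splitlines()
```

Printing `format_row(r)` for each row of `build_timeline(SAMPLE_BODY)` gives the familiar mactime-style listing, with the deleted script's modification, change and creation times collapsed into one `m.cb` row.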
==Searching Abilities==

* Searches for keywords.
* Builds an index.

==Hash Databases==

* Uses [[MD5]] or [[SHA-1]].
* Interfaces with NIST [[NSRL]], [[Hashkeeper]] and custom databases.

==Evidence Collection Features==

* Tracks forensic activity.
=History=

==License Notes==

"The file system tools (in the src/fstools directory) are released under the IBM open source license and Common Public License, both are located in the license directory. The modifications to 'mactime' from the original 'mactime' in TCT and 'mac-daddy' are released under the Common Public License. Other tools in the src directory are either Common Public License or the GNU Public License."
== Ext4 support ==

In 2011 [[Willi Ballenthin]] provided [http://www.williballenthin.com/ext4/ patches] for the SleuthKit to add ext4 support. These patches were integrated by [[Kevin Fairbanks]] into a separate [https://github.com/kfairbanks/sleuthkit/tree/Ext4_Dev fork of the SleuthKit]. This fork is currently being worked on.
= See Also =

* [[The Sleuth Kit How-To]]
* [[tsk-cp]]
* The mmls [[OCFA treegraph API]] example module.

= External Links =

* [http://www.sleuthkit.org/autopsy/desc.php Autopsy website]
* [https://github.com/kfairbanks/sleuthkit/tree/Ext4_Dev Fork of the SleuthKit with ext4 support], by [[Kevin Fairbanks]]

==External Reviews==

Revision as of 15:38, 12 January 2014
