Friday, February 24, 2012

Forensics Quickie: Extracting Unallocated Space with The Sleuth Kit

FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

Scenario
You'd like to do a keyword search -- not only within user documents, but within deleted items, as well. We will need to extract unallocated space, first and foremost.

The Solution
Boot up a Linux VM (I chose Ubuntu) and install The Sleuth Kit:
  • sudo apt-get install sleuthkit
If you are working with a non-raw container (E01, AFF), use xmount to "convert"* it to a dd image. Split images can be handled by using question marks as wildcards in the filename:
  • sudo apt-get install xmount
  • sudo xmount --in ewf ~/image.e?? /mnt/foo
Use mmls to find the offset of the partition for which you'd like to extract the unallocated space (using our newly created .dd image as input):
  • mmls /mnt/foo/image.dd

Using the starting sector of the desired partition as the offset, run blkls and output the unallocated space to a file:
  • sudo blkls -o 411648 /mnt/foo/image.dd > ~/Evidence/image.unalloc
And that's it! Now you can do whatever you'd like with that unallocated space.
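The mmls-then-blkls step, as an added shell example that is not from the original post: it reads the start sector of a chosen mmls entry and hands it to blkls as the offset, so the number is never copied by hand. The function names (sector_size, part_start, extract_unalloc) are my own, the mmls listing below is constructed for the offline check, and the mmls column layout and the blkls -b/-o options are assumed to be as shown.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes mmls prints the column
# layout shown below ("NNN:  Slot  Start  End  Length  Description") and that
# blkls accepts -b (device sector size) and -o (offset in sectors).

# Constructed sample mmls listing, used for the offline check; the start
# sector of entry 003 matches the 411648 offset used in the post.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000411647   0000409600   NTFS / exFAT (0x07)
003:  000:001   0000411648   0020971519   0020559872   NTFS / exFAT (0x07)'

# sector_size <mmls output>: the unit mmls reports its sector numbers in.
sector_size() {
    printf '%s\n' "$1" | awk '/^Units are in [0-9]+-byte sectors/ {
        sub(/-byte.*/, "", $4); print $4; exit }'
}

# part_start <mmls output> <entry number>: prints the start sector of that
# entry with leading zeros stripped; fails if there is no such entry.
part_start() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == sprintf("%03d:", want) {
            sub(/^0+/, "", $3); print ($3 == "" ? 0 : $3); found = 1 }
        END { exit found ? 0 : 1 }'
}

# extract_unalloc <image> <entry number> <output file>: the post's mmls-then-
# blkls step, with the offset taken from the listing instead of typed by hand.
extract_unalloc() {
    image=$1; entry=$2; out=$3
    table=$(mmls "$image") || return 1
    start=$(part_start "$table" "$entry") ||
        { echo "mmls entry $entry not found in $image" >&2; return 1; }
    blkls -b "$(sector_size "$table")" -o "$start" "$image" > "$out"
}
```

With mmls and blkls on the PATH, `extract_unalloc /mnt/foo/image.dd 3 ~/Evidence/image.unalloc` reproduces the post's blkls command for entry 003.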

Thanks to @chadgough for spurring this post.

-Dan (@4n6k)

*It's not actually a conversion; it's a representation of the original image.
References
1. The Sleuth Kit
2. xmount

Sunday, January 8, 2012

Forensics Quickie: Recovering Deleted Files With Scalpel (.CR2 Photos)

FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

Scenario
SD card was accidentally formatted; RAW photos in .cr2 format from a Canon Rebel T3 needed to be recovered.

The Solution
Boot up a Linux VM (I chose Ubuntu) and install Scalpel with:
  • sudo apt-get install scalpel
Check to see if the required filetype signature is supported by Scalpel by default:
  • sudo vi /etc/scalpel/scalpel.conf
If it's there, simply uncomment it. If it's not there, add an entry for it. I didn't see .cr2 in there, so I added an entry with my desired extension (cr2), signature case sensitivity (y), maximum file size to carve (17825792), and header signature (with no footer):
  • cr2     y       17825792 \x49\x49\x2A\x00\x10\x00\x00\x00\x43\x52
Run Scalpel with parameters for the desired image file (it can be a split image) and the output directory:
  • scalpel [imageFile.dd] -o [outputDir]
You can, of course, do this with other filetypes as well. But if you ever need to add unsupported filetypes to scalpel.conf, that's how you do it. And if you find that your custom signature entry works, be sure to email it to the creators.

-Dan (@4n6k)

References
1. Download Scalpel: Digital Forensics Solutions