Friday, February 24, 2012

Forensics Quickie: Extracting Unallocated Space with The Sleuth Kit

FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

You'd like to do a keyword search -- not only within user documents, but within deleted items, as well. We will need to extract unallocated space, first and foremost.

The Solution
Boot up a Linux VM (I chose Ubuntu) and install The Sleuth Kit:
  • sudo apt-get install sleuthkit
If you are working with a non-raw container (E01, AFF), use xmount to "convert"* it to a dd image. Split images are picked up by using question marks as wildcards in the segment file name:
  • sudo apt-get install xmount
  • sudo xmount --in ewf ~/image.e?? /mnt/foo
Use mmls to find the offset of the partition for which you'd like to extract the unallocated space (using our newly created .dd image as input):
  • mmls /mnt/foo/image.dd

Using the starting sector of the desired partition as the offset (blkls's -o takes sectors, the same units mmls reports), run blkls and output the unallocated space to a file:
  • sudo blkls -o 411648 /mnt/foo/image.dd > ~/Evidence/image.unalloc
And that's it! Now you can do whatever you'd like with that unallocated space.
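As an added example (not code from the original post), here is a small POSIX shell helper that automates the mmls-then-blkls step above: it pulls the start sector of a chosen slot out of mmls output, can pick the largest real partition for you, and checks the offset with fsstat before blkls runs. The mmls listing embedded in it is constructed for the demonstration, and extract_unalloc assumes sleuthkit is installed and the image is already raw (or exposed as raw through xmount).

```shell
#!/bin/sh
# Constructed mmls output for demonstration only; the 411648 start sector
# of slot 03 matches the offset used in the post.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000411647   0000409600   NTFS (0x07)
03:  00:01   0000411648   0000209715199   0000209303552   NTFS (0x07)'

# slot_offset SLOT: print the start sector of mmls slot SLOT (e.g. "03").
# mmls output is read from stdin; returns 1 if the slot is not present.
slot_offset() {
    awk -v want="$1:" '$1 == want { print $3 + 0; found = 1; exit }
                       END { exit found ? 0 : 1 }'
}

# largest_slot: print the slot number of the largest real partition,
# skipping the Meta and Unallocated rows, which hold no file system to blkls.
largest_slot() {
    awk '$2 ~ /^[0-9]+:[0-9]+$/ && $5 + 0 > max { max = $5 + 0; best = $1 }
         END { if (best == "") exit 1; sub(/:$/, "", best); print best }'
}

# extract_unalloc IMAGE SLOT OUTFILE: run the post's mmls + blkls steps with
# the offset found above, confirm a file system really starts there with
# fsstat, then hash the result for the evidence log. Needs sleuthkit.
extract_unalloc() {
    image=$1; slot=$2; out=$3
    offset=$(mmls "$image" | slot_offset "$slot") || return 1
    fsstat -o "$offset" "$image" >/dev/null || return 1   # wrong offset?
    blkls -o "$offset" "$image" > "$out" || return 1
    sha256sum "$out"
}
```

Typical use is `extract_unalloc /mnt/foo/image.dd "$(mmls /mnt/foo/image.dd | largest_slot)" ~/Evidence/image.unalloc`, which records the hash of the extracted unallocated blob as soon as it is written.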

Thanks to @chadgough for spurring this post.


*It's not actually a conversion; it's a representation of the original image.
1. The Sleuth Kit
2. xmount