Forensic Labs

links: DF TOC - Labs & Tools - Index


Document the filesystem (separate for each partition)

All Sleuth Kit filesystem tools below accept -o partition_offset (the partition's start sector, as shown by mmls) when the image holds a partition table; run the checklist once per partition.

  1. How many blocks are allocated?

     Use the fsstat command from Sleuth Kit to display filesystem statistics, including the block size and the number of allocated blocks.

    fsstat /path/to/image
    

  2. How many normal files and directories?

     Use fls to list the allocated (undeleted, -u) entries recursively with full paths (-p), then count them by the entry type at the start of each line (r/r for regular files, d/d for directories).

    fls -r -p -u /path/to/image | grep -c '^r/'  # count regular files
    fls -r -p -u /path/to/image | grep -c '^d/'  # count directories
    

  3. How many deleted files and directories?

     Again, use fls with the -d option to list only deleted entries. The directory-entry type of a deleted entry may be unknown (shown as -), so count on the metadata type after the slash.

    fls -r -p -d /path/to/image | grep -c '^./r'  # deleted files
    fls -r -p -d /path/to/image | grep -c '^./d'  # deleted directories
    

Sectors and blocks

  1. Choose a random sector number inside a partition

     mmls prints the start and end sector of each partition; pick a sector in that range.

  2. View the sector with a hex editor

     xxd serves as a hex viewer: seek to the sector's byte offset (512-byte sectors assumed) and dump exactly one sector.

    xxd -s $((sector_number * 512)) -l 512 /path/to/image
    

  3. In what filesystem block is the sector?

     Filesystem blocks are numbered from the start of the partition, so subtract the partition's start sector and divide by the number of sectors per block (the block size comes from fsstat). blkcat then displays the contents of that block.

    block_number=$(( (sector_number - partition_offset) * 512 / block_size ))
    blkcat -o partition_offset /path/to/image $block_number
    

  4. Is the block allocated?

     blkstat reports the allocation status of a single block (Allocated or Not Allocated).

    blkstat -o partition_offset /path/to/image block_number
    

  5. If yes, what is the file name?

     ifind -d maps a data block to the inode that owns it, and ffind maps the inode to a file name (grepping the inode number in fls -r -p output works as well).

    ifind -o partition_offset -d block_number /path/to/image
    ffind -o partition_offset /path/to/image inode_number
    
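As an added example (not code from the lab page), this POSIX shell script chains the steps in this section: it computes the block that holds a sector, asks blkstat whether the block is allocated, and resolves the owning file with ifind and ffind. It assumes 512-byte sectors, a partition start sector taken from mmls and a block size taken from fsstat; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the lab page: map a raw image sector to its
# filesystem block, then to the file that owns the block, with Sleuth Kit.
# Assumes 512-byte sectors; PART_START (sectors) comes from mmls and
# BLOCK_SIZE (bytes) from fsstat. Function names are the example's own.

# sector_to_block SECTOR PART_START BLOCK_SIZE
# Blocks are numbered from the partition start, so a sector before it is
# an error rather than a negative block number.
sector_to_block() {
    if [ "$1" -lt "$2" ]; then
        echo "sector $1 lies before partition start $2" >&2
        return 1
    fi
    echo $(( ($1 - $2) * 512 / $3 ))
}

# sector_offset_in_block SECTOR PART_START BLOCK_SIZE
# Byte offset of the sector inside its block (0 when they start together).
sector_offset_in_block() {
    echo $(( (($1 - $2) * 512) % $3 ))
}

# resolve_sector IMAGE PART_START BLOCK_SIZE SECTOR
# blkstat answers "is it allocated?"; ifind -d maps the block to an inode
# and ffind maps the inode to a name. Needs the sleuthkit tools on PATH.
resolve_sector() {
    image=$1; part_start=$2; block_size=$3; sector=$4
    block=$(sector_to_block "$sector" "$part_start" "$block_size") || return 1
    offset=$(sector_offset_in_block "$sector" "$part_start" "$block_size")
    echo "sector $sector -> block $block (byte $offset of the block)"
    # blkstat prints a line reading exactly "Allocated" or "Not Allocated"
    if blkstat -o "$part_start" "$image" "$block" | grep -qx 'Allocated'; then
        inode=$(ifind -o "$part_start" -d "$block" "$image") || return 1
        echo "owned by inode $inode:"
        ffind -o "$part_start" "$image" "$inode"
    else
        echo "block $block is unallocated (no owning file; carving territory)"
    fi
}

# Only runs the Sleuth Kit chain when invoked with arguments, e.g.
#   sh resolve_sector.sh disk.dd 2048 4096 10240
if [ "$#" -eq 4 ]; then
    resolve_sector "$1" "$2" "$3" "$4"
fi
```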

Document the files in one filesystem

  1. Choose a filename (from fls -r)

     Use fls to list files recursively with their full paths.

    fls -r -p /path/to/image
    

  2. What is the inode or MFT number?

     The fls output shows it before each file name (on NTFS the MFT entry number plays the role of the inode).

  3. How many blocks does it use?

     Use istat to get the inode's metadata, including the list of blocks it uses.

    istat /path/to/image inode_number
    

  4. What is the logical file size?

     The istat command output includes the logical file size.

  5. Extract the file

     Use icat to extract the file content.

    icat /path/to/image inode_number > output_file
    

  6. Extract the file slack

     icat -s writes the file together with the slack space at the end of its last block; the slack alone is whatever follows the logical file size reported by istat.

    icat -s /path/to/image inode_number > file_with_slack
    tail -c +$((file_size + 1)) file_with_slack > file_slack
    

  7. What are the timestamps?

     istat provides the detailed timestamp information (access, modification and inode change times, plus creation time where the filesystem records it).

Deleted files

  1. Find a deleted file (from fls -r)

     Use fls -r -d to list only deleted entries.

    fls -r -p -d /path/to/image
    

  2. Is it already overwritten?

     Use istat to see whether the inode is still unallocated and which data blocks it pointed to; blkstat on those blocks shows whether another file has since reallocated them.

  3. Recover the file (if possible)

     Use icat to recover the deleted file if its blocks have not been overwritten.

    icat /path/to/image inode_number > recovered_file
    
