Welcome back everyone. Today we're going to be talking about The Sleuth Kit, and this is going to be a general introduction to some of its tools. I am currently running on a Linux computer with Ubuntu, but most of the commands will also work if you're using The Sleuth Kit on Windows; the main difference is the way the paths to the files you access are written. So first, I already have The Sleuth Kit installed. If you're on Ubuntu, you can install it from the package manager. If you're on Windows, you can download the Windows executables from the Sleuth Kit website. I know it's installed because I can run one of the Sleuth Kit tools, mmls, and if I do mmls -V (capital V) it prints the version of the Sleuth Kit tools I have installed. I'm currently using version 4.3.1, and that's the most recent version as of today. If you're using a version that's quite different from that, I recommend upgrading; try to keep your tools updated as much as possible. The versions in the Ubuntu package manager will be a little older, so compile them yourself if you know how to do that. If not, the package manager tools will still work fine, you just might be missing some features. So first, from the command line, make sure you can actually run your tools. Here I ran mmls -V and got the expected output, so at least I know my tools are working. A little about my setup: I'm currently inside my images folder, and if I type ls I can see all of the files inside that directory.
I see that I have 4gbusb.dd and 4gbusb.info. If I want to see what's inside the info file, I can use cat, which is short for concatenate but also just prints a file's contents to the screen: cat 4gbusb.info. That lists all of the text inside the info file. This image was created with Guymager, and the info file records a little about the system that created it, the commands that created it, information about the device itself, and then the hash value. The hash value is going to be one of the most important values. Here we have a hash starting with d0d8 and ending with 5efd. So the first thing we want to do before we start working with this image is hash the image ourselves. The recorded hash is an MD5, so I can run md5sum on 4gbusb.dd, and md5sum will calculate the hash value of this four gigabyte image. It should be the same value that was recorded in 4gbusb.info, and it is: it ends in 5efd. So we know this image and the image described in the info file are the same, and we have a good starting point: the hash at least matches the recorded hash value, assuming the recorded hash value is correct. So far we've looked into the info file to get information about the image, and we've created a hash of our disk image with md5sum. We haven't actually used The Sleuth Kit to do anything except check the version of the tools installed on this system. So now I have this image, and let's say I don't know anything about it.
I need to start by getting a little more information about what is going on with this image. I can do that with img_stat, which is also part of The Sleuth Kit; you just give it the image directly. Now, my image is a raw disk image, a dd image. If this were an E01 file or another type of disk image, some of these tools might not work as expected. So the first thing to make sure of is that you're actually working with a raw disk image, or that you have libewf installed, so that you can work with Expert Witness Format images. So: img_stat and then the image name, press Enter, and we see that the image type is raw and it gives the size in bytes. Even though the file name says .dd, so we'd expect a raw disk image, this confirms that it really is one. Now that I know I'm dealing with a raw disk image, we can run mmls with the disk image name, and that gives us information about the disk itself. It has a DOS partition table, the offset sector is 0, and units are in 512-byte sectors; that's going to be important for some of the analysis we might do later. Each of these entries is either the partition table, unallocated space, or a partition. So now we can actually see the layout of the physical disk: mmls with the image name tells me the layout of the disk. This is very important, because now I know the start sector of the partition I'm interested in analyzing. Here we have three entries.
There could potentially be something in the unallocated space, although given its length there's not a lot of space there to work with, and the Primary Table entry is the partition table itself. So I might be interested in looking at those two a little, but the Win95 FAT32 entry looks like the only real partition on the disk. So I know that this four gigabyte USB image is a raw disk image, and I also know that it is a physical disk image, not a logical disk image. If it were a logical disk image, mmls would give us an error, because it wouldn't be able to parse a partition table. So be aware of the difference between a physical disk image and a logical disk image. With a physical disk image you will most likely get output like this; with a logical disk image, you just have an image of one partition, and you'll get an error whenever you give that image to mmls. So far, then: make sure you're aware of whether your disk image is a raw disk image or some other format, and make sure you know whether it's a physical disk image or a logical disk image. What are we actually analyzing here? Mine is a physical disk image because I can see the entire disk, and I want to focus on this Win95 FAT32 partition, which begins at sector 11264. So I want to focus on this partition specifically and start to get information out of it. The next thing we can do after mmls, now that we know the offset of the partition we want to look at, is use fsstat -o 11264 followed by the image name. The -o option gives the offset, and it means we're trying to get the file system information from the partition that starts at that particular offset.
There's only one partition that starts at that offset, and it's this one. What file system is on that partition? The partition type says FAT32; we're not sure yet that it really is FAT32, but it's recognized as FAT32. So: fsstat -o, the starting offset of the partition we want to analyze, and the name of the disk image, and it gives us a lot of information. Let's scroll back up. File system information for this partition: the OEM name is MSDOS5.0, so it's looking most likely like FAT32; a volume ID; no label for the volume; file system type label FAT32; the next free sector; sector and cluster sizes; the file system layout with the total range and where FAT 1 and FAT 2 are located; and the FAT contents. So that gives us information about the file system itself, and the fact that we could actually get that information means there is at least what looks like a valid file system there. I'm going to clear the screen. Next, once we know there's a file system, we're interested in the files themselves, so we want to look into the directories. I can do fls -o, the offset of the partition I'm interested in, and the disk image, and that gives us the directories and regular files inside that partition. This drive has been used quite a bit to do a lot of different things. One thing you might notice already is that we have some .crdownload entries, which are Chrome's partial download files.
So an image, most likely one of the images on this drive, was downloaded onto this USB stick, and then the .crdownload was deleted when Chrome renamed it. Looking for anything else, we have a couple of other deleted files and a deleted directory. Here is a directory apparently called pace, but with an underscore as the first character: FAT overwrites the first byte of a deleted directory entry, and fls shows that byte as an underscore, so most likely this was deleted as well. Let's say we want to look into it; its inode is 112. So fls -o 11264 with the image lists all of the files in the root directory. fls lists files, and because we didn't give it anything else, it lists the root directory of that partition on that disk image. From the disk image we found the partition offset, and inside the partition we're listing only the root directory; we could recursively list all of the files, but so far it's only the root directory. Now let's look at, for example, this WinMD5Sum portable folder, to see if there are any files inside it. I know it's a directory because of the d/d type, and its inode is 25. So we type fls, give it the offset of the partition on the physical disk image, the image name, and then the inode of the folder we want to look into, which in our case is 25. Hit Enter, and it gives me a couple of regular files and a couple more folders. So I can use this to go through and look at different files and folders, using The Sleuth Kit directly as a parser. In later videos we'll go through how to actually extract the data once we've identified files or folders we're interested in. I hope that was helpful for at least getting started.
The biggest things to think about: first, get information about the image with img_stat and the disk image you're going to analyze, to make sure it's the right type. Then use mmls to get the layout of the disk image, so we can see whether it's a physical disk or a logical disk. If it's a physical disk, we know we're going to have to use offsets; if it's a logical disk, you do not have to give an offset. In our case it's a physical disk image, so we need to get the offset of the partition we want to analyze, which is 11264. Then you can use fsstat with -o 11264 and the disk image name, 4gbusb.dd, to get the file system information from the partition at that offset. If there are multiple partitions, you can give the starting offset of each one in separate commands to find out what file systems are installed. Then fls lists the files within a given partition, by default just the root directory, but you can list recursively, list deleted files, and do a lot of other kinds of listings. Again you give it -o 11264 and the disk image name, and it gives you a list of all of the files. If I want to look into a particular file or folder, I give the inode address of that folder, or potentially the file, at the end of the command. We'll use the inode address of files later to extract the data. So that's pretty much it for starting. If you are stuck on any of the commands, for example mmls, you can just type mmls, or any of the commands, without any arguments and it will give you a help menu.
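As an added example (my own script, not from the video or from The Sleuth Kit project), here is the workflow just summarised as a small POSIX shell script: check the recorded hash, run img_stat and mmls, pull the start sector of the FAT partition out of the mmls output, and then run fsstat and fls at that offset. The parsing functions are exercised on constructed sample output (the mmls lines mimic the layout of the video's image, but only the 11264 offset comes from the video; the end/length values and the MD5 are made up), so they run without the tools installed; only run_triage needs a real image and the Sleuth Kit binaries on PATH, and it assumes md5sum from coreutils.

```shell
#!/bin/sh
# Added example, not part of the original page. Triage an image the way the
# video does, with the mmls / .info parsing separated out so it can be checked
# on sample text.

# Constructed mmls output for a 4 GB USB stick (layout only; values invented
# except the 11264 start sector used in the video).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000011263   0000011264   Unallocated
002:  000:000   0000011264   0007864319   0007853056   Win95 FAT32 (0x0b)'

# Constructed stand-in for a Guymager .info file: real ones carry many more
# fields, and the exact label of the hash line is an assumption here; the
# parser just looks for the first 32-hex-digit token, so the label does not matter.
SAMPLE_INFO='Image path: /mnt/images/4gbusb.dd
MD5 hash: d0d8f1e2a3b4c5d6e7f8091a2b3c5efd'

# sector_size MMLS_OUTPUT: the N from "Units are in N-byte sectors".
sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9]*\)-byte sectors.*/\1/p'
}

# part_offset MMLS_OUTPUT PATTERN: start sector of the first table entry whose
# line matches PATTERN (an awk regex such as FAT32 or Unallocated).
# Only lines that begin with an entry index ("002:") are considered, so the
# header and the "Offset Sector: 0" line can never match. Fails if nothing does.
part_offset() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        $1 ~ /^[0-9]+:$/ && $0 ~ pat { print $3 + 0; found = 1; exit }
        END { if (!found) exit 1 }'
}

# recorded_md5 INFO_TEXT: first 32-hex-digit token in the .info text, lower-cased.
recorded_md5() {
    printf '%s\n' "$1" | grep -o -i '[0-9a-f]\{32\}' | head -n 1 | tr 'A-Z' 'a-z'
}

# verify_image IMAGE INFO_FILE: 0 if md5sum(IMAGE) equals the recorded hash.
verify_image() {
    expected=$(recorded_md5 "$(cat "$2")")
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# run_triage IMAGE INFO_FILE: the video's steps end to end. Stops early if the
# hash does not match or mmls cannot find a partition table (logical image).
run_triage() {
    img=$1; info=$2
    verify_image "$img" "$info" || { echo "hash mismatch for $img" >&2; return 1; }
    img_stat "$img" || return 1
    layout=$(mmls "$img") || { echo "mmls failed: logical image or unknown table?" >&2; return 1; }
    printf '%s\n' "$layout"
    off=$(part_offset "$layout" 'FAT') || { echo "no FAT partition found" >&2; return 1; }
    echo "FAT partition starts at sector $off ($(sector_size "$layout")-byte sectors)"
    fsstat -o "$off" "$img" || return 1
    fls -o "$off" "$img"
}

# Usage: sh tsk_triage.sh 4gbusb.dd 4gbusb.info
if [ $# -eq 2 ]; then run_triage "$1" "$2"; fi
```

The offset is read from the mmls table rather than typed in, so the same script works on an image whose FAT partition starts elsewhere; if you are looking at a different partition, change the pattern passed to part_offset (any text from the Description column works).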
This help menu is extremely helpful. Learn how to use help menus in most programs on Linux, but especially for The Sleuth Kit; they will tell you a lot. So for now let's go through the help menu for fls. I'll clear the screen and type fls. First, fls is the command. Everything in square brackets is optional; those are options you can give the program. The image is not in brackets, so it's required. Anything not in brackets you have to provide; everything else is optional. Now, if you give fls just the image name, 4gbusb.dd, we get an error that says cannot determine file system type. The reason is that we have a physical disk image, so fls doesn't know where the file system actually starts and ends. If you're getting the cannot determine file system type error, give it the offset of where the partition begins, which in our case was 11264. You need to give at least that offset if you have a physical disk image; if you have a logical disk image, you do not have to. Next: if an inode is not given, the root directory is used. In our first commands we didn't use an inode, which goes at the end of the command, so the root directory was listed. -a displays the . and .. entries, the current and parent directory entries; some people list them just to know where they are, but you don't need to. Lowercase -d displays deleted entries only.
So if you only want to display deleted files and folders, use lowercase -d. Uppercase -D displays only directories, and -F displays only files. -l displays the long version, with more information about each file such as sizes and times. -i sets the image type, because some image types cannot be determined; you give -i and the type you want to use, raw or some other type, and -i list shows the supported types. For example, fls -i list on my version supports raw (single or split), aff, afd, afm, afflib and ewf, because of the libraries I have installed. -m displays the output in mactime input format, with its argument being the mount point of the image; mactime format is what a lot of other tools consume, so if you want to feed the output of fls into another tool they're usually asking for mactime output. We'll talk about that later. -o is the image offset in sectors, which we've already used; we really need to know the offset to be able to analyze the data. -p displays the full path for each file. -r recurses on directory entries, listing every file and directory in the file system. -u displays undeleted entries only. -v gives verbose output and -V prints the version. -z is the time zone of the original machine; sometimes it's important to set that. -s is the time skew of the original machine in seconds. So, a number of different options. For now I'll just show you -r. We have fls -o 11264, and we need to work out where to put -r: the usage line says fls, then the options, then the image.
So I put -r before -o: fls -r -o 11264 and then the disk image. -o expects a value after it, but -r does not. I don't need the inode here because I'm going to list all of the files. If I hit Enter it lists very quickly, because there are not a lot of files, but you can see that we go into each folder and list the files and folders inside it. This gives us a recursive list of all of the files and folders in the partition. So that's it for the introduction to The Sleuth Kit. I hope the commands make sense, or at least that you're able to use the help menus: mmls, or any of the Sleuth Kit commands, run without any arguments will give you the help menu. That's it for today. Thank you very much. If you liked this video, please subscribe for more.
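One more added example, mine rather than the video's, that builds on the fls options described above: list the partition recursively with full paths and deleted entries only (fls -r -p -d -o OFFSET IMAGE), turn that listing into an inode-and-path table, and optionally write a mactime body file with fls -m. The parser is checked on a constructed fls listing that follows the output format fls uses for FAT (type, an asterisk for deleted entries, the inode with a trailing colon, a tab, then the name); the file names in it are invented, and the run_* functions assume the Sleuth Kit binaries are on PATH.

```shell
#!/bin/sh
# Added example, not part of the original page: work with recursive fls output.

# Constructed fls -r -p listing (deleted entries carry "*"; one of them is
# marked "(realloc)", which fls prints when the deleted entry's clusters have
# been reallocated to another file). Built with printf so the tabs are real.
SAMPLE_FLS=$(printf 'r/r * 5:\tphoto.crdownload\nd/d 25:\tWinMD5Sum\nr/r 27:\tWinMD5Sum/WinMD5.exe\nd/d * 112:\t_ace\nr/r * 114(realloc):\t_ace/notes.txt\n')

# deleted_entries FLS_OUTPUT: one line per deleted entry, "inode<TAB>path",
# with " (realloc)" appended when fls flagged the entry as reallocated.
deleted_entries() {
    printf '%s\n' "$1" | awk 'BEGIN { FS = "\t" }
        {
            n = split($1, a, " ")           # a[1]=type  a[2]="*" if deleted  a[3]=inode
            if (n < 3 || a[2] != "*") next
            ino = a[3]
            sub(/:$/, "", ino)
            flag = (ino ~ /\(realloc\)$/) ? " (realloc)" : ""
            sub(/\(realloc\)$/, "", ino)
            printf "%s\t%s%s\n", ino, $2, flag
        }'
}

# deleted_inodes FLS_OUTPUT: the deleted inodes on one space-separated line,
# handy for feeding to icat or for a quick sanity check of counts.
deleted_inodes() {
    deleted_entries "$1" | awk 'BEGIN { FS = "\t" } { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# run_deleted OFFSET IMAGE: recursive listing of deleted entries with full paths.
# Options go before the image, -o takes a value, -r -p -d do not; an optional
# third argument is a directory inode to start from instead of the root.
run_deleted() {
    off=$1; img=$2; start=${3:-}
    fls -r -p -d -o "$off" "$img" $start
}

# run_body OFFSET IMAGE OUTFILE [TZ]: write a mactime body file for the whole
# partition (-m / uses "/" as the mount point in the paths), then print the
# timeline with mactime. -z sets the original machine's time zone if given.
run_body() {
    off=$1; img=$2; out=$3; tz=${4:-}
    if [ -n "$tz" ]; then
        fls -r -m / -z "$tz" -o "$off" "$img" > "$out"
    else
        fls -r -m / -o "$off" "$img" > "$out"
    fi && mactime -b "$out"
}

# Usage: sh fls_deleted.sh 11264 4gbusb.dd
if [ $# -eq 2 ]; then
    deleted_entries "$(run_deleted "$1" "$2")"
fi
```

Running deleted_entries on the sample listing prints inodes 5, 112 and 114 with their paths, the last one marked (realloc); on a real image the inode column is exactly what you would hand to icat -o OFFSET IMAGE INODE in the extraction step the video leaves for later, and a (realloc) entry is a warning that the content you recover may belong to a different, newer file.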