An Ontology for Digital Forensics in IT Security Incidents - OPUS
An Ontology for Digital Forensics in IT Security Incidents - OPUS
An Ontology for Digital Forensics in IT Security Incidents - OPUS
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
4.3. FORENSIC TOOLS 25<br />
4.3.1 The Sleuth Kit<br />
The Sleuth Kit[Carrier, 2012a] is a collection of programs <strong>for</strong> analys<strong>in</strong>g the<br />
data on a hard disk respectively on an image of it[Carrier, 2012b]. It was<br />
developed by Brian Carrier, author of [Carrier, 2005]. The programs are subdivided<br />
<strong>in</strong>to categories. The tools are subdivided accord<strong>in</strong>g to the categories<br />
that are shown <strong>in</strong> section 4.2.1:[Carrier, 2012c]<br />
• File System<br />
fsstat Shows le system details and statistics <strong>in</strong>clud<strong>in</strong>g layout, sizes,<br />
and labels. <strong>An</strong> example output is shown <strong>in</strong> the appendix <strong>in</strong> list<strong>in</strong>g<br />
B.1.<br />
• File Name<br />
s Lists allocated and deleted le names <strong>in</strong> a directory.<br />
• Metadata<br />
icat Extracts the data units of a le, which is specied by its meta<br />
data address (<strong>in</strong>stead of the le name).<br />
<strong>An</strong>other set of tools can be used to extract the le system structure from a<br />
disk or disk image.<br />
• mmls Displays the layout of a disk, <strong>in</strong>clud<strong>in</strong>g the unallocated spaces.<br />
For most commands an oset of the beg<strong>in</strong>n<strong>in</strong>g of the image is required, as<br />
the image does not necessarily start with the rst partition or the partition<br />
one wants to analyse. The mmls command displays the structure of the<br />
image and the required oset can be read from the output. The output <strong>for</strong><br />
the example of section 3.2 is similar to the example given <strong>in</strong> list<strong>in</strong>g 4.1. In<br />
this example the rst partition starts at 63. The tools <strong>for</strong> extract<strong>in</strong>g the<br />
<strong>in</strong><strong>for</strong>mation from this partition need to be started with -o 63.<br />
DOS Partition Table<br />
Offset Sector : 0<br />
Units are <strong>in</strong> 512 - byte sectors<br />
Slot Start End Length Description<br />
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)<br />
01: ----- 0000000000 0000000062 0000000063 Unallocated<br />
02: 00:00 0000000063 0020948759 0020948697 NTFS (0 x07 )<br />
03: ----- 0020948760 0020971519 0000022760 Unallocated<br />
List<strong>in</strong>g 4.1: Sample output of mmls