SANS Digital Forensics and Incident Response Blog

More command line forensics fu

Recently, I was asked if I could recover all images from a hard disk drive that could be linked to a specific digital camera. In this case, the EXIF data contained the make, model and serial number of the camera in question. Using some simple command fu, I was able to quickly recover all of the images. I could have used GUI tools, but I believe in keeping my command line skills polished, so I try to use them as much as I can.

Here's how I did it. For the sake of demonstration, I'm using the ipcase_ntfs.img from SANS Security 508: Computer Forensics, Investigation and Response, but the concepts are the same for any hard drive image.

To begin with, extract the strings from the image as follows:

strings --radix=d image_file > image_strings.txt

The --radix=d option causes strings to prefix each string with the decimal byte offset at which it occurs in image_file. We need those offsets to map each hit back to a location in the file system.

Next I grepped out all the lines matching the camera's serial number. For this demonstration, I'll instead pull out each line of the strings file that contains a reference to EXIF, as follows:

grep -i exif image_strings.txt > hits_exif.txt

Here is a screen shot of the resulting hits_exif.txt file:

(Screenshot: sample contents of hits_exif.txt)

From here we can craft a single compound command line statement that will recover each file containing EXIF data and verify that the files recovered are image files. Here it is:

for k in $(for i in $(awk '{print $1}' hits_exif.txt); do ifind -d $((i / 4096)) ipcase_ntfs.img; done | grep -v 'not found' | sort | uniq); do icat ipcase_ntfs.img "$k" > "$k"; file "$k"; done

The standard out for this command is:

(Screenshot: standard out for our compound command)

Let's break this command down working from the inside out. The inner for loop takes the decimal offset of each hit in hits_exif.txt and divides it by 4096, which is the cluster size of our file system image. Integer division floors the result, so an offset anywhere inside a cluster maps to that cluster's address. We found the cluster size earlier in our investigation by running fsstat against ipcase_ntfs.img.

The quotient corresponds to the cluster (data unit) address in the file system where the hit occurred. We feed that address to ifind with the -d option, which returns the MFT entry whose data attribute includes that cluster; if the cluster is unallocated, ifind reports "Inode not found" instead, and such a hit has to be carved rather than recovered through the MFT. Since several hits usually land in the same file, we pipe the MFT entries through sort and uniq to remove duplicates. Each unique MFT entry is then passed to icat, which recovers the data at that entry by writing it to a file of the same name. Finally, file is run against each newly created file and the results are printed to standard out. According to file, all but one of the newly created files are JPEG images.
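The whole procedure above, packaged as a script. This is an added example, not code from the original post, and it goes one step beyond the post: it also handles a full-disk image in which the NTFS volume starts at a partition offset, which the post's bare partition image does not need. The partition start in sectors (the value mmls reports, passed to The Sleuth Kit's -o option), the cluster size from fsstat, the mft_ output prefix and the sample hit lines are all assumptions or constructed for this example; ifind and icat are assumed to be on PATH when recover_hits is called.

```shell
#!/bin/sh
# Added example, not code from the original post. It packages the post's
# strings -> cluster -> ifind -> icat pipeline as reusable functions and
# generalises it to a full-disk image, where the file system does not start
# at byte 0. Assumptions: partition start (sectors) comes from mmls, cluster
# size from fsstat, and The Sleuth Kit tools ifind/icat are on PATH.

# Map a decimal byte offset (as printed by `strings --radix=d`) to the
# file-system data unit (cluster) that contains it.
#   $1 = byte offset into the image
#   $2 = cluster size in bytes (fsstat)
#   $3 = partition start in bytes (0 for a bare partition image)
# Offsets before the partition start (MBR, unallocated gap) are rejected;
# integer division floors to the cluster that holds the string.
offset_to_cluster() {
    off=$1; csize=$2; pstart=${3:-0}
    [ "$off" -ge "$pstart" ] || return 1
    echo $(( (off - pstart) / csize ))
}

# Read `offset string` lines on stdin (grep'd strings output) and print the
# distinct clusters that hold at least one hit, one per line, ascending.
# Several hits in one cluster collapse to a single ifind call later.
hit_clusters() {
    csize=$1; pstart=${2:-0}
    while read -r off _rest; do
        offset_to_cluster "$off" "$csize" "$pstart" || true  # skip offsets outside the volume
    done | sort -n | uniq
}

# Resolve clusters to MFT entries, dedupe, write each entry out and type it.
#   $1 = image, $2 = cluster size, $3 = partition start in 512-byte sectors
#   (what TSK's -o option takes), stdin = filtered strings output
# ifind prints an entry such as "64-128-1" (accepted as-is by icat) or
# "Inode not found" for unallocated clusters, which are dropped here.
recover_hits() {
    img=$1; csize=$2; psect=${3:-0}
    hit_clusters "$csize" $(( psect * 512 )) |
    while read -r clust; do
        ifind -o "$psect" -d "$clust" "$img"
    done | grep -v 'not found' | sort -u |
    while read -r mft; do
        icat -o "$psect" "$img" "$mft" > "mft_$mft"
        file "mft_$mft"
    done
}

# Constructed sample of `strings --radix=d image | grep -i exif` output
# (offsets and strings made up for this example).
sample_hits() {
    cat <<'EOF'
   4102 Exif
   4150 Exif
  12300 Exif
  20480 Exif
EOF
}

# Stand-alone demo of the cluster math (needs no TSK tools): with 4 KiB
# clusters and no partition offset the four hits fall in clusters 1, 3 and 5.
sample_hits | hit_clusters 4096 0

# Against a real image (requires The Sleuth Kit), e.g. a disk image whose
# NTFS partition starts at sector 2048 per mmls:
#   strings --radix=d disk.img | grep -i exif | recover_hits disk.img 4096 2048
# For a bare partition image such as ipcase_ntfs.img, pass 0 as the offset.
```

The partition offset matters because strings reports offsets from the start of the image, while ifind -d expects an address relative to the start of the file system; forgetting to subtract the partition start (and to pass -o to ifind and icat) silently resolves every hit to the wrong cluster. Dropping "Inode not found" before sort keeps those words from being fed to icat as bogus MFT addresses, as the bare one-liner would otherwise do.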

That's it. With very little practice you will be stringing together command line statements that will optimize the processing of forensic images. Give it a try, you'll be surprised at just how effective and efficient you can be with a little command line fu.

Dave Hull, GCFA Silver #3368, is an aspiring maker and technologist specializing in information security. He is the principal consultant and founder of Trusted Signal.

8 Comments

Posted November 12, 2008 at 11:46 AM

johnmccash

You could also have used exiftool, available from http://www.sno.phy.queensu.ca/~phil/exiftool/

Posted November 12, 2008 at 12:10 PM

trustedsignal

Yes, very good point. However, the principles applied in this article could just as easily be applied to recovering other types of files than just those containing exif data.
Thanks for the comment. I think all of us contributing to this site would love for it to take on a more conversational role. One of these days, I'm going to write up an entry with some of the questions I've acquired over the years doing forensics work.

Posted November 12, 2008 at 5:30 PM

vmforno

Hi, I'm just starting to read this blog and (at the same time) have started studying forensic science.
And I already have a question. What happens if someone has modified the MFT and changed all the disk geometry? How can you recover the files?
Regards from Chile.

Posted November 12, 2008 at 8:26 PM

trustedsignal

vmforno:
If you've got a hard drive image with a modified MFT, you can try using a backup copy of the MFT. Or break out foremost and try to recover files based on the file headers. It's not foolproof, few things in forensics are, but in my experience it's pretty good.
I can also tell you that during my last four years of doing forensics work, I've never come across a case where a suspect modified their MFT as an antiforensics measure. I'm sure it happens, just not very often.

Posted November 13, 2008 at 11:30 AM

vmforno

@trustedsignal:
I saw a lot of cases where the attacker modifies the MFT. Unsolved? Yes and No, it depends on the focus of the investigation.
Here is the solution: some of these attacks are just worms or viruses, because the affected machines were isolated from the Internet and were in manufacturing companies, I mean PCs that control big machines. So the operators of those PC machines were installing games or "funny stuff", and certainly no one else had access to these machines, besides which the operators didn't have any "hack" skills.
As you said " .. it happens, just not very often".
But I was thinking about whether this happens in other environments, i.e., the laptop of an executive or manager with a connection to the Internet (in this case it is very uncommon that you have a backup of the MFT).
Well, this mental exercise is just for fun. I am not asking you to solve this... my mind :)

Posted November 13, 2008 at 11:24 PM

cyberdrone007

Hi trustedsignal,
First of all, this is really good Fu! I have a question for you that has been running around my mind for some time. Here goes... when you do a file carving session (I use scalpel) the meta information is not retrieved! For example, a carved jpeg file's date and time of creation is the same as the carved-out date and time, but not the original. How can you recover this meta info? Thanks in advance

Posted November 14, 2008 at 6:40 PM

trustedsignal

@vmforno:
In the case of no MFT, you can still do strings searches to locate evidence. And you can carve the files out to recover them using dcat, dd, a hex editor... It's much more involved, obviously.
And as cyberdrone007 mentions, carving data like this may recover the files, but with no metadata. So timestamps, permissions and such are lost.
Unfortunately I don't have a good answer for recovering that metadata and this seems like a good area for research or for someone more knowledgeable to chime in.
If you know the block or cluster you're carving from, might it be possible to search the area of the disk where the MFT is normally found for a cluster list containing references to the clusters where you carved the data? At that point, would it be possible to locate other metadata for the carved file?

Posted November 16, 2008 at 7:14 PM

craigswright

On top of this, research by Sevinc Bayram, Husrev T. Sencar, and Nasir Memon has resulted in a paper, "Classification of digital camera-models based on demosaicing artifacts" (Digital Investigation, DOI: 10.1016/j.diin.2008.06.004).
The algorithm used by the camera leaves a trace as to its make and model.