HOWTO: index and search forensic disk images with dtSearch
If you primarily use Linux and The Sleuth Kit/Autopsy to perform forensic investigations, you will already know there are certain limitations to searching in TSK. The following is the approach I use to provide a more thorough search.
Overview of search strategy
In an effort to be very thorough, my strategy combines indexing and bitwise (binary) searches. Indexing has several advantages: it is very fast once the index is built, it understands file formats, and it supports advanced searches such as fuzzy word matching (common or close spellings of a word). However, relying solely on the file system can easily miss key fragments and simply will not work for unstructured data (memory images, pagefile, swap space, etc.). So I also index the raw data with a filtered binary algorithm.
Detailed steps for forensic searches
All of this “magic” is done using a combination of Linux, The Sleuth Kit and dtSearch Desktop. dtSearch is commercial, yet affordable, search software that runs primarily on Windows (they have an SDK for Linux but not the slick user interface). The following assumes you have a dd image of a hard drive and can extract the file system. Also, I run dtSearch on a Windows XP machine under VMware Workstation. You can then allow the XP guest to access your Linux file system (read-only or read-write).
- Mount the file system read-only on the Linux workstation (be sure your non-root account has access). For an NTFS image, I issue the following (the offset is the partition start in bytes; 63 sectors × 512 bytes = 32256):
mount -t ntfs -o ro,loop,show_sys_files,offset=32256,umask=222 /cases/case001/images/sda-img.dd /cases/fs-readonly/
- Extract the unallocated space from the image (using TSK, i.e. dls without the -s flag, or Autopsy)
- Run foremost (or scalpel) on the unallocated space to carve any files from it
- Extract the slack space from the image, e.g. with dls (renamed blkls in later Sleuth Kit releases; here -o takes the same partition start, in sectors):
dls -s -f ntfs -o 63 -i raw /cases/case001/images/sda-img.dd > /cases/case001/extracted-files/slack.dd
- Run foremost (or scalpel) on the slack space to carve any files from it
- Allow the dtSearch system read-only access to the mounted file system and the extracted files (both the raw slack/unallocated files and the foremost output)
- Create an index in dtSearch (or several, if you don’t want everything in one index). Allow dtSearch to index the following:
  - the read-only NTFS file system with access to all system files (very important to catch things like snapshots in System Volume Information)
  - the raw slack file
  - the directory with files carved from slack
  - the raw unallocated file
  - the directory with files carved from unallocated space
- Start the index and get some coffee (or go to bed)
- When complete, search away. If you created multiple indexes, you can then search the allocated and carved files and the raw binary files separately. dtSearch uses a “filtered binary” approach to raw files which has proven quite effective in my cases.
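The Linux side of the procedure above (mount, extract unallocated and slack, carve, hash the extracts) as one script. This is an added example, not code from the original post; it assumes 512-byte sectors, the current Sleuth Kit tool name blkls (dls in older releases, as in the post), and a case directory layout of your choosing.

```shell
#!/bin/sh
# Added example: wraps the mount/extract/carve steps in reusable functions.
# Assumes 512-byte sectors and TSK's blkls (dls on older releases).
# Paths passed in are placeholders; adjust to your case layout.

SECTOR_SIZE=512

# Convert a partition start sector (from mmls) into the byte offset mount needs.
byte_offset() {
    echo $(( $1 * SECTOR_SIZE ))
}

# Build the read-only mount options used above; umask=222 strips write bits
# and show_sys_files exposes $MFT, System Volume Information, etc.
mount_opts() {
    echo "ro,loop,show_sys_files,offset=$(byte_offset "$1"),umask=222"
}

# Mount the NTFS volume read-only, extract unallocated and slack with blkls,
# carve both with foremost, and record hashes of every raw extract produced.
extract_all() {
    img=$1; start=$2; out=$3   # image, partition start sector, case output dir
    mkdir -p "$out/fs-readonly" "$out/extracted-files"
    mount -t ntfs -o "$(mount_opts "$start")" "$img" "$out/fs-readonly"
    # blkls without -s writes unallocated blocks; -s writes file slack.
    blkls    -f ntfs -o "$start" -i raw "$img" > "$out/extracted-files/unalloc.dd"
    blkls -s -f ntfs -o "$start" -i raw "$img" > "$out/extracted-files/slack.dd"
    foremost -i "$out/extracted-files/unalloc.dd" -o "$out/extracted-files/carved-unalloc"
    foremost -i "$out/extracted-files/slack.dd"   -o "$out/extracted-files/carved-slack"
    # Hash the raw extracts so the indexed copies can be tied back to the image.
    sha256sum "$out/extracted-files"/*.dd > "$out/extracted-files/SHA256SUMS"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -eq 3 ]; then
    extract_all "$1" "$2" "$3"
fi
```

Invoke as root with the image, the partition start sector and the case directory, e.g. `sh extract.sh /cases/case001/images/sda-img.dd 63 /cases/case001`; the resulting fs-readonly and extracted-files directories are what you then expose read-only to the dtSearch guest.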
I’m sure there are many other ways to approach this problem. Also, I am not familiar with the commercial tools; however, I believe FTK uses a “lite” version of dtSearch in its product. Please share your approach to this problem.