fls, e01, and Timelines…oh my!

14Apr11

Well I’m back once again….

I’m trying to plan out posting entries every month or two (probably closer to every two as some people will tell you :p).  But I wanted to at least get an update out from my last/first post.

First off, Rob Lee was kind enough to point out that one of the steps in my process:

losetup –o32256 –r /dev/loop0 /mnt/ewf/foobar_image

isn’t really needed.  You can skip this step and just use the mount command with the bytes offset option instead:

mount /mnt/ewf/foobar_image /mnt/windows_mount –o loop,ro,show_sys_files,offset=32256

I’m not sure why I used the losetup the first time I ever did this (aside from reading it originally on Stephen Venter’s Blog post), but I have removed that part from my process since then and it works fine.  Thanks for that info Rob!

Now, there was one part of Rob’s SuperTimeline process that I was never able to figure out how to do with an e01 image.  Specifically using fls on it.  What I would do in the past is takethe e01 image and load it into FTK imager and create a DD image from it.  Then I would run fls against the DD image.  But that’s a lot more time then I want to spend for only one part of my timeline creation process, AND it means I now have one more copy of my image.  So I did a bit more reading on the man page for fls and discovered the -i option:

(from sleuthkit.org)

-i imgtype -> Identify the type of image file, such as raw or split. Use ’-i list’ to list the supported types. If not given, autodetection methods are used.

So of course I did a fls -i list and discovered there is a ewf option you can pass to the -i switch!

Which lead me to this:

fls -r -i ewf -o (offset to start of partition, ex 63) -m c: /path/to/e01/segments.e* >> /export/path/to/bodyfile

and voila!  I get fls output against my e01 image.  Note that you have to point this command to the e01 segment files, NOT the image that you mounted.

And now, I can do Rob Lee’s SuperTimeline the E01 way!  If anyone is interested in a post about all the steps I go through with an E01 image to create my timelines, leave a comment below.  I’ll be happy to make a post on that as well (but I’ll warn you it pretty much steps through Rob’s method).

About these ads


4 Responses to “fls, e01, and Timelines…oh my!”

  1. 1 Rob Dewhirst

    If you are like me and reading this and wondering why your TSK tools don’t list any supported formats except raw and split, you need to rebuild TSK with an up-to-date version of libewf. I am sure works just fine in SIFT but if your using a system you built yourself you may run into this.

    I sort of have a question about your STL creation process since you asked. Inevitably you will have to mount the partition from the .e01 file to run things like regtime, right? So what does running fls on the e01 save you versus running it against the mounted partition?

    I had been doing this by running mount_ewf, mmls on the “mounted” raw image file to get the offset, mount the partition, then fls, etc.

    • Hi Rob,
      Thanks for the feedback and passing on that info. Yes you ned to have your TSK tools updated to take advantage of some of the options I mentioned. I was actually checking something on my Mac with fls for this post and I only had two options for the -i switch.

      In regards to why I’m running it against the E01 versus the mounted image, it’s only because when I tried to run fls against the mounted image it wouldn’t work for me. With DD images it works that way, but I couldn’t repeat it with my E01 images. Once I pointed it to the original image files it worked fine.

      If you have a way to run it against the mounted E01 image I’d love to see the command line to do it!

      Thanks again!

  2. 3 Aniket

    Great Post. I have been trying to do exactly like this since a while. What I was trying to do is, make use of splunk to read the output of log2timeline. There isan excellent post by Nick at the following linK:
    http://kleinco.com.au/thoughts-events/item/forensic-timeline-splunking

    While extracting file system timestamps, i am having trouble in E01 image. After i saw your post, it is much clear that with the help of ‘ewf’ command, this can be done.

    After i run the command below:

    fls -m “” -r -i ewf -o offset nps-2008-jean.E01 > fls.body

    I get the following error:
    Invalid image offset (tsk_parse: invalid image offset: offset)

    I am definitely screwing something up on the offset of which i don’ think i am clear. =(
    ———————————————————

    Also you mentioned If anyone is interested in a post about all the steps I go through with an E01 image to create my timelines…I am definitely interested :)
    Please let me know if you have already posted something on those lines or will be posting in near future.

    Thanks a lot!

    • Thank you for the kind words…I’ve been a bit behind in my blogging. :)

      To answer your question, the error looks like it’s in the -o command:

      fls -m “” -r -i ewf -o offset nps-2008-jean.E01 > fls.body

      It should be something like -o 63 or -o 2048, etc. The error is basically saying that it can’t find the start of the partition.

      In terms of using splunk, I’ve tried to do that actually. A friend gave me access to Splunkstorm to try out. I played with it a bit, but it doesn’t really display the data in a workable manner (for me at least).

      David Nides is currently working on a viewer tool, that I’ve been testing, that works great for me. He’ll actually be discussing it tomorrow evening at the monthly DFIROnline presentation:

      http://www.writeblocked.org/index.php/dfironline.html

      and you can follow along on his progress at:

      http://davnads.blogspot.com/

      Finally I do need to get around to posting the actual steps I go through. My timeline creation process has changed dramatically since I wrote this post. I’m not using the TSK tools to generate the timeline, just to mount the E01 image and get it ready for log2timeline to parse through.

      So the basic steps are:

      1) ewfmount /path/to/E01 /mount/point1
      (NOTE: You have to have one of the newer versions of libewf for ewfmount to work)

      2) mmls -t dos /mount/point1
      (again this is to get the partition information)

      3) mount -o ro,loop,show_sys_files,streams_interface=windows,offset= /mount/point1/rawfile /mount/point2
      (the offset in this case will either be something like 32256 or 1048576 (which is 512*63 or 512*2048 respectively))

      Then I do a ls -l /mount/point2 to make sure I see a file structure, and after that run log2timeline against it.

      Good luck!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Follow

Get every new post delivered to your Inbox.

%d bloggers like this: