task-1.52-2mdk.ppc.rpm

                   The @stake Sleuth Kit (TASK)
            www.atstake.com/research/tools/index.html


               Brian Carrier [carrier@atstake.com]



INTRODUCTION
=============================================================================
The @stake Sleuth Kit (TASK) is an open source forensic toolkit for
analyzing Microsoft and UNIX file systems.  TASK enables investigators
to identify and recover evidence from images acquired during incident
response or from live systems.  TASK is open source, which allows
investigators to verify the actions of the tool or customize it to
specific needs.

The @stake Sleuth Kit (TASK) integrates the file system analysis tools
of The Coroner's Toolkit (TCT), by Wietse Venema and Dan Farmer, with
TCTUTILs and adds new features.  Major new features include platform
independence and support for the NTFS (see docs/ntfs.README), FAT (see
docs/fat.README), and Palm (coming soon) file systems.  Refer to the
CHANGES.FROM.TCT file for specific differences.

It is highly recommended that these command line tools be used with
version 1.60 of the Autopsy Forensic Browser.  Autopsy
(http://www.atstake.com/research/tools/index.html) is a graphical
interface to the tools of TASK; it automates many of the procedures and
provides features such as image searching and MD5 image integrity checks.

As with any investigation tool, any results found with TASK should
be recreated with a second tool to verify the data.



OVERVIEW
=============================================================================
TASK allows one to analyze a file system image created by 'dd', or a
similar application.  This image must be of the partition only (not
the full disk) and must not have any embedded checksum values.

These tools are low-level and each performs a single task.  When
used together, they can perform a full analysis.  For a more detailed
description of these tools, refer to docs/filesystem.README.  The
tools are briefly described in a file system layered approach.  Each
tool name begins with a letter that is assigned to the layer.  Some 
names have changed from their use in TCT and TCTUTILs.  


File System Layer:
A disk contains one or more partitions (or slices).  Each of these
partitions contains a file system.  Examples of file systems include
the Berkeley Fast File System (FFS), Extended 2 File System (EXT2FS),
File Allocation Table (FAT), and New Technologies File System (NTFS).

The fsstat tool (new in TASK) displays file system details in an ASCII
format.  Examples of data in this display include volume name, last
mounting time, and the details about each "group" in UNIX file systems.  


Content Layer (data):
The content layer of a file system contains the actual file content,
or data.  Data is stored in large chunks, with names such as blocks,
fragments, and clusters.  All tools in this layer begin with the letter
'd'.  

The dcat (bcat in TCTUTILs) tool can be used to display the contents of
a specific unit of the file system (similar to what 'dd' can do with a
few arguments).  The unit size is file system dependent.  The 'dls' (unrm
in TCT) tool displays the contents of all unallocated units of a file
system, resulting in a stream of bytes of deleted content.  The output
can be searched for deleted file content.  The 'dcalc' (TCTUTILs) program
allows one to identify the unit location in the original image of a unit
in the 'dls' generated image.   

A new feature of TASK is the '-l' argument to 'dls'.  This argument lists
the details for data units, similar to the 'ils' command.  The 'dstat'
tool (new to TASK) displays the statistics of a specific data unit
(including allocation status and group number).
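As an added illustration (not code from TASK) of how 'dls' and 'dcalc' relate: a constructed allocation map stands in for the block bitmap that the real tools read from the image, dls_units() yields the units 'dls' would copy, and dcalc_to_original() maps an address in that 'dls' image back to the original image. Unit numbers are 0-based here.

```python
# Added illustration of the dls / dcalc relationship; not TASK code.
# A constructed allocation map stands in for a file system's block bitmap:
# True = allocated, False = unallocated.  Unit numbers are 0-based here.
ALLOC_MAP = [True, True, False, True, False, False, True, False, True, True]


def dls_units(alloc_map):
    """Units that 'dls' would write, in order: every unallocated unit."""
    return [unit for unit, allocated in enumerate(alloc_map) if not allocated]


def dcalc_to_original(alloc_map, dls_addr):
    """Map unit address dls_addr in a 'dls' image to the original image.

    Walks the allocation map counting unallocated units until the
    dls_addr-th one is reached.  Raises ValueError if the address lies
    beyond the end of the dls image.
    """
    unallocated_seen = 0
    for unit, allocated in enumerate(alloc_map):
        if allocated:
            continue
        if unallocated_seen == dls_addr:
            return unit
        unallocated_seen += 1
    raise ValueError(f"dls address {dls_addr} is past the end of the dls image")


def original_to_dls(alloc_map, orig_addr):
    """Inverse mapping: original unit -> position in the dls image.

    Returns None for an allocated unit, which 'dls' would not have copied.
    """
    if alloc_map[orig_addr]:
        return None
    return sum(1 for allocated in alloc_map[:orig_addr] if not allocated)


if __name__ == "__main__":
    print("dls image consists of original units:", dls_units(ALLOC_MAP))
    for dls_addr in range(len(dls_units(ALLOC_MAP))):
        orig = dcalc_to_original(ALLOC_MAP, dls_addr)
        print(f"dls unit {dls_addr} -> original unit {orig}")
```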


Meta Data Layer (inode):
The meta data layer describes a file or directory.  This layer contains
descriptive data such as dates and size as well as the addresses of the
data units.  This layer describes the file in terms that the computer
can process efficiently.   The structures that the data is stored in
have names such as inode and directory entry.  All tools in this layer
begin with an 'i'.  

The ils (TCT) program lists some values of the meta data structures.
By default, it will only list the unallocated ones.  The istat (TCTUTILs)
tool displays meta data information in an ASCII format about a specific
structure.  New to TASK is that 'istat' will display the destination of
symbolic links.  The icat (TCT) function displays the contents of
the data units allocated to the meta data structure (similar to
the UNIX cat(1) command).  The ifind (find_inode in TCTUTILs) tool
will identify which meta data structure has allocated a given content
unit.

Refer to the ntfs.README doc for information on addressing meta data
attributes in NTFS.


Human Interface Layer (file):
The human interface layer allows one to interact with files in a
manner that is more convenient than directly with the meta data
layer.  In some operating systems there are separate structures for
the meta data and human interface layers while others combine them.
All tools in this layer begin with the letter 'f'.  

The fls (TCTUTILs) program lists file and directory names.  This
tool will display the names of deleted files as well.  The ffind
(find_file in TCTUTILs) program will identify the name of the file
that has allocated a given meta data structure.  With some file
systems, deleted files will be identified.  


Time Line Generation
-----------------------------------------------------------------------------
Time lines are useful to quickly get a picture of file activity.  Using
TASK a time line of file MAC times can be easily made.  The mactime (TCT)
program takes as input the 'body' file that was generated by fls and ils.
To get data on allocated and unallocated file names, use 'fls -rm dir'
and for unallocated inodes use 'ils -m'.  Note that the behavior of these
tools is different from that in TCT and TCTUTILs.  For more information,
refer to docs/mac.README.



Other
-----------------------------------------------------------------------------
Also included in TASK are the file and md5 programs that were included
in TCT.  The sha1 program has also been added so that lookups can be
performed in the NIST Software Reference Library.  


LICENSE
=============================================================================
The file system tools (in the src/fstools directory) are released under
the IBM open source license, located in the "LICENSE" file.  'mactime'
is released under the GNU Public License.  Other tools in the src
directory have additional licenses.


INSTALL
=============================================================================
For installation instructions, refer to the INSTALL document.


OTHER DOCS
=============================================================================
The 'docs' directory contains documents that describe the provided tools
in more detail.  The 'tct.docs' directory contains some of the original
documents from The Coroner's Toolkit (TCT).


MAILING LIST
=============================================================================
Mailing lists exist on SourceForge, for both users and a low-volume
announcements list.
	
    http://sourceforge.net/mail/?group_id=55685

There is also a TCT mailing list on porcupine.org. To subscribe, send mail
to majordomo@porcupine.org with a message body of: subscribe tct-users


-----------------------------------------------------------------------------
July 17, 2002
Brian Carrier