The @stake Sleuth Kit (TASK) www.atstake.com/research/tools/index.html Brian Carrier [carrier@atstake.com] INTRODUCTION ============================================================================= The @stake Sleuth Kit (TASK) is an open source forensic toolkit for analyzing Microsoft and UNIX file systems. TASK enables investigators to identify and recover evidence from images acquired during incident response or from live systems. TASK is open source, which allows investigators to verify the actions of the tool or customize it to specific needs. The @stake Sleuth Kit (TASK) integrates the file system analysis tools of The Coroner's Toolkit (TCT), by Wietse Venema and Dan Farmer, with TCTUTILs and adds new features. Major new features include platform independence and support for the NTFS (see docs/ntfs.README), FAT (see docs/fat.README), and Palm (coming soon) file systems. Refer to the CHANGES.FROM.TCT file for specific differences. It is highly recommended that these command line tools can be used with the 1.60 version of the Autopsy Forensic Browser. Autopsy, (http://www.atstake.com/research/tools/index.html), is a graphical interface to the tools of TASK and automates many of the procedures and provides features such as image searching and MD5 image integrity checks. As with any investigation tool, any results found with TASK should be be recreated with a second tool to verify the data. OVERVIEW ============================================================================= TASK allows one to analyze a file system image created by 'dd', or a similar application. This image must be of the partition only (not the full disk) and must not have any embedded checksum values. These tools are low-level and each performs a single task. When used together, they can perform a full analysis. For a more detailed description of these tools, refer to docs/filesystem.README. The tools are briefly described in a file system layered approach. Each tool name begins with a letter that is assigned to the layer. Some names have changed from their use in TCT and TCTUTILs. File System Layer: A disk contains one or more partitions (or slices). Each of these partitions contain a file system. Examples of file systems include the Berkeley Fast File System (FFS), Extended 2 File System (EXT2FS), File Allocation Table (FAT), and New Technologies File System (NTFS). The fsstat tool (new in TASK) displays file system details in an ASCII format. Examples of data in this display include volume name, last mounting time, and the details about each "group" in UNIX file systems. Content Layer (data): The content layer of a file system contains the actual file content, or data. Data is stored in large chunks, with names such as blocks, fragments, and clusters. All tools in this layer begin with the letter 'd'. The dcat (bcat in TCTUTILs) tool can be used to display the contents of a specific unit of the file system (similar to what 'dd' can do with a few arguments). The unit size is file system dependent. The 'dls' (unrm in TCT) tool displays the contents of all unallocated units of a file system, resulting in a stream of bytes of deleted content. The output can be searched for deleted file content. The 'dcalc' (TCTUTILs) program allows one to identify the unit location in the original image of a unit in the 'dls' generated image. A new feature of TASK is the '-l' argument to 'dls'. This argument lists the details for data units, similar to the 'ils' command. The 'dstat' tool (new to TASK) displays the statistics of a specific data unit (including allocation status and group number). Meta Data Layer (inode): The meta data layer describes a file or directory. This layer contains descriptive data such as dates and size as well as the addresses of the data units. This layer describes the file in terms that the computer can process efficiently. The structures that the data is stored in have names such as inode and directory entry. All tools in this layer begin with an 'i'. The ils (TCT) program lists some values of the meta data structures. By default, it will only list the unallocated ones. The istat (TCTUTILs) displays meta data information in an ASCII format about a specific structure. New to TASK is that 'istat' will display the destination of symbolic links. The icat (TCT) function displays the contents of the data units allocated to the meta data structure (similar to the UNIX cat(1) command). The ifind (find_inode in TCTUTILs) tool will identify which meta data structure has allocated a given content unit. Refer to the ntfs.README doc for information on addressing meta data attributes in NTFS. Human Interface Layer (file): The human interface layer allows one to interact with files in a manner that is more convenient than directly with the meta data layer. In some operating systems there are separate structures for the meta data and human interface layers while others combine them. All tools in this layer begin with the letter 'f'. The fls (TCTUTILs) program lists file and directory names. This tool will display the names of deleted files as well. The ffind (find_file in TCTUTILs) program will identify the name of the file that has allocated a given meta data structure. With some file systems, deleted files will be identified. Time Line Generation ----------------------------------------------------------------------------- Time lines are useful to quickly get a picture of file activity. Using TASK a time line of file MAC times can be easily made. The mactime (TCT) program takes as input the 'body' file that was generated by fls and ils. To get data on allocated and unallocated file names, use 'fls -rm dir' and for unallocated inodes use 'ils -m'. Note that the behavior of these tools are different than in TCT and TCTUTILs. For more information, refer to docs/mac.README. Other ----------------------------------------------------------------------------- Also included in TASK are the file and and md5 programs that were included in TCT. The sha1 program has also been added so that lookups can be performed in the NIST Software Reference Library. LICENSE ============================================================================= The file system tools (in the src/fstools directory) are released under the IBM open source license, located in the "LICENSE" file. 'mactime' is released under the GNU Public License. Other tools in the src directory have additional Licenses. INSTALL ============================================================================= For installation instructions, refer to the INSTALL document. OTHER DOCS ============================================================================= The 'docs' directory contains documents that describe the provided tools in more detail. The 'tct.docs' directory contains some of the original documents from The Coroner's Toolkit (TCT). MAILING LIST ============================================================================= Mailing lists exist on SourceForge, for both users and a low-volume announcements list. http://sourceforge.net/mail/?group_id=55685 There is also a TCT mailing list on porcupine.org. To subscribe, send mail to majordomo@porcupine.org with a message body of: subscribe tct-users ----------------------------------------------------------------------------- July 17, 2002 Brian Carrier