[Security] The Sleuth Kit (on Mac OS X)

The Sleuth Kit on Mac OS X.
These are my personal notes.
If I've left anything out, let me know lol

The Sleuth Kit (Mac)

http://www.sleuthkit.org/index.php

$ cd /Users/luffy/tool/sleuthkit-1.72
$ make

After make finishes, the commands are created in ./bin.

・Display file system information (fsstat)
luffymac:~/test/dd luffy$ /Users/luffy/tool/sleuthkit-1.72/bin/fsstat -f ntfs e.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 14D8AFD0D8AFAF04
OEM Name: NTFS
Volume Name: ?????
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 8
First Cluster of MFT Mirror: 395592
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 265
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 2048
Total Cluster Range: 0 - 791184
Total Sector Range: 0 - 3164740

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
$FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
$OBJECT_ID (64)   Size: 0-256   Flags: Resident
$SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)   Size: 2-256   Flags: Resident
$VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
$DATA (128)   Size: No Limit   Flags:
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
$BITMAP (176)   Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)   Size: 8-8   Flags: Resident
$EA (224)   Size: 0-65536   Flags:
$LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident

・View the files inside the image (fls)
Options
 ・-f [FileSystem]  file system type
 ・-r  recursive
 ・-d  deleted entries only
 ・-u  allocated (undeleted) entries only
 ・-p  full path
luffymac:~/test/dd luffy$ /Users/luffy/tool/sleuthkit-1.72/bin/fls -u -f ntfs e.dd
r/r 4-128-4: $AttrDef
r/r 8-128-2: $BadClus
r/r 8-128-1: $BadClus:$Bad
r/r 6-128-1: $Bitmap
r/r 7-128-1: $Boot
d/d 11-144-4: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-1: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-128-8: $Secure:$SDS
r/r 9-144-14: $Secure:$SDH
r/r 9-144-11: $Secure:$SII
r/r 10-128-1: $UpCase
r/r 3-128-3: $Volume
r/r 264-128-4: debian-30r2-i386-binary-1.iso
r/r 265-128-4: debian-update-3.0r2.01-i386.iso
d/d 79-144-1: LIPS4
d/d 31-144-1: RECYCLER
d/d 71-144-1: System Volume Information
r/r 78-128-3: w241040s.exe

Each line is type, meta address, name. Regular files show as r/r and directories as d/d; a deleted entry carries a * after the type. For NTFS the meta address is MFT entry-attribute type-attribute id, so 264-128-4 is MFT entry 264, attribute type 128 ($DATA in the $AttrDef list above), attribute id 4. That is the address you hand to icat.

With -r, everything comes out (recursive listing):
luffymac:~/test/dd luffy$ /Users/luffy/tool/sleuthkit-1.72/bin/fls -r -f ntfs e.dd

・File extraction (icat)
luffymac:~/test/dd luffy$ /Users/luffy/tool/sleuthkit-1.72/bin/icat -f ntfs e.dd 265-128-4 >> debian-update-3.0r2.01-i386.iso

icat writes the raw content of the given $DATA attribute to stdout. Note that >> appends, so if a file of that name already exists in the working directory the output gets tacked on to the end of it; redirect with > into a fresh file and compare the md5 against a known hash of the ISO.
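The fls/icat steps above, turned into one repeatable pass. This is an added example, not code from the original post: it parses fls -r -p -u output and runs icat once per allocated regular file, hashing each result. It assumes the TSK 1.x fls line format (type field, an optional * for deleted entries, the meta address with a trailing colon, then a tab and the name or path); the bin path and the image name e.dd are the post's, while TSK_BIN, the output directory and the SAMPLE_FLS lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): extract every allocated
# regular file listed by fls with icat, one icat per meta address, and hash
# each result. Assumes the TSK 1.x fls line format:
#   r/r 264-128-4:<TAB>path/name       allocated file
#   r/r * 1000-128-1:<TAB>path/name    deleted file (marked with *)
#   d/d 11-144-4:<TAB>path             directory
# TSK_BIN defaults to the path used in the post; override it in the environment.
TSK_BIN="${TSK_BIN:-/Users/luffy/tool/sleuthkit-1.72/bin}"

# fls_allocated_files: read fls output on stdin and print
# "<meta address><TAB><path>" for allocated regular files only.
# Directories and deleted (*) entries are dropped; names keep their spaces
# because the split is on the single tab fls prints before the name.
fls_allocated_files() {
  awk 'BEGIN { FS = "\t" }
  {
    n = split($1, f, " ")          # f[1]=type, f[2]="*" if deleted, f[n]="addr:"
    if (f[1] != "r/r" || f[2] == "*") next
    addr = f[n]
    sub(/:$/, "", addr)            # strip the trailing colon from the address
    print addr "\t" $2
  }'
}

# extract_allocated IMAGE OUTDIR: run fls, feed it through the parser, and
# write each file out with icat. A fresh ">" redirect is used (not ">>") so a
# re-run cannot append a second copy onto an existing file.
extract_allocated() {
  img="$1"; outdir="$2"
  "$TSK_BIN/fls" -r -p -u -f ntfs "$img" | fls_allocated_files |
  while IFS="$(printf '\t')" read -r addr name; do
    mkdir -p "$outdir/$(dirname "$name")"
    "$TSK_BIN/icat" -f ntfs "$img" "$addr" > "$outdir/$name"
    md5 "$outdir/$name"            # md5(1) on Mac OS X; use md5sum on Linux
  done
}

# Constructed sample of fls -r -p -u style output (not captured from the
# post's image; the root entries are taken from the post, the "sample/" ones
# are invented) so the parser can be exercised without an image or TSK build.
SAMPLE_FLS=$(printf 'r/r 4-128-4:\t$AttrDef
d/d 11-144-4:\t$Extend
d/d 71-144-1:\tSystem Volume Information
r/r 264-128-4:\tdebian-30r2-i386-binary-1.iso
r/r 78-128-3:\tw241040s.exe
r/r * 1000-128-1:\tsample/deleted-note.txt
r/r 1001-128-1:\tsample/report with spaces.txt')

# Usage against a real image: extract_allocated e.dd ./out
# Offline demonstration of the parser alone:
printf '%s\n' "$SAMPLE_FLS" | fls_allocated_files
```

Deleted entries are skipped on purpose here because icat on a deleted entry returns whatever clusters are currently referenced, which may already belong to another file; recovering those is a separate, manual step that deserves its own review of each address.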