# Phase 3: System & Disk Forensics
CLI equivalents of EnCase, FTK, and commercial forensic suites. The Sleuth Kit (TSK) provides the same forensic primitives — disk imaging, file system analysis, timeline reconstruction, deleted file recovery — entirely from the terminal.
## Forensic Imaging

```bash
# Bit-for-bit disk image with progress and hashing
dc3dd if=/dev/sda of=evidence.dd hash=sha256 log=imaging.log
# Create E01 (EnCase format) image
# -t target name, -C case number, -D description, -e examiner name, -N notes
ewfacquire /dev/sda -t evidence -C "Case 2026-001" -D "Subject laptop SSD" -e "Examiner" -N "Case notes"
# Verify E01 integrity (recomputes and compares the stored hashes)
ewfverify evidence.E01
# Inspect E01 metadata
ewfinfo evidence.E01
# Mount E01 read-only via FUSE; the raw image appears as /mnt/evidence/ewf1,
# which the TSK tools below can read directly
mkdir -p /mnt/evidence
ewfmount evidence.E01 /mnt/evidence
```
## Partition & Filesystem Analysis

```bash
# List partitions in image (the start sector of each partition is the -o offset below)
mmls evidence.dd
# Filesystem details (type, block size, inode count)
fsstat -o 2048 evidence.dd
# Image file details (format, size, sector size)
img_stat evidence.dd
```
## File Listing & Recovery

```bash
# List all files (including deleted — marked with *)
fls -r -o 2048 evidence.dd
# List deleted files only
fls -r -d -o 2048 evidence.dd
# Extract file by inode
icat -o 2048 evidence.dd 12345 > recovered_file.pdf
# Inode details (timestamps, size, block pointers)
istat -o 2048 evidence.dd 12345
# Extract raw data blocks
blkcat -o 2048 evidence.dd 500 > raw_block.bin
```
## Timeline Analysis

This is the killer feature — what EnCase charges thousands for.

```bash
# Step 1: Generate body file (TSK mactime format)
fls -r -m "/" -o 2048 evidence.dd > body.txt
# Step 2: Create a comma-delimited timeline (-d) with ISO 8601 dates (-y)
mactime -b body.txt -d -y > timeline.csv
# Step 3: Filter timeline to date range of interest (mactime accepts start..end)
mactime -b body.txt 2026-03-01..2026-03-15
# Step 4: Analyze with awk — find files touched during incident window
# (fields are comma-separated; with -y the date column compares as a plain string,
# so "< 2026-03-13" keeps all of 2026-03-12)
awk -F',' '$1 >= "2026-03-10" && $1 < "2026-03-13" {print $1, $NF}' timeline.csv
# Combine with file type analysis
mactime -b body.txt 2026-03-01..2026-03-15 | awk '/\.exe|\.dll|\.ps1/{print}'
```
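The body file that `fls -m` writes is the pivot for everything above, so it is worth seeing what `mactime` actually does with it. The following is an added example, not code from the page or from The Sleuth Kit: it parses the TSK 3.x body-file format (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds, `" (deleted)"` appended to unallocated names), collapses each file's four timestamps into MACB-flagged rows, restricts them to an incident window and applies the same extension filter as the awk one-liner. The body file content, the 2026 dates and the file names are constructed for the demonstration.

```python
"""Build a mactime-style MACB timeline from a TSK body file (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


def utc(iso: str) -> datetime:
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def epoch(iso: str) -> int:
    """Epoch seconds for an ISO timestamp; used only to build the readable sample."""
    return int(utc(iso).timestamp())


# Constructed sample in the body-file format written by `fls -m`:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = "\n".join([
    "0|/Users/alice/Downloads/invoice.pdf|12345|r/rrw-r--r--|501|20|88412|"
    f"{epoch('2026-03-10T10:10:00Z')}|{epoch('2026-03-10T10:00:00Z')}|"
    f"{epoch('2026-03-10T10:00:00Z')}|{epoch('2026-03-10T10:00:00Z')}",
    "0|/Windows/Temp/svc.exe (deleted)|67890|r/rrwxr-xr-x|0|0|204800|"
    f"{epoch('2026-03-11T00:05:00Z')}|{epoch('2026-03-11T00:00:00Z')}|"
    f"{epoch('2026-03-11T00:02:00Z')}|{epoch('2026-03-11T00:00:00Z')}",
    "0|/Users/alice/notes.txt|11111|r/rrw-r--r--|501|20|120|"
    f"{epoch('2026-02-03T09:00:00Z')}|{epoch('2026-02-01T08:00:00Z')}|"
    f"{epoch('2026-02-01T08:00:00Z')}|{epoch('2026-02-01T08:00:00Z')}",
])


@dataclass(frozen=True)
class TimelineRow:
    when: datetime   # UTC instant
    macb: str        # e.g. "m.cb": which of mtime/atime/ctime/crtime equal this instant
    size: int
    mode: str
    uid: int
    gid: int
    inode: str
    name: str

    @property
    def deleted(self) -> bool:
        return self.name.endswith(" (deleted)")

    def csv(self) -> str:
        """Same column order as mactime -d: Date,Size,Type,Mode,UID,GID,Meta,File Name."""
        return ",".join([self.when.strftime("%Y-%m-%dT%H:%M:%SZ"), str(self.size),
                         self.macb, self.mode, str(self.uid), str(self.gid),
                         self.inode, self.name])


def parse_body(text: str) -> list[list[str]]:
    """Split body-file lines into their 11 fields, skipping blanks and comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        entries.append(fields)
    return entries


def build_timeline(body_text: str, start: datetime | None = None,
                   end: datetime | None = None) -> list[TimelineRow]:
    """One row per (file, instant) with MACB flags, restricted to [start, end)."""
    rows = []
    for _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime in parse_body(body_text):
        stamps = {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)}
        by_instant: dict[int, set[str]] = {}
        for flag, ts in stamps.items():
            if ts == 0:          # unset timestamp: nothing to place on the timeline
                continue
            by_instant.setdefault(ts, set()).add(flag)
        for ts, flags in by_instant.items():
            when = datetime.fromtimestamp(ts, tz=timezone.utc)
            if (start is not None and when < start) or (end is not None and when >= end):
                continue
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append(TimelineRow(when, macb, int(size), mode, int(uid), int(gid), inode, name))
    rows.sort(key=lambda r: (r.when, r.name))
    return rows


def with_extensions(rows, suffixes=(".exe", ".dll", ".ps1")):
    """Keep rows whose file name (ignoring the deleted marker) ends with one of the suffixes."""
    def base(name):
        return name[:-len(" (deleted)")] if name.endswith(" (deleted)") else name
    return [r for r in rows if base(r.name).lower().endswith(suffixes)]


INCIDENT_WINDOW = (utc("2026-03-10T00:00:00Z"), utc("2026-03-13T00:00:00Z"))


def incident_rows() -> list[TimelineRow]:
    return build_timeline(SAMPLE_BODY, *INCIDENT_WINDOW)


if __name__ == "__main__":
    print("Date,Size,Type,Mode,UID,GID,Meta,File Name")
    for row in incident_rows():
        print(row.csv())
```

Run it and the deleted `svc.exe` shows up as three rows (creation and modification at one instant, metadata change two minutes later, last access three minutes after that), which is the kind of sequence a single file listing hides. Filtering by window before sorting keeps memory bounded on large body files.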
## File Carving (Deleted File Recovery)

```bash
# PhotoRec — interactive carving from disk/image
photorec evidence.dd
# Foremost — header/footer based carving
foremost -t pdf,jpg,png,doc -i evidence.dd -o /output/carved/
# Scalpel — configurable carving (edit scalpel.conf for custom signatures)
scalpel -c /etc/scalpel/scalpel.conf -o /output/carved/ evidence.dd
# Bulk extractor — extract artifacts (emails, URLs, credit cards, GPS)
bulk_extractor -o /output/bulk/ evidence.dd
```
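Foremost and Scalpel both work from a header/footer signature table, and the failure mode to understand is a header with no footer in range (a truncated or fragmented file). The following is an added example, not code from the page or from either tool: a small carver with a scalpel.conf-style table for JPEG (`FF D8 FF` ... `FF D9`) and PNG (8-byte magic ... `IEND` plus its fixed CRC), scanned over a constructed in-memory "image" that contains one of each plus a truncated JPEG. The byte strings and offsets are constructed for the demonstration.

```python
"""Header/footer file carving over a raw image buffer (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Signature table in the spirit of scalpel.conf: kind -> (header, footer, max size).
# JPEG starts FF D8 FF and ends FF D9; PNG starts with its 8-byte magic and ends
# with the IEND chunk followed by its fixed CRC AE 42 60 82.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 1_000_000),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 1_000_000),
}


@dataclass(frozen=True)
class CarvedFile:
    kind: str
    offset: int
    length: int
    complete: bool   # False when no footer was found before max size / end of image


def carve(data: bytes, signatures=SIGNATURES) -> list[CarvedFile]:
    """Scan each signature independently (foremost-style), then sort hits by offset."""
    hits = []
    for kind, (header, footer, max_size) in signatures.items():
        start = 0
        while (pos := data.find(header, start)) != -1:
            # Look for the footer after the header, allowing it to straddle the size cap.
            end = data.find(footer, pos + len(header), pos + max_size + len(footer))
            if end != -1:
                length = end + len(footer) - pos
                hits.append(CarvedFile(kind, pos, length, True))
                start = end + len(footer)
            else:
                # No footer: carve up to max size (or end of image) and mark it incomplete,
                # then keep scanning right after this header so nested headers are not lost.
                length = min(max_size, len(data) - pos)
                hits.append(CarvedFile(kind, pos, length, False))
                start = pos + len(header)
    return sorted(hits, key=lambda h: (h.offset, h.kind))


def extract(data: bytes, hit: CarvedFile) -> bytes:
    return data[hit.offset: hit.offset + hit.length]


# Constructed "disk image": filler bytes with a small JPEG, a small PNG and a
# truncated JPEG (header but no footer) embedded at known offsets 100, 195 and 266.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 32 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x22" * 13
              + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"\x33" * 20
SAMPLE_IMAGE = (b"\x00" * 100 + SAMPLE_JPEG + b"\x00" * 50 + SAMPLE_PNG
                + b"\x00" * 30 + TRUNCATED_JPEG)


def carve_sample() -> list[CarvedFile]:
    return carve(SAMPLE_IMAGE)


if __name__ == "__main__":
    for hit in carve_sample():
        print(f"{hit.kind:5} offset={hit.offset:6} len={hit.length:6} complete={hit.complete}")
```

Real carvers read the image in chunks rather than as one `bytes` object, and the `complete=False` hits are exactly the ones to review by hand (or to reject, as `foremost` does by default for some types) rather than trust.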
## Hash Analysis

```bash
# Generate hash set for known files
find /path -type f -exec sha256sum {} \; > known_hashes.txt
# Compare against NSRL (National Software Reference Library): build the index once
# (the NSRL set is keyed by SHA-1), then look individual hashes up against it
hfind -i nsrl-sha1 /path/to/nsrl/NSRLFile.txt
hfind /path/to/nsrl/NSRLFile.txt <sha1-hash>
# Recursive integrity check
hashdeep -r -c sha256 /evidence/ > baseline.txt
hashdeep -r -c sha256 -a -k baseline.txt /evidence/ # audit mode
# Find files matching known-bad hashes
# (evidence_hashes.txt in sha256sum "hash  path" form; -F matches the hash literally)
while read -r hash file; do
    grep -qF "$hash" known_bad.txt && echo "MATCH: $file"
done < evidence_hashes.txt
```
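`hashdeep -a -k` audit mode does more than a line-by-line diff: it distinguishes changed, moved, new and missing files. The following is an added example, not code from the page or from hashdeep: it parses the hashdeep listing format (a `%%%%` header line declaring the columns, `##` comment lines, then `size,hash,path` rows), reproduces those audit categories between a constructed baseline and a constructed re-run, and applies the known-bad hash check from the shell loop above. The hash values, paths and case number are constructed; the parser assumes a single-algorithm listing as produced with `-c sha256`.

```python
"""Audit a hashdeep listing against a baseline and flag known-bad hashes (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed SHA-256 values (not real file hashes), 64 hex characters each.
H_LS, H_PASSWD, H_PASSWD_NEW, H_LOG, H_SVC = (
    "a1" * 32, "b2" * 32, "b3" * 32, "c4" * 32, "d5" * 32)

# hashdeep writes a '%%%%' format header, '##' comment lines, then size,hash,path rows.
BASELINE = f"""\
%%%% HASHDEEP-1.0
%%%% size,sha256,filename
## Invoked from: /cases/2026-001
## $ hashdeep -r -c sha256 /evidence/
##
1024,{H_LS},/evidence/bin/ls
2048,{H_PASSWD},/evidence/etc/passwd
512,{H_LOG},/evidence/tmp/old.log
"""

# Same tree hashed again later: passwd changed, old.log renamed, svc.exe appeared.
CURRENT = f"""\
%%%% HASHDEEP-1.0
%%%% size,sha256,filename
## Invoked from: /cases/2026-001
## $ hashdeep -r -c sha256 /evidence/
##
1024,{H_LS},/evidence/bin/ls
2048,{H_PASSWD_NEW},/evidence/etc/passwd
512,{H_LOG},/evidence/tmp/archive.log
4096,{H_SVC},/evidence/tmp/svc.exe
"""

KNOWN_BAD = {H_SVC}   # constructed known-bad set (e.g. hashes from an IR report)


def parse_hashdeep(text: str) -> dict[str, tuple[int, str]]:
    """Map path -> (size, hash), honoring the column order declared in the header."""
    columns = ["size", "sha256", "filename"]
    entries = {}
    for line in text.splitlines():
        if line.startswith("%%%% size,"):
            columns = line[len("%%%% "):].split(",")
        elif not line or line.startswith(("%%%%", "##")):
            continue
        else:
            # The path is the last column and may itself contain commas.
            parts = line.split(",", len(columns) - 1)
            rec = dict(zip(columns, parts))
            entries[rec["filename"]] = (int(rec["size"]), rec[columns[1]].lower())
    return entries


@dataclass
class AuditReport:
    matched: list[str] = field(default_factory=list)
    changed: list[str] = field(default_factory=list)
    moved: list[tuple[str, str]] = field(default_factory=list)   # (old path, new path)
    new: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not (self.changed or self.moved or self.new or self.missing)


def audit(baseline: dict, current: dict) -> AuditReport:
    """Classify every path the way hashdeep -a -k reports: matched/changed/moved/new/missing."""
    report = AuditReport()
    base_by_hash: dict[str, list[str]] = {}
    for path, (_size, h) in baseline.items():
        base_by_hash.setdefault(h, []).append(path)
    cur_hashes = {h for _size, h in current.values()}
    for path, (_size, h) in sorted(current.items()):
        if path in baseline:
            (report.matched if baseline[path][1] == h else report.changed).append(path)
        elif h in base_by_hash:       # known content at a new location
            report.moved.append((base_by_hash[h][0], path))
        else:
            report.new.append(path)
    for path, (_size, h) in sorted(baseline.items()):
        # A baseline path is "missing" only if its content is gone entirely, not moved.
        if path not in current and h not in cur_hashes:
            report.missing.append(path)
    return report


def flag_known_bad(listing: dict, known_bad: set[str]) -> list[str]:
    """Paths whose hash is in the known-bad set (exact, case-insensitive match)."""
    bad = {h.lower() for h in known_bad}
    return sorted(path for path, (_size, h) in listing.items() if h in bad)


def run_sample() -> AuditReport:
    return audit(parse_hashdeep(BASELINE), parse_hashdeep(CURRENT))


if __name__ == "__main__":
    print(run_sample())
    print("known-bad:", flag_known_bad(parse_hashdeep(CURRENT), KNOWN_BAD))
```

Exact-hash matching, as in the shell loop, only catches files byte-identical to a known-bad sample; it is a cheap first pass, not a substitute for the timeline and carving work above.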
## Signature Search

```bash
# Find JPEG signatures in raw disk
sigfind -b 512 0xFFD8FFE0 evidence.dd
# Sort files by category using TSK sorter
sorter -d /output/sorted/ -o 2048 evidence.dd
# String extraction from binary/disk
strings -a -n 8 evidence.dd | grep -i "password\|secret\|key"
# Hex analysis of specific offset
xxd -s 0x1000 -l 512 evidence.dd
```
## EnCase Feature Mapping

| EnCase Feature | CLI Equivalent | Notes |
|---|---|---|
| Acquire Evidence | `dc3dd`, `ewfacquire` | E01 format supported via libewf |
| Evidence Processor | | Parallel with |
| File System Browser | `fls` | Pipe to |
| Timeline | `fls -m`, `mactime` | CSV output — grep, awk, sort |
| Deleted File Recovery | `fls -d`, `icat` | More precise than EnCase point-and-click |
| File Carving | `photorec`, `foremost`, `scalpel` | Configurable signatures |
| Hash Analysis | `hfind`, `hashdeep` | Same database, CLI access |
| Keyword Search | `strings`, `grep` | |
| Bookmarks / Tags | filesystem + notes | Use directory structure + metadata files |
| Reporting | | Generate from pipeline output |