The Sleuth Kit Framework  4.1
Extraction Phase and Populating the Database

Overview

As outlined on the main page, there are three phases to the framework:

This section of the document focuses on the first phase: extraction. It describes how to get disk image contents into a database for later analysis.

Database

The framework requires a database to store the results and file data. As described in Services Section, an instance of TskImgDB needs to be created. Refer to that section and the implementation class documents for more details.

File System Files

To get files from a disk image into the database, you will use an implementation of the TskImageFile interface. The framework comes with a Sleuth Kit-based implementation in TskImageFileTsk. Refer to the previous Services Section for details on creating one of them and finding an implementation.

After creating an instance of TskImageFile and calling one of the TskImageFile.open() methods, the TskImageFile.extractFiles() method is called. This will analyze the partitions and files in the image and add all of its results to the TskImgDB instance that was registered with TskServices.

Note that TskImageFile should be calling Scheduler with a TaskType.FileAnalysis task for each file that it extracts so that the file can be later analyzed.

Carving Files

The TskImageFile.extractFiles() method does not perform file carving. It only focuses on file system-level files. To carve, you need some additional classes.

Preparing for Carving

The CarvePrep interface focuses on getting data ready for carving. Specifically this step will create one or more "unallocated images" that will be later carved. The framework comes with the TskCarvePrepSectorConcat class that concatenates unallocated sectors together into chunks. This should serve most of your carving needs.

Regardless of the approach used to prepare for carving, the class should be calling Scheduler with a TaskType.Carve task for each unallocated image file that it creates that needs to be carved. The framework requires that each unallocated image file to be carved is assigned an ID. You can get one by calling TskImageDB.addUnallocImg().

TskImageDB has methods for storing information on what went into each unallocated image file. The TskImageDB.addAllocUnallocMapInfo() method maintains a table in the database so that a file carved from the unallocated image file can be mapped to its location in the original image file.

The framework does not impose any requirements on where the unallocated image files must be stored (or if they are stored at all). However, the later carving procedures must know how to find the unallocated image data based only on its ID.

Performing the Carve

Carving is done using an implementation of CarveExtract. This interface gets the unallocated image ID passed into it. It must know how to find the unallocated image file, which is dependent on the implementation of CarvePrep that was used.

The framework comes with TskCarveExtractScalpel, which is an implementation using Scalpel. Refer to its description for details on using it. You can use it as an example if you want to incorporate your own carving tool.

The CarveExtract class will analyze an unallocated image file when its CarveExtract.processFile() method is called. For each file that it finds, it must add the file to the database with TskImgDB.addCarvedFileInfo() and schedule it for analysis with Scheduler. TskImgDB.getUnallocRun() is used to map the location in the unallocated image to the original image.

Summary

Before the files can be analyzed, they must be added to TskImgDB. TskImgFile deals with the file system-based files and CarvePrep and CarveExtract deal with the carved files. After the files are in the database, they can be analyzed in a pipeline.


Copyright © 2011-2013 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.