Using vboxmanage and some tools from SleuthKit



A key step in a forensic analysis is the creation of a timeline of the filesystem operations.
The operation can be performed using (for example) the fls tool from Sleuthkit, that exports the timeline in the bodyfile format:

Body file is a timeline format introduced by the SleuthKit.

Version 2 (used by SleuhtKit 2):

MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links | UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks

Version 3 (used by SleuhtKit 3 and later):

MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

The times are reported in a POSIX (or UNIX) timestamp.

When this operation need to be performed against a virtualbox guest, some additional steps are required.

My own procedure consist of a conversion of VM disk into RAW format, the identifcation of the correct offset of the system partition and the creation of the bodyfile.

Let’s start to see this steps:

1. Clone the VBox disk into a RAW disk image

Using the vboxmanage command:

vboxmanage clonemedium <VMDISK> ./disk.raw --format=raw

2. Get the correct offset for system partition

Using mmls, part of SleuthKit:

# mmls disk.raw

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0020948759   0020948697   NTFS / exFAT (0x07)
003:  -------   0020948760   0020971519   0000022760   Unallocated

3. Create bodyfile

Specifying correct offset (0000000063) of partition to fsl (another tool from SleuthKit):

fls -o 63 -r -m /$1.raw > disk.bodyfile

Is it scriptable?

Yes, with a quick-and-dirty bash trick to identify the largest partition on the disk:


[embed]https://gist.github.com/andreafortuna/69a075440037db9d0dcbb4c6f751d378[/embed]


References


[embed]https://www.virtualbox.org/manual/ch08.html[/embed]