SORTER(1) | General Commands Manual | SORTER(1) |
NAME
sorter - Sort files in an image into categories based on file type

SYNOPSIS
sorter [-b size ] [-e] [-E] [-h] [-l] [-md5] [-s] [-sha1] [-U] [-v] [-V] [-a hash_alert ] [-c config ] [-C config ] [-d dir ] [-m mnt ] [-n nsrl_db ] [-x hash_exclude ] [-i imgtype] [-o imgoffset] [-f fstype] image [image] [meta_addr]

DESCRIPTION
sorter is a Perl script that analyzes a file system to organize the allocated and unallocated files by file type. It runs the 'file' command on each file and organizes the files according to the rules in configuration files. Extension mismatching is also done to identify 'hidden' files (for example, an executable renamed to end in '.txt'). One can also provide hash databases of files that are known to be good and can be ignored, and of files that are known to be bad and should be alerted on.

ARGUMENTS
The required arguments are as follows. sorter will analyze one or more images and either save the results in the '-d' directory or list the results to STDOUT (if '-l' is given).
- -d dir
- Specify the location of where all files should be written. This includes the index files and subdirectories if the '-s' flag is given. This MUST be given, unless the '-l' list flag is given.
- -l
- List information to STDOUT (no files are ever written). This is useful for incident response on a live system, e.g., piping the output through 'netcat' to another host. This cannot be used if '-d' is used.
- image [images]
- The disk or partition image to read, whose format is given
with '-i'. Multiple image file names can be given if the image is split
into multiple segments. If only one image file is given, and its name is
the first in a sequence (e.g., as indicated by ending in '.001'),
subsequent image segments will be included automatically.
- -f fstype
- Specify the file system type of the image(s). This is the
same type that The Sleuth Kit uses.
- -i imgtype
- Specify the image type in which the file system is located.
This is the same type that The Sleuth Kit uses.
- -o imgoffset
- Specify the sector offset from the beginning of the image
to the start of the file system.
- -b size
- Specify the minimum size of file to process. All files less
than this size will be ignored.
- -c config
- Specify the location of an additional configuration file. This file will be loaded in addition to the standard ones in the install directory. These settings will have priority over the standard files.
- -C config
- Specify the location of the ONLY configuration file. The standard config files will not be loaded if this option is given. For example, in the 'share/sort' directory there is a file called 'images.sort'. This file contains only rules about graphic images. If it is specified with -C, then only graphic images will be categorized and saved from the image.
- -m mnt
- Specify the mounting point of the image being analyzed. This is only for cosmetic reasons. When the entries in the output files are written, the files will have the full path instead of just the relative path. If this is given, then only one image can be given.
- -a hash_alert
- Specify the location of a hash database with entries of known 'bad' files. If any file is found with an MD5 hash value in this database, it will be placed in a special alert file. This database must have been indexed for MD5 using 'hfind' in The Sleuth Kit before it is used by sorter.
- -n nsrl_db
- Specify the location of the NIST National Software Reference Library (NSRL) database (www.nsrl.nist.org). Any file found in the NSRL will be ignored and not placed into a category. The database must be indexed for MD5 with 'hfind' in The Sleuth Kit before it is used by sorter. The database file is currently called 'NSRLFile.txt'.
- -x hash_exclude
- Specify the location of a hash database with entries of known 'good' files. If any file is found with an MD5 hash value in this database, it will be ignored and not processed or saved to the category files. This database must have been indexed for MD5 using 'hfind' in The Sleuth Kit before it is used by sorter.
- -e
- Perform extension mismatch checks only (no category index files are generated).
- -U
- Do not save data about unknown file types. By default, an 'unknown' file is created for files whose 'file' output matches no rule. This allows one to refine the configuration. If this is not desired, use this flag.
- -h
- Create category files in HTML
- -md5
- Calculate the MD5 value for each file and save it in the category file. This will be done automatically when any of the databases are given.
- -sha1
- Calculate the SHA-1 value for each file and save it in the category file.
- -s
- Save the actual file content to sub-directories in the directory specified by '-d'. For example, all JPG and GIF files would actually be saved in the 'images' directory. If '-h' is also given, thumbnails of graphic images are also created.
- -v
- Display verbose information
- -V
- Display version.
- [meta_addr]
- The meta data address of the directory to start with. By
default, the root directory is used. If this is given, then only one image
can be given.
HIGH-LEVEL OVERVIEW OF PROCESS
sorter is a Perl script that interacts with other The Sleuth Kit tools. It starts by reading the configuration files from the installation directory. There is a general configuration file and a specific one for each operating system. The specific one is determined from the '-f' flag. Each configuration file contains rules for processing the output of the 'file' command. One type of line identifies which category (e.g., 'images') a given 'file' output (e.g., 'image data') belongs to, using regular expressions. Another type of rule lists the file extensions (e.g., .txt) that are expected for a given 'file' output (e.g., ASCII(.*?)text); a file whose extension is not in that list is reported as an extension mismatch. See the CONFIGURATION FILES section below.

CONFIGURATION FILES
Configuration files are used to define what file types belong in which categories and what extensions belong to what file types. Configuration files are distributed with the 'sorter' tool and are located in the installation directory in the 'share/sorter' directory. Each rule is one line: the keyword 'category' or 'ext', one argument (a category name, or a comma-separated list of extensions), and a regular expression that is matched against the 'file' output. For example:

category images image data
category text ASCII(.*?)text
category data ^data?
ext txt,log ASCII(.*?)text
ext c,cpp,h,js ASCII(.*?)text
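The rule matching described in the two sections above, re-implemented in Python as an added example (it is not sorter's own Perl code): the config syntax is parsed, each file is put into the first matching 'category', 'ext' rules drive the extension-mismatch check, and MD5 digests are compared against sets standing in for the hfind-indexed '-x'/'-n' exclude and '-a' alert databases. The `file` output and file contents are constructed and embedded so it runs offline; first-match-wins ordering, the JPEG/GIF 'ext' rules, and the choice not to flag extensionless files are assumptions of this example, not documented sorter behaviour.

```python
"""sorter-style categorization, extension mismatch and hash filtering over constructed input."""
import hashlib
import os
import re

# Constructed rule text in sorter's config syntax. The first five lines are the page's
# own examples; the JPEG/GIF ext rules are added here as an assumption.
RULES = """\
category images image data
category text ASCII(.*?)text
category data ^data?
ext txt,log ASCII(.*?)text
ext c,cpp,h,js ASCII(.*?)text
ext jpg,jpeg JPEG image data
ext gif GIF image data
"""


def parse_rules(text):
    """Return (category_rules, ext_rules); each rule keeps its regex compiled once."""
    category_rules, ext_rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # keyword, argument, rest-of-line regex
        if len(parts) != 3:
            raise ValueError(f"malformed rule: {raw!r}")
        kind, arg, pattern = parts
        regex = re.compile(pattern)
        if kind == "category":
            category_rules.append((arg, regex))
        elif kind == "ext":
            ext_rules.append((frozenset(e.lower() for e in arg.split(",")), regex))
        else:
            raise ValueError(f"unknown rule type {kind!r} in {raw!r}")
    return category_rules, ext_rules


def categorize(file_output, category_rules):
    """First category whose regex matches the `file` output wins (assumed ordering);
    with no match the file goes to 'unknown', as sorter does without -U."""
    for name, regex in category_rules:
        if regex.search(file_output):
            return name
    return "unknown"


def extension_mismatch(path, file_output, ext_rules):
    """True when ext rules describe this file type but the name's extension is not among
    the extensions they allow. Extensionless names and types covered by no ext rule are
    not flagged (assumptions of this example)."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if not ext:
        return False
    allowed = set()
    for exts, regex in ext_rules:
        if regex.search(file_output):
            allowed |= exts
    return bool(allowed) and ext not in allowed


def sort_files(files, rules_text=RULES, alert_hashes=(), exclude_hashes=()):
    """files: iterable of (path, file_output, content). Hash sets hold MD5 hex digests,
    as an hfind-indexed MD5 database would. Returns a report dict."""
    category_rules, ext_rules = parse_rules(rules_text)
    alert = {h.lower() for h in alert_hashes}
    exclude = {h.lower() for h in exclude_hashes}
    report = {"categories": {}, "mismatch": [], "alert": [], "excluded": []}
    for path, file_output, content in files:
        md5 = hashlib.md5(content).hexdigest()
        if md5 in exclude:  # -x / -n: known good, never processed or saved
            report["excluded"].append(path)
            continue
        if md5 in alert:  # -a: known bad is recorded in the alert file
            report["alert"].append((path, md5))
        cat = categorize(file_output, category_rules)
        report["categories"].setdefault(cat, []).append(path)
        if extension_mismatch(path, file_output, ext_rules):
            report["mismatch"].append(path)
    return report


# Constructed stand-ins for `file` output and file bytes from an image.
SAMPLE_FILES = [
    ("/Documents/notes.txt", "ASCII text", b"meeting at 10\n"),
    ("/Documents/photo.jpg", "JPEG image data, JFIF standard 1.01", b"\xff\xd8\xff\xe0JFIF"),
    ("/Windows/Temp/report.txt", "JPEG image data, JFIF standard 1.01", b"\xff\xd8\xff\xe0hidden"),
    ("/WINDOWS/system32/notepad.exe", "PE32 executable (GUI) Intel 80386", b"notepad bytes"),
    ("/WINDOWS/system32/drivers/r00t.sys", "PE32 executable (native) Intel 80386", b"rootkit bytes"),
    ("/pagefile.sys", "data", b"\x00\x01\x02"),
]
KNOWN_GOOD = {hashlib.md5(b"notepad bytes").hexdigest()}  # stands in for -x / -n
KNOWN_BAD = {hashlib.md5(b"rootkit bytes").hexdigest()}  # stands in for -a

if __name__ == "__main__":
    r = sort_files(SAMPLE_FILES, alert_hashes=KNOWN_BAD, exclude_hashes=KNOWN_GOOD)
    for cat, paths in sorted(r["categories"].items()):
        print(f"{cat}: {', '.join(paths)}")
    print("extension mismatch:", r["mismatch"])
    print("alert:", r["alert"])
    print("excluded:", r["excluded"])
```

Running it puts 'report.txt' in the images category and also on the mismatch list, because its `file` output says JPEG while its extension belongs to the ASCII-text rules; the known-good notepad.exe is dropped before categorization, and the rootkit driver is both categorized ('unknown', since no category rule matches PE32 output) and written to the alert list. The real tool needs the hash databases indexed with 'hfind' first, as the ARGUMENTS section says.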
EXAMPLES
To run sorter with no hash databases, the following can be used:

# sorter -f ntfs -d data/sorter images/hda1.dd
# sorter -d data/sorter images/hda1.dd

To analyze a file system that starts at sector 63 of a raw disk image:

# sorter -i raw -f ntfs -o 63 -d data/sorter images/hda.dd

To also use an alert database, an exclude database and the NSRL (each already indexed for MD5 with 'hfind'):

# sorter -f ntfs -d data/sorter -a /usr/hash/rootkit.db -x /usr/hash/win2k.db -n /usr/hash/nsrl/NSRLFile.txt images/hda1.dd

To save only graphic images, with HTML index files and thumbnails:

# sorter -f ntfs -C /usr/local/sleuthkit/share/sort/images.sort -d data/sorter -h -s images/hda1.dd