
How to do it...
Open Windows Command Prompt and change the directory to bin (you can find it in the folder where you unpacked the archive you downloaded). Let's start with the Media Management Layer Tools:
- The first thing you should do is to figure out which system volume type you have. Of course, there is a tool for this in The Sleuth Kit. It's called mmstat. Let's use it on one of the images we acquired in the previous recipes:
mmstat X:146-2017.E01

- We now know the system volume type and are ready to use the next tool, mmls. This tool helps an examiner determine the layout of a disk, including the unallocated space. Let's use it:
mmls -t dos X:146-2017.E01
The output of the preceding command is as follows:

As you can see, we have gathered a lot of valuable information about our disk (as you remember, we imaged a drive in the previous recipes). Now you know the starting sectors, ending sectors, and lengths of all partitions and unallocated spaces.
- Let's move on to the File System Layer Tools. To learn more about each of the partitions, we have the fsstat tool. To use it, we need the partition offset, which you can get from the mmls output. Let's learn more about the largest partition we have, which starts at sector 1435658:
fsstat -o 1435648 X:146-2017.E01
The output of the preceding command is as follows:

As you can see in the preceding figure, fsstat collects lots of useful information about a partition: Volume Serial Number, Cluster Size, First Cluster of MFT, First Cluster of MFT mirror, and so on.
- Let's now look at the File Name Layer Tools. For example, the fls tool allows examiners to list allocated and deleted file names in a directory. Again, we need the partition offset to use this tool:
fls -o 1435648 X:146-2017.E01
The output for the preceding command is as follows:

- Let's go further and create a bodyfile with fls. This is a truly useful feature that helps Windows forensic examiners create timelines of file activity. Here is how we create it:
fls -r -m "/" -o 1435648 X:146-2017.E01 > bodyfile.txt
The output for the preceding command is as follows:

As you can see, we added two switches to the command: -r and -m. The first one tells fls to recurse into the directory entries. The second tells it to use the mactime (body file) input format, with / as the mount point.
- We now have the body file, so we are ready to run mactime and create a timeline of file activity. Such timelines are very useful in Windows forensic examinations, especially in cases involving malware incidents. Here is how to create it:
mactime.pl -b bodyfile.txt -d > timeline.csv

Again, the last command has two switches that need explaining. The first one, -b, points mactime to the bodyfile to use. The second, -d, stands for delimited output and means we can save the result as a CSV file and work with it later in Microsoft Excel or OpenOffice Spreadsheets (see the figure above). Also, if you want to specify the time zone, you can use the -z switch.
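To make clear what mactime actually does with the bodyfile produced above, here is an added example (not part of the original recipe or of The Sleuth Kit) that parses the TSK bodyfile format, collapses each entry's four timestamps into MACB rows and renders the same delimited layout as mactime -d. The bodyfile content is constructed sample data, and the example assumes the TSK 3.x field order MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.

```python
# Minimal mactime-style timeline builder for a TSK bodyfile (added example).
# Assumes the TSK 3.x layout: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
import csv
import io
from datetime import datetime, timezone

# Constructed sample bodyfile, shaped like the output of: fls -r -m "/" -o <offset> <image>
SAMPLE_BODYFILE = """\
0|/$MFT|0-128-1|r/rrwxrwxrwx|0|0|262144|1483228800|1483228800|1483228800|1483228800
0|/Users/alice/Documents/report.docx|4512-128-3|r/rrwxrwxrwx|0|0|18324|1490004000|1489990000|1489990000|1489900000
0|/Windows/Temp/x.tmp (deleted)|8813-128-1|-/rrwxrwxrwx|0|0|512|1490005000|1490005000|1490005000|1490005000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")

def parse_bodyfile(text):
    """Yield one dict per bodyfile line; lines with the wrong field count are skipped."""
    for raw in text.splitlines():
        parts = raw.split("|")
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def build_timeline(text, tz=timezone.utc):
    """Turn each entry's timestamps into sorted rows with a MACB flag string
    (m=modified, a=accessed, c=metadata changed, b=born); timestamps that
    coincide for one file are merged into a single row, as mactime does."""
    rows = []
    for e in parse_bodyfile(text):
        by_ts = {}
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            ts = int(e[key])
            if ts > 0:                      # 0 means "no timestamp" in a bodyfile
                by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            when = datetime.fromtimestamp(ts, tz).strftime("%a %b %d %Y %H:%M:%S")
            rows.append((ts, when, e["size"], macb, e["mode"], e["uid"], e["gid"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[8]))   # chronological, then by file name
    return [r[1:] for r in rows]

def timeline_csv(text):
    """Render the timeline as delimited output with the same columns as mactime -d."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    w.writerows(build_timeline(text))
    return buf.getvalue()
```

Running timeline_csv on a real bodyfile.txt from the fls step gives a CSV you can open in a spreadsheet; the Type column shows which of the four NTFS timestamps each row represents.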