EC2 DFIR Workshop
Lab 7: Using ‘sorter’
GOAL:
Use the sorter command to characterize the files from both allocated and unallocated space on the EVIDENCE volume
SUMMARY OF STEPS:
- Run the sorter command
- Explore the results
Step 1 – Run the sorter command
Run the sorter command in the background:
nohup sorter -s -f ext4 -d /mnt/data -x \
/cases/changed/known_files.md5 /dev/xvdf1 &
Switches:
-s  Save the actual file content to sub-directories in the directory specified by '-d'. For example, all JPG and GIF files would actually be saved in the 'images' directory.
-d  Specify the location where all files should be written. This includes the index files and the subdirectories if the '-s' flag is given.
-f  Specify the file system type of the image(s).
-x  Specify the location of a hash database with entries of known 'good' files. If any file is found with an MD5 hash value in this database, it will be ignored and not processed.
VIDEO: Lab 8 Step 1 - Run the sorter command
Step 2 - Explore the results
This command uses the known_files hash list that was indexed previously and writes its output to a new data volume (mounted at /mnt/data) that is at least the size of the EVIDENCE volume.
Browse the /mnt/data/ folder and look for anything interesting:
- The executable files that are new or modified relative to the AMI are in the /mnt/data/exec folder and are listed in /mnt/data/exec.txt
- Check out mismatch.txt
- Check out text.txt
- Check out unknown.txt
TIP: To examine exec.txt, try:
grep "^\S*$" /mnt/data/exec.txt | less
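The grep above only lists the path lines; the following helper functions go one step further and pair each path with the file type that sorter recorded for it. This is an added example for the lab, not part of sorter itself. It assumes the index layout sorter uses for files such as exec.txt (an unindented path line followed by indented detail lines, one of them "File Type:"), and it builds a small constructed index so it can be run without the EVIDENCE volume.

```shell
#!/bin/sh
# Added example (not part of the lab or of The Sleuth Kit): summarize a sorter
# category index such as /mnt/data/exec.txt.
# Assumed layout of a sorter index: each entry starts with an unindented path
# line, followed by indented detail lines (Image/Inode, File Type), then a blank line.

# Write a constructed sample index in that layout to the file named in $1.
# Real sorter output indents with tabs; the parsers below accept tabs or spaces.
make_sample_index() {
cat > "$1" <<'EOF'
/usr/bin/ncat
  Image: /dev/xvdf1  Inode: 131078
  File Type: ELF 64-bit LSB shared object, x86-64

/var/tmp/.cache/svc
  Image: /dev/xvdf1  Inode: 262145
  File Type: ELF 64-bit LSB executable, x86-64, statically linked
EOF
}

# Print only the entry path lines (the lab's grep "^\S*$" minus the blank lines).
sorter_index_paths() {
    grep -v '^[[:space:]]' "$1" | grep -v '^$'
}

# Number of entries in an index file.
sorter_index_count() {
    sorter_index_paths "$1" | wc -l | tr -d ' '
}

# Print "<path><TAB><File Type>" per entry, so unusual binaries (for example
# statically linked ones in temp directories) stand out at a glance.
sorter_index_types() {
    awk '
        /^[^[:space:]]/ { path = $0; next }
        /^[[:space:]]*File Type:/ {
            sub(/^[[:space:]]*File Type:[[:space:]]*/, "")
            printf "%s\t%s\n", path, $0
        }
    ' "$1"
}

# Stand-alone demo: point the functions at /mnt/data/exec.txt on the lab host.
demo_index=$(mktemp)
make_sample_index "$demo_index"
sorter_index_types "$demo_index"
```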
VIDEO: Lab 8 Step 2 - Explore the results