[sleuthkit-developers] Sleuthkit -> database patch
From: Dave <jg...@da...> - 2004-02-04 11:02:38
Hi all,

Attached is a patch to sleuthkit to output sleuthkit filesystem data as SQL statements for entry into a database.

Background:

Sleuthkit fstools output is not easily machine-readable, and as such not well suited for use by front-end gui applications. A better approach is to analyse the filesystem in one pass and store all the filesystem data (about files, inodes, blocks etc.) in a database system for the gui analysis program to query at will.

Solution:

The attached patch creates a new executable (dbtool) which basically performs the same tasks as fsstat, fls (with -r) and istat (for each inode). For those familiar with the code, it loads an image, prints the data found in FS_INFO, performs a "dent_walk", then performs an "inode_walk" and for each inode performs a "file_walk". At each stage the callback prints SQL statements which populate a database. Once the program is run, the database contains all the data about the filesystem and SQL queries can then be constructed by the frontend program to perform tasks such as timelining etc.

The patch consists of two new files, dbtool.c and Makefile.dbtool, and a very small patch to fatfs_dent.c to make it print long directory names rather than short ones.

dbtool can be compiled as follows:

    cd sleuthkit-1.67
    patch -p1 < ../sleuthkit-dbtool
    make
    cd src/fstools
    make -f Makefile.dbtool

An example of dbtool usage and output is also attached.

I have also created a python module for accessing the data stored in the database which provides a "file-like" interface to perform 'open', 'read' and 'seek' operations on files within the dd image. This is how our forensics application (flag) accesses the data in the database. I can post this if anyone is interested. There will be a new release of "flag" in the very near future which incorporates this work.

I welcome your comments and suggestions,

Thanks,
David Collett
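As an added illustration of the design described above (not part of the original post, nor of dbtool or flag), the Python below turns constructed records, standing in for what the dent_walk/inode_walk/file_walk callbacks report, into SQL statements, loads them once, and then answers a timeline query from the database rather than from the image. The table layout, column names and the sqlite backend are assumptions; file names read from an image are untrusted input, so the emitter quotes them before they are embedded in SQL text.

```python
import sqlite3
# Constructed sample records standing in for what the fstools callbacks
# (dent_walk, inode_walk, file_walk) would hand a dbtool-style pass.
SAMPLE_FS = ("fat32", 512, 2048)  # ftype, block size, block count
SAMPLE_INODES = [  # inum, mode, size, mtime, atime, ctime, blocks in file order
    (5, "r/rrwxrwxrwx", 1024, 1075800000, 1075800100, 1075800000, [100, 101]),
    (6, "r/rrwxrwxrwx", 300, 1075700000, 1075900000, 1075700000, [102]),
]
SAMPLE_DENTS = [  # inum, path as dent_walk reports it, allocated flag
    (5, "Documents/report's draft.doc", 1),
    (6, "Documents/deleted.txt", 0),
]

def sql_quote(value):
    """Quote a literal; names from the image are untrusted, so double any quote."""
    return "'" + str(value).replace("'", "''") + "'"

def emit_sql(fs, inodes, dents):
    """Statements one walk would print: FS_INFO, each inode, its blocks, each dent."""
    ftype, bsize, bcount = fs
    out = [
        "CREATE TABLE fs (ftype TEXT, block_size INT, block_count INT);",
        "CREATE TABLE inode (inum INT, mode TEXT, size INT, mtime INT, atime INT, ctime INT);",
        "CREATE TABLE block (inum INT, addr INT, seq INT);",
        "CREATE TABLE file (inum INT, path TEXT, alloc INT);",
        f"INSERT INTO fs VALUES ({sql_quote(ftype)}, {bsize}, {bcount});",
    ]
    for inum, mode, size, mt, at, ct, blocks in inodes:  # inode_walk
        out.append(f"INSERT INTO inode VALUES ({inum}, {sql_quote(mode)}, {size}, {mt}, {at}, {ct});")
        for seq, addr in enumerate(blocks):  # file_walk: block addresses in file order
            out.append(f"INSERT INTO block VALUES ({inum}, {addr}, {seq});")
    for inum, path, alloc in dents:  # dent_walk: names resolved to inodes
        out.append(f"INSERT INTO file VALUES ({inum}, {sql_quote(path)}, {alloc});")
    return out

def load(statements):
    """Populate an in-memory database from the emitted statements."""
    db = sqlite3.connect(":memory:")
    db.executescript("\n".join(statements))
    return db

def timeline(db):
    """Frontend query: a mactime-style timeline from stored times, no re-walk of the image."""
    return db.execute("""
        SELECT t.ts, f.path, t.kind, f.alloc FROM file f JOIN (
            SELECT inum, mtime AS ts, 'm' AS kind FROM inode UNION ALL
            SELECT inum, atime, 'a' FROM inode UNION ALL
            SELECT inum, ctime, 'c' FROM inode) t ON t.inum = f.inum
        ORDER BY t.ts, f.path, t.kind""").fetchall()
```

Each row of the timeline carries the allocation flag from the directory entry, so deleted names show up alongside live ones without a second pass over the image.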