matthias-deu/ubift
The UBI Forensic Toolkit (UBIFT) is a Python command-line interface tool that aims to provide various functionalities to assist an IT-forensic evaluation of the UBIFS file system. It is based on the concepts of The Sleuth Kit by Brian Carrier. As such, UBIFT aims to fulfil the requirements for forensic tools set by Brian Carrier in his paper "Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers". Furthermore, UBIFT makes use of Carrier's idea of a layered approach for forensic tools, which is also described in that paper.
A notable feature of UBIFT is the ability to recover deleted data. Most commands can be used in conjunction with a `--deleted` parameter, causing UBIFT to look for deleted content. For instance, all deleted directory entries may be retrieved with the following command:
```
python ./ubift.py fls /path/to/your_flash_dump.bin -o 0 -n data --deleted
Type  Inode  Parent  Name
file  0      105     secret.txt
dir   0      104     secret_folder
file  0      107     secret_image1.jpg
file  0      107     secret_image4.jpg
```
In order to recover all files (including deleted files), use the following command:
```
python ./ubift.py ubift_recover /path/to/your_flash_dump.bin --output /path/to/output --deleted
```
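To illustrate what `--deleted` is looking for, here is an added example written for this page (not UBIFT's own code): in the UBIFS on-disk format an unlinked name is recorded as a directory-entry node whose inode number is 0, which is the 0 in the Inode column of the `fls` output above, while the parent inode survives in the node key. The parser below walks a constructed buffer of such nodes, validates their CRCs the way UBIFS computes them, and flags the deletion markers; the sample bytes, sequence numbers and inode numbers are synthetic.

```python
import struct
import zlib

UBIFS_NODE_MAGIC = 0x06101831
UBIFS_DENT_NODE = 2                            # node_type of a directory entry
CH_FMT = "<IIQIBBxx"                           # magic, crc, sqnum, len, node_type, group_type
CH_LEN = struct.calcsize(CH_FMT)               # 24-byte common header
DENT_FMT = "<16sQxBHI"                         # key, inum, pad, type, nlen, cookie
DENT_HDR = CH_LEN + struct.calcsize(DENT_FMT)  # 56 bytes precede the name
ITYPE = {0: "file", 1: "dir", 2: "lnk"}

def ubifs_crc(node):
    # UBIFS seeds crc32 with 0xFFFFFFFF over everything after the crc field and skips zlib's final inversion.
    return (~zlib.crc32(node[8:])) & 0xFFFFFFFF

def parse_dents(buf, check_crc=True):
    """Walk an 8-byte-aligned UBIFS buffer; return (type, inum, parent, name, deleted) per dent node."""
    out, off = [], 0
    while off + CH_LEN <= len(buf):
        magic, crc, _sq, length, ntype, _grp = struct.unpack_from(CH_FMT, buf, off)
        if magic != UBIFS_NODE_MAGIC or length < CH_LEN or off + length > len(buf):
            off += 8                               # erased (0xFF) or foreign bytes: step on
            continue
        node = buf[off:off + length]
        if ntype == UBIFS_DENT_NODE and (not check_crc or ubifs_crc(node) == crc):
            key, inum, dtype, nlen, _cookie = struct.unpack_from(DENT_FMT, node, CH_LEN)
            parent = struct.unpack_from("<I", key)[0]   # first key word = parent inode
            name = node[DENT_HDR:DENT_HDR + nlen].decode("utf-8", "replace")
            out.append((ITYPE.get(dtype, "?"), inum, parent, name, inum == 0))
        off += (length + 7) & ~7                   # next node starts 8-byte aligned
    return out

def make_dent(sqnum, parent, inum, dtype, name):
    # Constructed test node (not from a real dump). Simple key format is
    # [parent u32][(UBIFS_DENT_KEY=2) << 29 | name hash u32]; the hash value is arbitrary here.
    key = struct.pack("<II", parent, (2 << 29) | 0x1234).ljust(16, b"\0")
    body = struct.pack(DENT_FMT, key, inum, dtype, len(name), 0) + name + b"\0"
    length = CH_LEN + len(body)
    node = struct.pack(CH_FMT, UBIFS_NODE_MAGIC, 0, sqnum, length, UBIFS_DENT_NODE, 0) + body
    node = node[:4] + struct.pack("<I", ubifs_crc(node)) + node[8:]
    return node + b"\xff" * (-length % 8)          # pad to alignment with erased bytes

# Constructed sample: a live entry, the deletion marker later written for the same name, a deleted directory.
SAMPLE = (make_dent(10, 105, 131, 0, b"secret.txt")
          + make_dent(11, 105, 0, 0, b"secret.txt")      # inum 0 => name was unlinked
          + make_dent(12, 104, 0, 1, b"secret_folder"))
if __name__ == "__main__":
    for typ, inum, parent, name, deleted in parse_dents(SAMPLE):
        print(typ, inum, parent, name, "(deleted)" if deleted else "")
```

Entries whose CRC does not match are skipped by default; pass `check_crc=False` to also list partially overwritten nodes, which is where a forensic tool trades certainty for coverage.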
UBIFT uses a similar syntax to The Sleuth Kit. Every command has a prefix and a suffix. The prefix, such as `mtd`, refers to the layer it is operating on. The suffix, such as `ls`, denotes the operation to be performed.
UBIFT supports the following commands:
Command | Description |
---|---|
mtdls | Lists information about all available Partitions, including UBI instances. UBI instances have the description 'UBI'. |
mtdcat | Outputs the binary data of an MTD partition, given by its index. Use 'mtdls' to see all indices. |
pebcat | Outputs a specific physical erase block. |
ubils | Lists all instances of UBI and their volumes. |
ubicat | Outputs contents of a specific UBI volume to stdout. |
lebls | Lists all mapped LEBs of a specific UBI volume. |
lebcat | Outputs a specific mapped logical erase block of a specified UBI volume. |
fsstat | Outputs information regarding the UBIFS file-system within a specific UBI volume. |
fls | Outputs information regarding file names in a UBIFS instance within a specific UBI volume. |
istat | Displays information about a specific inode in a UBIFS instance. |
icat | Outputs the data of an inode. |
ils | Lists all inodes of a given UBIFS instance. |
ffind | Outputs directory entries associated with a given inode number. |
ubift_recover | Extracts all files found in UBIFS instances. Creates one directory for each UBI volume with UBIFS. |
ubift_info | Outputs information regarding recoverability of deleted inodes. This parameter takes priority over all other parameters. |
jls | Lists all nodes within the journal. |
For a detailed description of every command, refer to the `--help` output of the tool.
UBIFT can be integrated with Autopsy by using the Python ingest module found at `/ubift/autopsy/ubift_autopsy.py`.
A guide to installing Python ingest modules in Autopsy can be found here.
IMPORTANT: The module requires UBIFT to be available in the same directory as the Python ingest module. UBIFT therefore has to be packed with PyInstaller and placed in the same directory as the module.
Contains the original version described in the master's thesis. The original version differs in some respects from later versions. For instance, instead of specifying offsets and UBI volumes with named options, as follows:
```
python .\ubift.py fls 'D:\flash_dump.bin' -o 123 -n data
```
the parameters were positional arguments, resulting in a loss of flexibility:
```
python .\ubift.py fls 'D:\flash_dump.bin' 123 data
```
Python dependencies:
```
cstruct~=5.2
setuptools~=60.2.0
crcmod~=1.7
zstandard~=0.21.0
python-lzo>=1.11
pathvalidate
```
Matthias Deutschmann (matthias_de@gmx.net)