Windows Forensics stat command Lab

In this lab we introduce you to the stat command, a command line utility that displays status information about files and file systems.  We discuss stat command basics and how to master this utility for analysis. You’ll learn how to launch stat, which stat command line switches provide what information, what functions and variable are available for analyzing a file vs. a file system, and why you would need to conduct analysis using the stat command tool. [toggle_content title="Transcript"] Hello, Leo Dregier here. I want to talk to you about the stat command. So let's just do a little overview of it. Um, a lot of people were rusty on their Linux skills, so what I want to do is come just cover the basics of kind of how do you learn, how do you refresh, how do you keep up to speed with certain, you know, Unix or Linux skills? So um, you could first do – just type the command, okay? And typically if you type the command, you're going to get, you know, the help or how to find more information about that file. So you could always do a stat, dash, dash, help, and just you know, take the instructions that the operating system is giving you, okay? And then therefore, we basically get a high level overview, so we get stat, option, and then the file or directory that we're interested in. So you could do L for differences. You could do F for file system. This specifically displays file system statuses instead of file sat – status. You've got print, um, very much just like the format command, which I'll show you here in a second. You've got, uh, terse. This prints information in terse forms. It's just in a different format. You may or may not like this or use this quite often. Uh, and then of course, the generic stuff; you know, help and then, you know, print the version of the program being run. Also valid format sequences for files without the final system – now that would be directly if you're doing, you know, format versus file systems from C or F here. Um, and then you know, A, B, C, D, E, F, G. So whenever you see something like this, the way to learn this is realistically, kind of keep this at hand here. Um, and so what I'll do is I'll just kind of bring this up in another window. So let's do a man, uh, or let's do stat, dash, dash, help over here. Spell it correctly. Keep that over here in this window. We'll kind of scoot that off to the side. And then clear the screen and here, I have a preloaded command here, stat, dash, dash, format, um, quote, um, percent, d, quote, and then for our specific directory. Now this is realistically what I'm going to tie to this window over here. If you want to find out what these things do, you basically just kind of stagger your windows, kind of like so. So let's get them staggered, okay? And just go through the alphabet, okay? So if you want to see what it looks like in dash-a – actually, we're up here. Uh, access right in octal, okay? So we just put an a in here. There you go, 640. Change that again, see what it looks like in a capital A, alright? So octal format is the, the conversion of the read, write, and execute in the, in the numeric value conversion of them. So it's, you know, read, write, and execute, and then read, write, and execute again. So 6 is read plus write. Read is, uh, just 4, and nothing would be 0, okay? So it's translating this information right here. And then basically, walk yourself through the alphabet and check these out. Here's 48. This is the number of blocks that are allocated, or you could, in a sense, go directly to a capital B, okay? So what, what you're learning here is kind of how these tools work, what the correct syntaxes are, and it gives you a lot to go ahead and practice with. So while I'm only going to show you, you know, a couple here, I want you to kind of go through and then just go through the rest of these. You know, I did the, you know, A, B, C, D, um, and then you take them all the way through. Get all the way to, you know, G, and see what G looks like. You want to see what that is? It says 4. Capital G, okay? G is the group ID of the owner or the group name of the owner. Group ID, group name, okay? But forensically, tie – to tie this directly into forensicsly – forensics, we're interested in all sorts of stuff in here. Um, device number and decimal or in hex, okay? So we can just do the Ds real quick. That would be your hex. D for decimal, 18, okay? Um, the raw mode, group IDs, group names, the inode numbers, different mount points, different file names. You probably won't be impressed with the, uh, name, especially in a command like this that you're using because if you notice the output, it just displays what you already told it. So uh, the user ID or the owner, the username of the owner for tracking down, you know, who's the set owner. Um, the file birth, the file access, the file modifications, the last change times if you want to look at the integrity components, okay? Um, and, and if you want to switch over to the file system command, there's a whole bunch of separate variables here. Realistically, you just change this from formats to file system, okay? And you'll get a whole 'nother set of information. It just happened that I used N here, and it says it cannot read N, but that's okay. It gives me enough information here. It still pulls the block ID, uh, the total block size, the amount free, the inodes, the available information, and etcetera, etcetera, okay? So now that you can practice this, you can apply it, and you can use this, and keep this in your repertoire Btu let's back up yet. We're not done just yet. So what we did specifically is we did the stet help. There's also the man page, as well. So if you do a man page for stet, I want to point something out here. Uh, displaying the file or system status, it shows us the convention, which we just used; stet option; and then of course, the file name. Here's your file system versus the format, which we were using. And then you have some print information. You have all of this, which was available in the help; no fun there. Btu specifically, if you look right up – uh, let's see. It should say it in here. Uh, let's do a man F4 stat. Now I had to kind of pop over to the other cousins of this because this tells you F-stat and L-stat, which are other conventions that we use in Unix, um, that's closely related to the, the stat command, okay? Um, and so there – some systems will support F-stat. Some will support L-stat. Most should support stat in itself, but you'll notice if I'm just here to count Kali command line. Then if I do an S-stat, okay, command not found. If I do an L-stat, command not found. Btu if I do a stat, boom, there you go. I get at least something back of it. And then I can – interestingly enough, it has the help files for it, but it doesn't have the actual command. And you have to go get it and install if it you actually want to use it. For most 50,000 foot view forensics, uh, point of view purposes, that command will do just fine, okay? If you just grab something like, uh, Leo. I have a file. If I do an LS, dash, LF here, you can see that I have Leo written right here. And you're just doing something to a, a file or a directory, you can get basic information to, um – oops, wrong command. Leo2, there you go. So I did it once to a file and then once to a directory. You can see the basic date when the file was created, the access, the modify, the change, the different group IDs, the block information. These are ultimately the things that you are querying inside of the stat command. Um, so there's your 50,000 foot overview. My name's Leo Dregier. Be sure to communicate in the chat dialog box. Look forward to your feedback, and I'll see you in the next video. [/toggle_content]
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?