Sleuthkit

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems. It forms the foundation for Autopsy, a better-known tool that is essentially a graphical user interface to the command-line utilities bundled with The Sleuth Kit. The collection is open source and protected by the GPL, the CPL and the IPL. The software is under active development and is supported by a team of developers. The initial development was done by Brian Carrier, who based it on The Coroner's Toolkit; it is the official successor platform. The Sleuth Kit is capable of parsing NTFS, FAT/ExFAT, UFS 1/2, Ext2, Ext3, Ext4, HFS, ISO 9660 and YAFFS2 file systems, either separately or within disk images stored in raw (dd), Expert Witness or AFF formats. The Sleuth Kit can be used to examine most Microsoft Windows, most Apple Macintosh OS X, many Linux and some other UNIX computers. It can be used via the included command-line tools, or as a library embedded within a separate digital forensic tool such as Autopsy or log2timeline/plaso.


Tools

Some of the tools included in The Sleuth Kit are:
* ils lists all metadata entries, such as an inode.
* blkls displays data blocks within a file system (formerly called dls).
* fls lists allocated and unallocated file names within a file system.
* fsstat displays file system statistical information about an image or storage medium.
* ffind searches for file names that point to a specified metadata entry.
* mactime creates a timeline of all files based upon their MAC times.
* disk_stat (currently Linux-only) discovers the existence of a Host Protected Area.
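As an added illustration (not part of the original article or of The Sleuth Kit itself), the following Python rebuilds a mactime-style MACB timeline from body-file lines of the kind fls -m and ils -m emit, showing how mactime collapses coinciding M/A/C/B stamps of one file into a single flagged row. The TSK 3.x body layout is real; the sample body lines and the function names are constructed for this example.

```python
from datetime import datetime, timezone

# TSK 3.x body format (what `fls -m` / `ils -m` emit and mactime consumes):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY_FIELDS = 11
# (record key, body column, mactime flag): m=modified a=accessed c=changed b=born
TIME_FLAGS = (("mtime", 8, "m"), ("atime", 7, "a"), ("ctime", 9, "c"), ("crtime", 10, "b"))

# Constructed sample body lines (hypothetical image; not real case data).
SAMPLE_BODY = """\
0|/Documents/report.docx|1234-128-1|r/rrwxrwxrwx|0|0|20480|1700000400|1700000000|1700000000|1699990000
0|/Users/alice/Downloads/setup.exe (deleted)|5678-128-1|r/rrwxrwxrwx|0|0|8192|1700003600|1700003600|1700003600|1700003600
0|/Documents|1233-144-1|d/drwxrwxrwx|0|0|56|1700000400|1700000000|1700000000|1699990000
"""


def parse_body_line(line):
    """Split one body line into a record; return None for malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != BODY_FIELDS:
        return None
    return {"name": parts[1], "inode": parts[2], "mode": parts[3],
            "size": int(parts[6]),
            "times": {key: int(parts[col]) for key, col, _ in TIME_FLAGS}}


def build_timeline(body_text):
    """Return rows (utc_time, macb, size, mode, inode, name) sorted by time.

    As mactime does, timestamps of one file that coincide collapse into a
    single row whose flag string shows which of M/A/C/B fired; a zero
    timestamp (e.g. no crtime on the file system) is skipped.
    """
    merged = {}  # (ts, inode, name) -> (set of flags, record)
    for line in body_text.splitlines():
        rec = parse_body_line(line)
        if rec is None or not rec["name"]:
            continue
        for key, _, flag in TIME_FLAGS:
            ts = rec["times"][key]
            if ts == 0:
                continue
            merged.setdefault((ts, rec["inode"], rec["name"]), (set(), rec))[0].add(flag)
    rows = []
    for (ts, inode, name), (flags, rec) in sorted(merged.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, macb, rec["size"], rec["mode"], inode, name))
    return rows
```

Running build_timeline over the output of fls -m on a real image gives the same ordering mactime prints, which is what makes a deleted file whose four stamps all coincide stand out as a single "macb" row.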


Applications

The Sleuth Kit can be used:
* for forensics, its main purpose
* for understanding what data is stored on a disk drive, even if the operating system has removed all metadata
* for recovering deleted image files
* for summarizing all deleted files
* for searching for files by name or included keyword
* by future historians dealing with computer storage devices


See also

* Autopsy (software), a graphical user interface to The Sleuth Kit
* CAINE Linux, which includes The Sleuth Kit

