The Sleuth Kit
   HOME

TheInfoList



Click Here for Items Related To - The Sleuth Kit
OR:
The Sleuth Kit on:   [Wikipedia]   [Google]   [Amazon]

The Sleuth Kit (TSK) is a library and collection of
Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, an ...
- and
Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for ser ...
-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems. It forms the foundation for Autopsy, a better known tool that is essentially a graphical user interface to the command line utilities bundled with The Sleuth Kit. The collection is open source and protected by the GPL, the CPL and the IPL. The software is under active development and it is supported by a team of developers. The initial development was done by Brian Carrier who based it on
The Coroner's Toolkit The Coroner's Toolkit (or TCT) is a suite of free computer security programs by Dan Farmer and Wietse Venema for digital forensic analysis. The suite runs under several Unix-related operating systems: FreeBSD, OpenBSD, BSD/OS, SunOS/ Solaris, ...
. It is the official successor platform. The Sleuth Kit is capable of parsing
NTFS New Technology File System (NTFS) is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family. It superseded File Allocation Table (FAT) as the preferred fil ...
, FAT/ExFAT, UFS 1/2,
Ext2 The ext2 or second extended file system is a file system for the Linux kernel. It was initially designed by French software developer Rémy Card as a replacement for the extended file system (ext). Having been designed according to the same ...
,
Ext3 ext3, or third extended filesystem, is a journaled file system that is commonly used by the Linux kernel. It used to be the default file system for many popular Linux distributions. Stephen Tweedie first revealed that he was working on ext ...
,
Ext4 ext4 (fourth extended filesystem) is a journaling file system for Linux, developed as the successor to ext3. ext4 was initially a series of backward-compatible extensions to ext3, many of them originally developed by Cluster File Systems for ...
, HFS,
ISO 9660 ISO 9660 (also known as ECMA-119) is a file system for optical disc media. Being sold by the International Organization for Standardization (ISO) the file system is considered an international technical standard. Since the specification is ...
and YAFFS2 file systems either separately or within disk images stored in raw ( dd), Expert Witness or AFF formats. The Sleuth Kit can be used to examine most Microsoft Windows, most Apple Macintosh OSX, many
Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, w ...
and some other
UNIX Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, an ...
computers. The Sleuth Kit can be used via the included command line tools, or as a library embedded within a separate digital forensic tool such as Autopsy or log2timeline/plaso.


Tools

Some of the tools included in The Sleuth Kit include: * ils lists all metadata entries, such as an Inode. * blkls displays data blocks within a file system (formerly called dls). * fls lists allocated and unallocated file names within a file system. * fsstat displays file system statistical information about an image or storage medium. * ffind searches for file names that point to a specified metadata entry. * mactime creates a timeline of all files based upon their
MAC times MAC times are pieces of file system metadata which record when certain events pertaining to a computer file occurred most recently. The events are usually described as "modification" (the data in the file was modified), "access" (some part of the f ...
. * disk_stat (currently Linux-only) discovers the existence of a
Host Protected Area The host protected area (HPA) is an area of a hard drive or solid-state drive that is not normally visible to an operating system. It was first introduced in the ATA-4 standard CXV (T13) in 2001. How it works The IDE controller has registers ...
.


Applications

The Sleuth Kit can be used * for use in forensics, its main purpose * for understanding what data is stored on a disk drive, even if the operating system has removed all meta data. * for recovering deleted image files * summarizing all deleted files * search for files by name or included keyword * for use by future historians dealing with computer storage devices


See also

*
Autopsy (software) Autopsy is computer software that makes it simpler to deploy many of the open source programs and plugins used in The Sleuth Kit. The graphical user interface displays the results from the forensic search of the underlying volume making it easier fo ...
— A graphical user interface to The Sleuth Kit. *
CAINE Linux CAINE Linux (''Computer Aided INvestigative Environment'') is an Italian Linux live distribution managed by Giovanni "Nanni" Bassetti. The project began in 2008 as an environment to foster digital forensics and incidence response (DFIR), with sev ...
− Includes The Sleuth Kit


References


External links

* Computer forensics Free security software Unix security-related software Hard disk software Digital forensics software {{free-software-stub