
The Sleuth Kit

Original author(s): Brian Carrier
Written in: C, Perl
Development status: Active
Operating system: Unix-like, Windows
Stable release: 4.3.0 / July 19, 2016

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based utilities to facilitate the forensic analysis of computer systems. It was written and is maintained primarily by digital investigator Brian Carrier.

The Sleuth Kit can parse NTFS, FAT/exFAT, UFS 1/2, Ext2, Ext3, Ext4, HFS, ISO 9660 and YAFFS2 file systems, either as stand-alone partition images or inside whole-disk images stored in raw (dd), Expert Witness (E01) or AFF formats. It can therefore be used to examine most Microsoft Windows, most Apple Mac OS X, many Linux and some other UNIX computers.

The Sleuth Kit can be used:

  • Via the included command line tools; or
  • As a library embedded within a separate digital forensic tool such as Autopsy or log2timeline/plaso.

The Sleuth Kit is a free, open source suite that provides a large number of specialized command-line utilities. It is based on The Coroner's Toolkit and is its official successor.

Tools

Some of the tools in The Sleuth Kit:

  • ils lists metadata entries (for example inodes), including unallocated ones.
  • blkls extracts data blocks from a file system; by default it outputs only the unallocated blocks (formerly called dls).
  • fls lists allocated and deleted (unallocated) file names within a file system.
  • fsstat displays details of a file system (type, layout, block size and similar) for an image or storage medium.
  • ffind finds the file name(s) that point to a specified metadata entry.
  • mactime creates a timeline of file activity from the body file produced by fls -m and ils -m, ordered by the files' MAC times (modified, accessed, changed, plus creation where the file system records it).
  • disk_stat (currently Linux-only) detects the presence of a Host Protected Area on a disk.
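The tools above are normally chained: mmls to find the partition offset, fls -m and ils -m to emit a body file, and mactime to turn that body file into a timeline. The following is an added example, not code from The Sleuth Kit project: tsk_body() wraps the real fls and ils invocations (it needs TSK on PATH, and the image path and sector offset are parameters you supply from mmls), while timeline() re-implements offline what mactime does with the body format, so it can run on the constructed SAMPLE_BODY lines below. The file names, inode numbers and timestamps in SAMPLE_BODY are invented for illustration.

```python
"""Build a mactime-style timeline from The Sleuth Kit's body file format.

Added example, not part of The Sleuth Kit. tsk_body() calls the real
TSK tools (requires TSK installed); timeline() re-implements mactime's
grouping so the example runs offline on constructed body lines.
"""
import subprocess
from collections import defaultdict
from datetime import datetime, timezone

# Body format written by `fls -m` / `ils -m` (TSK 3.x and later), one entry per line:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")


def tsk_body(image, sector_offset):
    """Produce body lines for one partition with the real TSK tools.

    sector_offset is the partition start as printed by `mmls image`.
    Requires fls/ils on PATH; not exercised by the offline test."""
    fls = subprocess.run(["fls", "-r", "-m", "/", "-o", str(sector_offset), image],
                         capture_output=True, text=True, check=True)
    ils = subprocess.run(["ils", "-m", "-o", str(sector_offset), image],
                         capture_output=True, text=True, check=True)
    return (fls.stdout + ils.stdout).splitlines()


def parse_body_line(line):
    """Split one body line into a dict; numeric fields become ints."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError(f"unexpected body line: {line!r}")
    entry = dict(zip(BODY_FIELDS, parts))
    for key in ("size", "atime", "mtime", "ctime", "crtime"):
        entry[key] = int(entry[key])
    return entry


def timeline(body_lines):
    """Collapse body entries into sorted (epoch, macb, size, mode, inode, name) rows.

    As mactime does, an entry yields one row per distinct timestamp; the
    four-character flag string marks which of modified/accessed/changed/born
    equal that timestamp ('.' where they do not)."""
    rows = []
    for line in body_lines:
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_body_line(line)
        by_time = defaultdict(lambda: ["."] * 4)
        for i, key in enumerate(("mtime", "atime", "ctime", "crtime")):
            t = e[key]
            if t > 0:  # 0 means the file system did not record this time
                by_time[t][i] = "macb"[i]
        for t, flags in by_time.items():
            rows.append((t, "".join(flags), e["size"], e["mode"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[5]))
    return rows


def render(rows):
    """Print rows in a mactime-like layout, timestamps in UTC."""
    for t, flags, size, mode, inode, name in rows:
        when = datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        print(f"{when} {size:>8} {flags} {mode} {inode:>6} {name}")


# Constructed sample body lines (invented data): one file whose m/a/c times
# coincide, one with mtime == ctime, and one deleted file as fls reports it.
SAMPLE_BODY = [
    "0|/etc/passwd|3001|r/rrw-r--r--|0|0|1852|1468929600|1468929600|1468929600|0",
    "0|/home/user/notes.txt|4102|r/rrw-r--r--|1000|1000|421|1468933200|1468930000|1468930000|0",
    "0|/tmp/dropper.sh (deleted)|5201|r/rrwxr-xr-x|1000|1000|2048|1468931000|1468930900|1468930950|0",
]

if __name__ == "__main__":
    render(timeline(SAMPLE_BODY))
```

On a real image the equivalent with the tools themselves is `mmls image.dd` to read the partition offset, `fls -r -m / -o OFFSET image.dd > body.txt`, `ils -m -o OFFSET image.dd >> body.txt`, then `mactime -b body.txt -d -z UTC` for CSV output; the rows produced by timeline() correspond to mactime's lines, with the same m/a/c/b flag convention.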
References

The Sleuth Kit, Wikipedia

