The Sleuth Kit

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems. It forms the foundation for Autopsy, a better known tool that is essentially a graphical user interface to the command line utilities bundled with The Sleuth Kit.

The Sleuth Kit
Original author(s)Brian Carrier
Stable release
4.9.0 / May 1, 2020 (2020-05-01)[1]
Repository
Written inC, Perl
Operating systemUnix-like, Windows
TypeComputer forensics
LicenseIPL, CPL, GPL

The collection is open source and protected by the GPL, the CPL and the IPL. The software is under active development and it is supported by a team of developers. The initial development was done by Brian Carrier[2] who based it on The Coroner's Toolkit. It is the official successor platform.[3]

The Sleuth Kit is capable of parsing NTFS, FAT/ExFAT, UFS 1/2, Ext2, Ext3, Ext4, HFS, ISO 9660 and YAFFS2 file systems either separately or within disk images stored in raw (dd), Expert Witness or AFF formats.[4] The Sleuth Kit can be used to examine most Microsoft Windows, most Apple Macintosh OSX, many Linux and some other UNIX computers.

The Sleuth Kit can be used:

  • Via the included command line tools; or
  • As a library embedded within a separate digital forensic tool such as Autopsy or log2timeline/plaso.



Tools

Some of the tools included in The Sleuth Kit include:

  • ils lists all metadata entries, such as an Inode.
  • blkls displays data blocks within a file system (formerly called dls).
  • fls lists allocated and unallocated file names within a file system.
  • fsstat displays file system statistical information about an image or storage medium.
  • ffind searches for file names that point to a specified metadata entry.
  • mactime creates a timeline of all files based upon their MAC times.
  • disk_stat (currently Linux-only) discovers the existence of a Host Protected Area.

Applications

The Sleuth Kit can be used

  • for understanding what data is stored on a disk drive, even if the operating system has removed all meta data.
  • for recovering deleted image files [5]
  • summarizing all deleted files[6]
  • search for files by name or included keyword [7]
gollark: Idea: a trolley is going on a track toward Macron. You can divert it to go onto a track with Internet Explorer and also 2618 innocent people. What do?
gollark: What if you have a runaway trolley which is heading toward a track with a number of people equal in size to the set of the real numbers, but which can be diverted to a track with aleph_1 people on it instead?
gollark: Good idea.
gollark: I see.
gollark: I don't believe in objective morality, since 1993.

See also

References
  1. "Releases - sleuthkit/sleuthkit". Retrieved 1 May 2020 via GitHub.
  2. "About". www.sleuthkit.org. Brian Carrier. Retrieved 2016-08-30.
  3. http://www.porcupine.org/forensics/tct.html
  4. "File and Volume System Analysis". www.sleuthkit.org. Brian Carrier. Retrieved 2016-08-30.
  5. "Autopsy: Lesson 1: Analyzing Deleted JPEGs". www.computersecuritystudent.com. Retrieved 2020-06-20.
  6. "FS Analysis - SleuthKitWiki". wiki.sleuthkit.org. Retrieved 2020-06-20.
  7. "The Sleuth Kit - analyze disk images and recover files". LinuxLinks. Retrieved 2020-06-20.


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.