Forensicswiki.org has moved to this site, forensicswiki.xyz. For information, please join the Google Group forensicswiki-reborn
The Sleuth Kit
|The Sleuth Kit|
|OS:||Linux,FreeBSD,OpenBSD,Mac OS X,SunOS|
|License:||IBM Open Source License,Common Public License,GPL|
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports multiple file systems (see below).
Autopsy is a front-end for TSK which allows browser-based access to the TSK tools.
The Sleuth Kit is arranged in layers. There is a data layer which is concerned with how information is stored on a disk and a metadata layer which is considered with information such as inodes and directories. The commands that deal with the data layer are prefixed with the letter d, which the commands that deal with the metadata layer are prefixed with the letter i.
Some of the commands in Sleuth Kit are:
- Views the contents of a block.
- Lists unallocated blocks. Makes keyword searches more efficient. Gets a list of unallocated blocks.
- Tells you where an unallocated blocks are.
- Details about a given block.
- View contents of a file given its inode value or cluster number. Doesn't list directories, lists the contents.
- Lists the files extents on a disk.
- Information about an inode number.
Supported File Systems
Note that several several of the file systems supported have known shortcomings. Check issue tracker for details.
File Search Facilities
- Lists allocated and unallocated files.
- Lists and sorts by file type.
- Shows a time of creation and change.
fls and ils can be used to create a full listing of file system timestamps. The output of these commands can be inputted into mactimes which will generate a timeline of the file system timestamps.
Note that there are numerous known issues with the Bodyfile format used by fls and ils.
- Searches for keywords.
- Builds an index.
Evidence Collection Features
- Tracks forensic activity.
The SleuthKit uses a mix of various licenses. Its core library, libtsk, is predominantly licensed under IBM Public License version 1.0 and Common Public License version 1.0. For more information see: https://github.com/sleuthkit/sleuthkit/blob/develop/licenses/README.md
In 2011 Willi Ballenthin provided patches for the SleutKit to add ext4 support. These patches were integrated by Kevin Fairbanks into a separate fork of the SleuthKit. This fork was integrated in the 4.1.0 version.
Note that ext4 format features introduced after SleutKit 4.1.0 might not be supported and SleutKit tools might incorrectly represent these .