has moved to this site, For information, please join the Google Group forensicswiki-reborn

The Sleuth Kit

From Forensics Wiki
Jump to navigation Jump to search
The Sleuth Kit
Maintainer: Brian Carrier
OS: Linux,FreeBSD,OpenBSD,Mac OS X,SunOS
Genre: Analysis
License: IBM Open Source License,Common Public License,GPL

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports multiple file systems (see below).

Autopsy is a front-end for TSK which allows browser-based access to the TSK tools.


The Sleuth Kit is arranged in layers. There is a data layer which is concerned with how information is stored on a disk and a metadata layer which is considered with information such as inodes and directories. The commands that deal with the data layer are prefixed with the letter d, which the commands that deal with the metadata layer are prefixed with the letter i.

Some of the commands in Sleuth Kit are:

Views the contents of a block.
Lists unallocated blocks. Makes keyword searches more efficient. Gets a list of unallocated blocks.
Tells you where an unallocated blocks are.
Details about a given block.
View contents of a file given its inode value or cluster number. Doesn't list directories, lists the contents.
Lists the files extents on a disk.
Information about an inode number.

Supported File Systems

Note that several several of the file systems supported have known shortcomings. Check issue tracker for details.

File Search Facilities

  • Lists allocated and unallocated files.
  • Lists and sorts by file type.
  • Shows a time of creation and change.

Historical Reconstruction

fls and ils can be used to create a full listing of file system timestamps. The output of these commands can be inputted into mactimes which will generate a timeline of the file system timestamps.

Note that there are numerous known issues with the Bodyfile format used by fls and ils.

Searching Abilities

  • Searches for keywords.
  • Builds an index.

Hash Databases

Evidence Collection Features

  • Tracks forensic activity.


License Notes

The SleuthKit uses a mix of various licenses. Its core library, libtsk, is predominantly licensed under IBM Public License version 1.0 and Common Public License version 1.0. For more information see:

Ext4 support

In 2011 Willi Ballenthin provided patches for the SleutKit to add ext4 support. These patches were integrated by Kevin Fairbanks into a separate fork of the SleuthKit. This fork was integrated in the 4.1.0 version.

Note that ext4 format features introduced after SleutKit 4.1.0 might not be supported and SleutKit tools might incorrectly represent these [1].

See Also

External Links

External Reviews