The Sleuth Kit
The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based tools and utilities that allow for the forensic analysis of computer systems. It was written and is maintained by digital investigator Brian Carrier. TSK can be used to perform investigations and data extraction from images of Windows, Linux and Unix computers. The Sleuth Kit is normally used in conjunction with its custom front-end application, Autopsy, to provide a user-friendly interface. An alternative, newer interface is PTK Forensics. Several other tools also use TSK for file extraction.

The Sleuth Kit is a free, open-source suite that provides a large number of specialized command-line utilities.

It is based on The Coroner's Toolkit.

Tools

Some of the tools included in The Sleuth Kit are:
  • ils lists all metadata entries, such as inodes.
  • blkls displays data blocks within a file system (formerly called dls).
  • fls lists allocated and unallocated file names within a file system.
  • fsstat displays file system statistical information about an image or storage medium.
  • ffind searches for file names that point to a specified metadata entry.
  • mactime creates a timeline of all files based upon their MAC times (modification, access and metadata-change times).
  • disk_stat (currently Linux-only) discovers the existence of a Host Protected Area.
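As an added example, not part of the original article or of TSK itself, the script below re-implements the core of what mactime does: it reads lines in the "body" format that `fls -m` writes (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, the TSK 3.x layout) from a constructed sample and emits a time-ordered timeline with mactime's `macb` activity flags. The function names `parse_body` and `build_timeline` and the sample rows are this example's own.

```python
import datetime
from collections import defaultdict

# Constructed sample in the TSK 3.x "body" format that `fls -m` writes and
# mactime reads (one file per line):
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# fls marks an unallocated entry by appending " (deleted)" to its name.
SAMPLE_BODY = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|1024|1700000100|1700000000|1700000000|1700000000
0|/tmp/dropper.sh (deleted)|9876|r/rrwxr-xr-x|1000|1000|512|1700000200|1700000200|1700000200|1700000200
0|/home/user|200|d/drwxr-xr-x|1000|1000|4096|1700000300|1700000050|1700000050|1700000050
"""
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid",
          "size", "atime", "mtime", "ctime", "crtime")
TIMES = ("mtime", "atime", "ctime", "crtime")   # order of mactime's "macb" flags

def parse_body(text):
    """Parse body-format lines into dicts; skip blank or malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        for key in ("size",) + TIMES:
            row[key] = int(row[key])
        row["deleted"] = row["name"].endswith("(deleted)")
        rows.append(row)
    return rows

def build_timeline(rows):
    """Merge every timestamp of every file into one time-ordered list of
    (UTC time, flags, name); flags is mactime's "macb" string (m=modified,
    a=accessed, c=metadata changed, b=born), "." where a time did not fire."""
    events = defaultdict(lambda: ["."] * len(TIMES))
    for row in rows:
        for idx, key in enumerate(TIMES):
            events[(row[key], row["name"])][idx] = "macb"[idx]
    timeline = []
    for (ts, name), flags in sorted(events.items()):
        when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
        timeline.append((when.strftime("%Y-%m-%d %H:%M:%S"), "".join(flags), name))
    return timeline

if __name__ == "__main__":
    for when, flags, name in build_timeline(parse_body(SAMPLE_BODY)):
        print(when, flags, name)
```

Running it prints five events; the deleted script shows up as a single `macb` entry because all four of its timestamps fall in the same second, which is the kind of clustering an investigator looks for in a mactime timeline.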

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.