The Sleuth Kit

From ForensicsWiki
Revision as of 20:50, 17 July 2008 by Pmow (Talk | contribs) (genre changed to Analysis from Disk file systems)

The Sleuth Kit
Maintainer: Brian Carrier
OS: Linux,FreeBSD,OpenBSD,Mac OS X,SunOS
Genre: Analysis
License: IBM Open Source License,Common Public License,GPL

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is file and volume systems, and TSK supports the FAT, Ext2/3, NTFS, UFS1, and UFS2 file systems.

Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.


The Sleuth Kit is arranged in layers. There is a data layer, which is concerned with how information is stored on a disk, and a metadata layer, which is concerned with information such as inodes and directories. The commands that deal with the data layer are prefixed with the letter d, while the commands that deal with the metadata layer are prefixed with the letter i.

Some of the commands in Sleuth Kit are:

  • Views the contents of a block.
  • Lists unallocated blocks. Makes keyword searches more efficient, because only unallocated space has to be searched.
  • Tells you where an unallocated block is located on the original disk.
  • Details about a given block.
  • Views the contents of a file given its inode value or cluster number. Doesn't list directories; it outputs their contents.
  • Lists the extents of a file on a disk.
  • Information about an inode number.
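To illustrate the data-layer workflow the list above describes (list the unallocated blocks, keyword-search only that space, then map a hit back to its place on disk), here is an added Python emulation. It is not TSK code: it assumes a constructed image with a simple per-block allocation bitmap rather than a real file system, and the function names mirror the d-prefixed commands only for readability.

```python
import re

BLOCK_SIZE = 16  # constructed: tiny blocks keep the sample image readable


def unallocated_blocks(bitmap: bytes, block_count: int) -> list[int]:
    """Addresses of blocks whose allocation bit is clear (bit i <-> block i, LSB first)."""
    return [b for b in range(block_count) if not (bitmap[b // 8] >> (b % 8)) & 1]


def dls(image: bytes, bitmap: bytes, bs: int = BLOCK_SIZE) -> tuple[bytes, list[int]]:
    """Concatenate only the unallocated blocks (the view a dls-style tool gives you).
    Also return the table mapping each output block index to its original address."""
    free = unallocated_blocks(bitmap, len(image) // bs)
    return b"".join(image[b * bs:(b + 1) * bs] for b in free), free


def dcalc(dls_offset: int, free: list[int], bs: int = BLOCK_SIZE) -> tuple[int, int]:
    """Map a byte offset inside the dls output back to (original block, offset in block)."""
    idx, off = divmod(dls_offset, bs)
    return free[idx], off


def search_unallocated(image: bytes, bitmap: bytes, keyword: bytes, bs: int = BLOCK_SIZE):
    """Keyword-search unallocated space only and translate each hit back to the disk.
    A hit that straddles two blocks which are adjacent in the dls output but not on
    disk is an artifact of the concatenation, so every hit is re-read from the image
    and flagged as contiguous or not."""
    data, free = dls(image, bitmap, bs)
    hits = []
    for m in re.finditer(re.escape(keyword), data):
        blk, off = dcalc(m.start(), free, bs)
        start = blk * bs + off
        contiguous = image[start:start + len(keyword)] == keyword
        hits.append((blk, off, contiguous))
    return hits


# Constructed 8-block image: blocks 0,1,3,6 allocated (bitmap 0b01001011), rest free.
BITMAP = bytes([0b01001011])
_blocks = [f"blk{i:02d}".encode().ljust(BLOCK_SIZE, b".") for i in range(8)]
_blocks[3] = b"secret".ljust(BLOCK_SIZE, b".")        # allocated: dls must skip it
_blocks[5] = b"oops" + b"secret" + b"..." + b"sec"    # free: real hit at offset 4, "sec" at end
_blocks[7] = b"ret".ljust(BLOCK_SIZE, b".")           # free: "ret" at start -> false straddle hit
IMAGE = b"".join(_blocks)

if __name__ == "__main__":
    for blk, off, contiguous in search_unallocated(IMAGE, BITMAP, b"secret"):
        print(f"block {blk} offset {off} contiguous_on_disk={contiguous}")
```

Running the block reports one genuine hit in block 5 and one straddle hit that does not exist on disk, while the copy of the keyword in allocated block 3 is never searched at all.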

File Systems Understood

File Search Facilities

  • Lists allocated and unallocated files.
  • Lists and sorts by file type.
  • Shows the times of creation and change.

Historical Reconstruction

Searching Abilities

  • Searches for keywords.
  • Builds an index.

Hash Databases

Evidence Collection Features

  • Tracks forensic activity.


License Notes

Is it commercial or open source? Are there other licensing options?

External Links

External Reviews