The Sleuth Kit
|The Sleuth Kit|
|OS:||Linux,FreeBSD,OpenBSD,Mac OS X,SunOS|
|License:||IBM Open Source License,Common Public License,GPL|
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports many file systems (see below).
Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.
The Sleuth Kit is arranged in layers. There is a data layer which is concerned with how information is stored on a disk and a metadata layer which is considered with information such as inodes and directories. The commands that deal with the data layer are prefixed with the letter d, which the commands that deal with the metadata layer are prefixed with the letter i.
Some of the commands in Sleuth Kit are:
- Views the contents of a block.
- Lists unallocated blocks. Makes keyword searches more efficient. Gets a list of unallocated blocks.
- Tells you where an unallocated blocks are.
- Details about a given block.
- View contents of a file given its inode value or cluster number. Doesn't list directories, lists the contents.
- Lists the files extents on a disk.
- Information about an inode number.
File Systems Understood
File Search Facilities
- Lists allocated and unallocated files.
- Lists and sorts by file type.
- Shows a time of creation and change.
fls and ils can be used to create a full listing of file system timestamps. The output of these commands can be inputted into mactimes which will generate a timeline of the file system timestamps.
- Searches for keywords.
- Builds an index.
Evidence Collection Features
- Tracks forensic activity.
"The file system tools (in the src/fstools directory) are released under the IBM open source license and Common Public License, both are located in the license directory. The modifications to 'mactime' from the original 'mactime' in TCT and 'mac-daddy' are released under the Common Public License. Other tools in the src directory are either Common Public License or the GNU Public License."
In 2011 Willi Ballenthin provided patches for the SleutKit to add ext4 support. These patches were integrated by Kevin Fairbanks into a separate fork of the SleuthKit. This fork was integrated in the 4.1.0 version.