The Sleuth Kit

The Sleuth Kit
Original author(s)	Brian Carrier
Stable release	4.6.2 / August 9, 2018
Repository	github.com/sleuthkit/sleuthkit ;
Written in	C, Perl
Operating system	Unix-like, Windows
Type	Computer forensics
License	IPL, CPL, GPL
Website	www.sleuthkit.org

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based utilities to facilitate the forensic analysis of computer systems. It was written and is maintained primarily by digital investigator Brian Carrier.^[2]

The Sleuth Kit is capable of parsing NTFS, FAT/ExFAT, UFS 1/2, Ext2, Ext3, Ext4, HFS, ISO 9660 and YAFFS2 file systems either separately or within disk images stored in raw (dd), Expert Witness or AFF formats.^[3] The Sleuth Kit can be used to examine most Microsoft Windows, most Apple Macintosh OSX, many Linux and some other UNIX computers.

The Sleuth Kit can be used:

Via the included command line tools; or
As a library embedded within a separate digital forensic tool such as Autopsy or log2timeline/plaso.

The Sleuth Kit is a free, open source suite that provides a large number of specialized command-line based utilities.

It is based on The Coroner's Toolkit, and is the official successor platform.^[4]

Tools

Some of the tools included in The Sleuth Kit include:

ils lists all metadata entries, such as an Inode.
blkls displays data blocks within a file system (formerly called dls).
fls lists allocated and unallocated file names within a file system.
fsstat displays file system statistical information about an image or storage medium.
ffind searches for file names that point to a specified metadata entry.
mactime creates a timeline of all files based upon their MAC times.
disk_stat (currently Linux-only) discovers the existence of a Host Protected Area.

References

^ "Releases - sleuthkit/sleuthkit". Retrieved 12 September 2018 – via GitHub.
^ "About". www.sleuthkit.org. Brian Carrier. Retrieved 2016-08-30.
^ "File and Volume System Analysis". www.sleuthkit.org. Brian Carrier. Retrieved 2016-08-30.
^ http://www.porcupine.org/forensics/tct.html

External links

Official website

This software article is a stub. You can help Wikipedia by expanding it.

[1] "Releases - sleuthkit/sleuthkit". Retrieved 12 September 2018 – via GitHub.

[2] "About". www.sleuthkit.org. Brian Carrier. Retrieved 2016-08-30.

[3] "File and Volume System Analysis". www.sleuthkit.org. Brian Carrier. Retrieved 2016-08-30.

[4] ttp://www.porcupine.org/forensics/tct.html

[1]

[2]

[3]

[4]

v t e Digital forensics
Branches	Computer forensics Mobile device forensics Network forensics Database forensics Software forensics
Hardware	Forensic disk controller
Software	ADF Solutions Digital Evidence Investigator EnCase Foremost FTK PTK Forensics The Sleuth Kit The Coroner's Toolkit COFEE HashKeeper Xplico
Certification	Certified Forensic Computer Examiner (CFCE) Global Information Assurance Certification
Processes	Digital forensic process Data acquisition Digital evidence eDiscovery Anti–computer forensics
Organisations	National Software Reference Library Department of Defense Cyber Crime Center National Hi-Tech Crime Unit (NHTCU) Australian High Tech Crime Centre (AHTCC)
People	Mary Aiken Annie Antón Rebecca Bace Josh Brunty Eoghan Casey Hany Farid Simson Garfinkel Clifford Stoll Robert Zeidman
Glossary of digital forensics terms

Tools

See also

References

External links