Difference between revisions of "The Sleuth Kit"

From ForensicsWiki
m
(Typos and links.)
Line 1: Line 1:
The Sleuth Kit (http://www.sleuthkit.org) (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, and UFS file systems.
+
'''The Sleuth Kit''' (TSK) is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports [[FAT]], [[Ext2]]/[[Ext3|3]], [[NTFS]], and [[UFS]] [[file systems]].
  
Sleuth kit is arranged in layers. There is a ''data layer'' which is concerned with how information is stored on a disk and a ''metadata layer'' which is considered with information such as inodes and directories. The commands that deal with the data layer are prefixed with the letter ''d'', which the commands that deal with the metadata layer are prefixed with the letter ''i''.
+
Sleuth kit is arranged in layers. There is a ''data layer'' which is concerned with how information is stored on a disk and a ''metadata layer'' which is considered with information such as [[inode]]s and [[directory|directories]]. The commands that deal with the data layer are prefixed with the letter ''d'', which the commands that deal with the metadata layer are prefixed with the letter ''i''.
  
 
Some of the commands in Sleuth Kit are:
 
Some of the commands in Sleuth Kit are:
  
 
; dcat
 
; dcat
: Views the contents of a block
+
: Views the contents of a [[block]].
  
 
; dls
 
; dls
: Lists unallocated blocks. Makes keyword searches more efficient. Gets a lsit of unallocated blocks.
+
: Lists [[unallocated block]]s. Makes keyword searches more efficient. Gets a list of unallocated blocks.
  
 
; dcalc
 
; dcalc
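Review bot: the revised lead paragraph at Line 1 still carries two wording errors that the edit summary ("Typos and links.") would cover: "a ''metadata layer'' which is considered with information such as [[inode]]s" should read "concerned with", and "prefixed with the letter ''d'', which the commands that deal with the metadata layer" should read "while the commands"; "Sleuth kit" should also match the bold "The Sleuth Kit" above it. The dls entry says the same thing twice ("Lists [[unallocated block]]s" and "Gets a list of unallocated blocks."); keep one and let the remaining sentence explain why that makes keyword searches more efficient (only the unallocated space has to be searched).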
Line 15: Line 15:
  
 
; dstat
 
; dstat
: Details about a given block
+
: Details about a given block.
  
 
; icat
 
; icat
: View contents of a file given its inode value or cluster number. Doesn't list directories, lists the contents.
+
: View contents of a file given its inode value or [[cluster number]]. Doesn't list directories, lists the contents.
  
 
; ils
 
; ils
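Review bot: the icat description "Doesn't list directories, lists the contents." is ambiguous in both the old and the new version; suggest "It outputs the file's data rather than a directory listing." so the contrast with the listing commands (ils, istat) is clear.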
Line 24: Line 24:
  
 
; istat
 
; istat
: information about an indoe number.
+
: Information about an inode number.
 +
 
 +
== External Links ==
 +
 
 +
* [http://www.sleuthkit.org The Sleuth Kit] homepage
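Review bot: the new External Links section is inserted with a stray blank line between the "== External Links ==" heading and its bullet and two blank lines before the heading; one blank line on each side is enough. Since the inline URL was dropped from the lead paragraph, this bullet is now the only place the project URL appears, which is fine.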

Revision as of 07:07, 18 March 2006

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, and UFS file systems.

The Sleuth Kit is arranged in layers. There is a data layer, which is concerned with how information is stored on a disk, and a metadata layer, which is concerned with information such as inodes and directories. The commands that deal with the data layer are prefixed with the letter d, while the commands that deal with the metadata layer are prefixed with the letter i.

Some of the commands in Sleuth Kit are:

dcat
Views the contents of a block.
dls
Outputs the unallocated blocks as one contiguous stream. This makes keyword searches more efficient, because only the unallocated space has to be searched rather than the whole image.
dcalc
Maps a block address in the dls output back to its address in the original image, so that a keyword hit found in the unallocated stream can be located on the disk.
dstat
Details about a given block.
icat
Views the contents of a file given its inode value or cluster number. It outputs the file's data, not a directory listing.
ils
Lists inode entries on a disk; by default only the unallocated (deleted) ones.
istat
Information about an inode number.
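
The two layers and the d/i commands above, as an added worked example written for this page (it is not TSK code): a constructed eight-block image with an allocation bitmap (data layer) and an inode table (metadata layer), and Python functions named after the commands they imitate. The dcalc_u/dcalc_d pair models what dcalc did with its -u and -d options, translating block addresses between a dls output image and the original image. Block size, block contents, bitmap and inode numbers are all made up for the demonstration.

```python
# Constructed model of the two Sleuth Kit layers described above. Example
# code written for this page, not TSK's implementation; function names mirror
# the TSK commands they imitate. All data below is made up.

BLOCK_SIZE = 16  # constructed: tiny blocks keep the sample image readable

# Constructed image: eight blocks of BLOCK_SIZE bytes.
_BLOCKS = [
    b"allocated file A",   # 0  allocated, inode 11
    b"allocated file B",   # 1  allocated, inode 12 (block once owned by deleted inode 16)
    b"deleted log line",   # 2  unallocated, was inode 13
    b"hunter2 in use!!",   # 3  allocated, inode 12; keyword inside live data
    b"password=hunter2",   # 4  unallocated, was inode 13
    b"\x00" * BLOCK_SIZE,  # 5  unallocated, never written
    b"allocated file C",   # 6  allocated, inode 14
    b"old secret key!!",   # 7  unallocated, was inode 15
]
assert all(len(b) == BLOCK_SIZE for b in _BLOCKS)
IMAGE = b"".join(_BLOCKS)
BITMAP = [1, 1, 0, 1, 0, 0, 1, 0]  # data layer: 1 = block allocated
INODES = {                         # metadata layer: inum -> (allocated, block pointers)
    11: (True, [0]),
    12: (True, [1, 3]),
    13: (False, [2, 4]),   # deleted; pointers intact and blocks still free
    14: (True, [6]),
    15: (False, [7]),
    16: (False, [1]),      # deleted; its block has since been reallocated
}


# ---- data layer: d* commands ----

def dcat(image, addr, block_size=BLOCK_SIZE):
    """Raw contents of one block (dcat)."""
    return image[addr * block_size:(addr + 1) * block_size]


def dstat(addr, bitmap):
    """Allocation status of one block (dstat)."""
    return "Allocated" if bitmap[addr] else "Not Allocated"


def dls(image, bitmap, block_size=BLOCK_SIZE):
    """Concatenate only the unallocated blocks (dls). Also returns, for each
    block of the output stream, its address in the original image."""
    pieces, origin = [], []
    for addr, allocated in enumerate(bitmap):
        if not allocated:
            pieces.append(dcat(image, addr, block_size))
            origin.append(addr)
    return b"".join(pieces), origin


def dcalc_u(dls_addr, origin):
    """dls-output block address -> original image address (dcalc -u)."""
    return origin[dls_addr]


def dcalc_d(orig_addr, origin):
    """Original address -> dls-output address (dcalc -d); None when the block
    is allocated and therefore not present in the dls output at all."""
    return origin.index(orig_addr) if orig_addr in origin else None


def search_unallocated(image, bitmap, keyword, block_size=BLOCK_SIZE):
    """Keyword search over the dls stream only, each hit translated back to an
    original block address. Hits inside live files (block 3) never show up and
    the stream is smaller than the image; that is the efficiency the page
    mentions. The flag is False when the match straddles two dls blocks that
    are not neighbours in the original image, i.e. the hit is an artifact of
    the concatenation and must be rechecked against the original image."""
    stream, origin = dls(image, bitmap, block_size)
    hits, pos = [], stream.find(keyword)
    while pos != -1:
        first, last = pos // block_size, (pos + len(keyword) - 1) // block_size
        contiguous = dcalc_u(last, origin) - dcalc_u(first, origin) == last - first
        hits.append((dcalc_u(first, origin), contiguous))
        pos = stream.find(keyword, pos + 1)
    return hits


# ---- metadata layer: i* commands ----

def ils(inodes, everything=False):
    """Inode numbers (ils); by default only the unallocated ones."""
    return sorted(n for n, (alloc, _) in inodes.items() if everything or not alloc)


def istat(inum, inodes, bitmap):
    """Metadata of one inode (istat). For a deleted inode it also reports which
    of its blocks are now allocated to something else: icat on such an inode
    returns the new owner's data, not the deleted file's."""
    alloc, blocks = inodes[inum]
    return {"inode": inum, "allocated": alloc, "blocks": list(blocks),
            "blocks_reallocated": [b for b in blocks if not alloc and bitmap[b]]}


def icat(inum, inodes, image, block_size=BLOCK_SIZE):
    """File content reached through an inode (icat): the data, not a listing."""
    _, blocks = inodes[inum]
    return b"".join(dcat(image, b, block_size) for b in blocks)


if __name__ == "__main__":
    for addr, ok in search_unallocated(IMAGE, BITMAP, b"hunter2"):
        print(f"hit in original block {addr} ({dstat(addr, BITMAP)}), contiguous={ok}")
    for inum in ils(INODES):
        print(inum, istat(inum, INODES, BITMAP), icat(inum, INODES, IMAGE))
```

Running it shows the keyword in the live block 3 being ignored, the hit in block 4 being mapped back from the dls stream, and inode 16 reporting block 1 as reallocated, the case where icat on a deleted inode returns another file's data.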

External Links

The Sleuth Kit homepage: http://www.sleuthkit.org