Difference between revisions of "The Sleuth Kit"

From ForensicsWiki
(Various fixes.)

Revision as of 16:02, 21 March 2006

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS1, and UFS2 file systems.

Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.


Features

The Sleuth Kit is arranged in layers. There is a data layer, which is concerned with how information is stored on the disk (the blocks, clusters or fragments that hold file content), and a metadata layer, which is concerned with structures such as inodes and directories, the records that say where a file's data lives and when it was changed. Commands that work at the data layer are prefixed with the letter d, while commands that work at the metadata layer are prefixed with the letter i.

Some of the commands in Sleuth Kit are:

dcat
Displays the contents of a data block given its block (cluster or fragment) address.
dls
Extracts the unallocated data blocks of a file system image (with -l it only lists them). Because the output holds nothing but unallocated space, a keyword search over it reads less data and cannot match inside allocated files.
dcalc
Maps a block address in dls output back to the block address in the original image.
dstat
Displays details about a given data block, such as whether it is allocated.
icat
Outputs the contents of a file given its inode (metadata) address. It does not list a directory; it writes the raw content the inode points to.
ils
Lists inode (metadata) entries, including unallocated ones.
istat
Displays the information stored in a given inode: size, timestamps and the data blocks it points to.
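
The data-layer commands above are normally chained: dls to pull out unallocated space, a keyword search over that stream, dcalc to translate each hit back to a block in the original image, dcat to view it. The script below is an added example written for this page, not code from ForensicsWiki or from The Sleuth Kit; it assumes a raw image file, its file system type as passed to -f, the data-unit size that fsstat reports for that file system, and a TSK install on PATH. The names blkls, blkcalc and blkcat are the post-3.0 names of dls, dcalc and dcat, so the script accepts either set.

```shell
#!/bin/sh
# Added example, not code from ForensicsWiki or from The Sleuth Kit itself:
# a keyword search restricted to unallocated space, with each hit mapped
# back to its block in the original image using the data-layer tools.
# Assumed: a raw image file, its file system type (as given to -f), the
# data-unit size reported by fsstat, and a TSK install on PATH.
set -eu

# pick_tool NEW OLD: TSK 3.0 renamed dls/dcalc/dcat to blkls/blkcalc/blkcat.
# Prints whichever of the two names is installed, preferring the new one,
# and falls back to the old name if neither is found.
pick_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# dls_block_from_offset OFFSET BLOCKSIZE: dls writes unallocated blocks back
# to back, so the block holding byte OFFSET of its output is
# OFFSET / BLOCKSIZE (integer division). That number is a "dls address".
dls_block_from_offset() {
    echo $(( $1 / $2 ))
}

# unalloc_keyword_search FSTYPE IMAGE BLOCKSIZE KEYWORD
#   1. dls/blkls extracts only unallocated blocks, so grep reads less data
#      and cannot match inside allocated files.
#   2. grep -abo prints the byte offset of every match in that stream.
#   3. offset / BLOCKSIZE is the dls address; dcalc -u converts it to the
#      block address in the original image, which dcat can then display.
unalloc_keyword_search() {
    fstype=$1; image=$2; bsize=$3; keyword=$4
    dls_cmd=$(pick_tool blkls dls)
    dcalc_cmd=$(pick_tool blkcalc dcalc)
    unalloc=$(mktemp)
    "$dls_cmd" -f "$fstype" "$image" > "$unalloc"
    grep -abo -- "$keyword" "$unalloc" | cut -d: -f1 | sort -n -u |
    while read -r off; do
        dls_addr=$(dls_block_from_offset "$off" "$bsize")
        orig=$("$dcalc_cmd" -u "$dls_addr" -f "$fstype" "$image")
        printf 'offset=%s dls_block=%s image_block=%s\n' "$off" "$dls_addr" "$orig"
    done
    rm -f "$unalloc"
}

# usage: sh unalloc_search.sh ext2 disk.dd 4096 'SECRET'
# then view a hit with: dcat -f ext2 disk.dd <image_block>   (or blkcat)
if [ "$#" -eq 4 ]; then
    unalloc_keyword_search "$@"
fi
```

Two things to keep in mind when reading the results. dcalc -u only makes sense with the same -f and image that produced the dls stream. And because dls concatenates unallocated blocks, a match that straddles two consecutive blocks of the dls output may come from two blocks that are nowhere near each other in the original image; check each mapped block with dcat before drawing conclusions from the surrounding bytes.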

File Systems Understood

  • NTFS
  • FAT
  • EXT2, EXT3
  • UFS1, UFS2

File Search Facilities

  • Lists allocated and unallocated files.
  • Lists and sorts by file type.
  • Shows the times of creation and change.

Historical Reconstruction

Searching Abilities

  • Searches for keywords.
  • Builds an index.

Hash Databases

  • Uses MD5 or SHA1.
  • Interfaces with NIST NSRL, Hashkeeper and custom databases.

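TSK's hash-database support (MD5 or SHA-1 lookups against NIST NSRL, Hashkeeper or custom sets, via hfind) is used mainly to set aside files that are already known so the examiner can concentrate on the rest. The script below is an added example written for this page, not code from ForensicsWiki or from The Sleuth Kit; it does the same known-file filtering with plain shell tools. The reference rows follow the classic NSRL RDS CSV layout but are constructed for the example, as are the sample files; the only real values in them are the SHA-1, MD5 and CRC32 of the three-byte string "abc" and of the empty file.

```shell
#!/bin/sh
# Added example, not code from ForensicsWiki or from The Sleuth Kit (hfind):
# known-file filtering, the core use of a hash database. Files whose SHA-1
# appears in a reference set (NIST NSRL style) are set aside; everything
# else is what the examiner still has to look at.
# The hash-set rows and the sample files below are constructed for this
# example; only the hash values of "abc" and of the empty file are real.
set -eu

# Constructed reference set in the classic NSRL RDS CSV layout:
# "SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
HASHSET_ROWS='"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72","352441C2","abc.txt",3,1,"358",""
"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.txt",0,1,"358",""'

# sha1_of FILE: upper-case SHA-1 hex, matching the case NSRL uses.
# Uses coreutils sha1sum where present, shasum (BSD/macOS) otherwise.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        h=$(sha1sum "$1" | cut -d' ' -f1)
    else
        h=$(shasum -a 1 "$1" | cut -d' ' -f1)
    fi
    printf '%s\n' "$h" | tr 'a-f' 'A-F'
}

# known_sha1 HASHSET_FILE SHA1: succeeds if the quoted hash is in the set.
# The quotes keep a short hash from matching inside a longer field.
known_sha1() {
    grep -q -F -- "\"$2\"" "$1"
}

# classify_file FILE HASHSET_FILE: prints "known" or "unknown".
classify_file() {
    if known_sha1 "$2" "$(sha1_of "$1")"; then
        echo known
    else
        echo unknown
    fi
}

# triage_unknown DIR HASHSET_FILE: prints the files under DIR that are NOT
# in the reference set, i.e. what remains after the known-good filter.
triage_unknown() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        if [ "$(classify_file "$f" "$2")" = unknown ]; then
            printf '%s\n' "$f"
        fi
    done
}

# make_demo_dir: builds the constructed evidence tree and hash set, prints
# the temporary directory that holds them.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir "$d/evidence"
    printf 'abc' > "$d/evidence/abc.txt"        # SHA-1 in the set
    : > "$d/evidence/empty.txt"                 # SHA-1 in the set
    printf 'stage2 loader, not in any reference set\n' > "$d/evidence/dropper.bin"
    printf '%s\n' "$HASHSET_ROWS" > "$d/NSRLFile.txt"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_dir)
    triage_unknown "$demo/evidence" "$demo/NSRLFile.txt"   # prints .../dropper.bin
    rm -rf "$demo"
fi
```

A match against the set means only that the file is known, not that it is harmless: NSRL also catalogues security and attack tools, and a custom set is only as good as whoever built it. Since both MD5 and SHA-1 have practical collision attacks, treat a hash-set hit as a filter that reduces the review load rather than as evidence about the file on its own.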
Evidence Collection Features

  • Tracks forensic activity.

History

License Notes

Is it commercial or open source? Are there other licensing options?

External Links

  • Official website: http://www.sleuthkit.org
  • Autopsy website: http://www.sleuthkit.org/autopsy/desc.php

External Reviews