Books and The Sleuth Kit
From Forensics Wiki
Books

General books about forensics

  • Principles and Practice of Criminalistics: The Profession of Forensic Science, by Keith Inman and Norah Rudin. (Highly recommended.) http://www.amazon.com/gp/product/0849381274/
  • Forensic Science Handbook, Volume 1 (2nd Edition), by Richard E. Saferstein. Prentice Hall, 2nd edition, 6/5/2001. ISBN 0130910589. http://www.amazon.com/gp/product/0130910589/104-5015943-9029527
  • Forensic Science Handbook, Vol. II (2nd Edition), by Richard E. Saferstein. Prentice Hall, 2nd edition, 10/8/2004. ISBN 013112434X. http://www.amazon.com/gp/product/013112434X/104-5015943-9029527
  • Handbook of Forensic Science, Volume III, by Richard Saferstein. Prentice Hall, 1st edition, 4/22/1993. ISBN 0133253902. http://www.amazon.com/gp/product/0133253902/104-5015943-9029527
  • Forensic Science: An Introduction to Scientific and Investigative Techniques, Second Edition, by Stuart James and Jon J. Nordby. CRC Press, 2/10/2005. ISBN 0849327474. http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=2747&parent_id=411&pc=
  • Ethics in Forensic Science: Professional Standards for the Practice of Criminalistics, by Peter D. Barnett. CRC Press, 6/27/2001. ISBN 0849308607. http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=0860&parent_id=411&pc=

Books about computer forensics

  • File System Forensic Analysis, by Brian Carrier. Addison-Wesley, 2005. (Highly recommended.) http://www.awprofessional.com/title/0321268172
  • Forensic Discovery, by Dan Farmer and Wietse Venema. Addison-Wesley, 2004. http://www.amazon.com/gp/product/020163497X
      ◦ An HTML version of the book is freely available online: http://www.porcupine.org/forensics/forensic-discovery/
  • Digital Evidence and Computer Crime, by Eoghan Casey. Academic Press, 2004. http://www.amazon.com/gp/product/0121631044
  • Incident Response & Computer Forensics, Second Edition, by Kevin Mandia, Chris Prosise and Matt Pepe, 2003. http://books.mcgraw-hill.com/getbook.php?isbn=007222696X
  • Windows Forensics and Incident Recovery, by Harlan Carvey. Addison Wesley Professional, 7/21/2004. ISBN 0321200985. http://www.awprofessional.com/bookstore/product.asp?isbn=0321200985&rl=1
  • Forensic Examination of Digital Evidence: A Guide for Law Enforcement. NCJ 199408, Special Report, National Institute of Justice, April 2004. http://www.ncjrs.gov/pdffiles1/nij/199408.pdf
  • Electronic Crime Scene Investigation: A Guide for First Responders. NCJ 187736, NIJ Guide, National Institute of Justice, July 2001. http://www.ncjrs.gov/pdffiles1/nij/187736.pdf
  • Investigating Computer-Related Crime, by Peter Stephenson. CRC Press, 9/28/1999. ISBN 0849322189. http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=2218&parent_id=411&pc=
  • Investigator's Guide to Steganography, by Gregory Kipper. Auerbach Publications, 10/27/2003. ISBN 0849324335. http://www.crcpress.com/shopping_cart/products/product_detail.asp?id=&parent_id=411&sku=AU2433&pc=
  • Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, by Albert J. Marcella, Jr. and Robert S. Greenfield. Auerbach Publications, 1/23/2002. ISBN 0849309557. http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=AU0955&parent_id=411&pc=
  • Investigating Computer Crime, by Franklin Clark and Ken Diliberto. CRC Press, 7/11/1996. ISBN 0849381584. http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=8158&parent_id=411&pc=

Books in other languages

  • German: Computer-Forensik, 2nd edition, by Alexander Geschonneck. dpunkt, 2006. http://www.dpunkt.de/buecher/3-89864-379-4.html
      ◦ Errata and blog of the author: http://www.computer-forensik.org/

Revision as of 05:47, 13 December 2008

The Sleuth Kit
Maintainer: Brian Carrier
OS: Linux, FreeBSD, OpenBSD, Mac OS X, SunOS
Genre: Analysis
License: IBM Open Source License, Common Public License, GPL
Website: sleuthkit.org

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools for investigating a computer. The tools currently focus on file systems and volume systems; TSK supports FAT (12/16/32), Ext2/3, NTFS, UFS (1 and 2), and ISO 9660 file systems.

Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.

Features

The Sleuth Kit is arranged in layers. The data layer is concerned with how content is stored on the disk, in data units such as blocks and clusters; the metadata layer is concerned with the structures that describe files, such as inodes and directory entries. Commands that work on the data layer are prefixed with the letter d, and commands that work on the metadata layer are prefixed with the letter i. (In TSK 3.0 and later the data-layer tools were renamed with a blk prefix: dcat, dls, dcalc and dstat became blkcat, blkls, blkcalc and blkstat; the i-tools kept their names.)

Some of the commands in The Sleuth Kit are:

dcat
Outputs the contents of a data unit (block or cluster) at a given address, whether or not any file claims it.
dls
Extracts (or lists) the unallocated data units. A keyword search over the extracted unallocated space is faster than one over the whole image and only hits data that no allocated file claims.
dcalc
Maps an address in the dls output back to the data unit's address in the original image, so a keyword hit in extracted unallocated space can be located on the disk.
dstat
Shows details about a data unit, including whether it is allocated.
icat
Outputs the contents of a file given its metadata address (inode number), following the file's data units. It does not list a directory; given a directory's address it outputs the raw data the directory's metadata points to.
ils
Lists metadata entries (inodes), by default the unallocated ones, which is how deleted files are located.
istat
Information about an inode number.
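The two layers above, as an added example that is not code from the wiki page or from The Sleuth Kit: it builds a minimal FAT12 volume in memory (constructed content, not a real disk) and implements in plain Python what the d*/blk* tools do on data units and what the i* tools do on metadata. Function names mirror the TSK tools but are this example's own, and the "metadata address" is simply the root-directory entry index, an assumption that does not follow TSK's inode numbering. The image contains a live file, a deleted file whose clusters are freed in the FAT but not wiped, and an orphan cluster that no directory entry references.

```python
import struct

BPS = 512                                        # bytes per sector, 1 sector/cluster
RESERVED, FAT_SECTORS, ROOT_SECTORS, TOTAL_SECTORS = 1, 1, 1, 16
DATA_START = RESERVED + FAT_SECTORS + ROOT_SECTORS   # sector 3 holds cluster 2
N_CLUSTERS = TOTAL_SECTORS - DATA_START              # clusters 2 .. 14
FAT_OFF, ROOT_OFF = RESERVED * BPS, (RESERVED + FAT_SECTORS) * BPS

# Constructed sample content: a live file, a deleted file whose data is still
# on disk, and an orphan cluster that no directory entry references.
HELLO_DATA = b"A" * 512 + b"B" * 88              # 600 bytes -> clusters 2, 3
SECRET_DATA = b"the quick brown fox " * 5        # 100 bytes -> cluster 4 (deleted)
ORPHAN_DATA = b"orphan data, no directory entry"  # cluster 5

def cluster_off(c):
    """Byte offset of data cluster c (FAT numbers data clusters from 2)."""
    return (DATA_START + (c - 2)) * BPS

def fat12_get(img, n):
    """Read 12-bit FAT entry n (two entries are packed into three bytes)."""
    off = FAT_OFF + (n * 3) // 2
    v = img[off] | (img[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0xFFF)

def fat12_set(img, n, val):
    """Write 12-bit FAT entry n without disturbing its packed neighbour."""
    off = FAT_OFF + (n * 3) // 2
    v = img[off] | (img[off + 1] << 8)
    v = ((v & 0x000F) | (val << 4)) if n & 1 else ((v & 0xF000) | val)
    img[off], img[off + 1] = v & 0xFF, v >> 8

def dirent(name83, first_cluster, size, deleted=False):
    """32-byte FAT directory entry; deleting only overwrites byte 0 with 0xE5."""
    e = bytearray(32)
    e[0:11] = name83.encode("ascii")
    e[0] = 0xE5 if deleted else e[0]
    e[11] = 0x20                                 # archive attribute
    struct.pack_into("<HI", e, 26, first_cluster, size)
    return e

def build_image():
    """Assemble the 8 KiB image: boot sector, one FAT, root dir, 13 clusters."""
    img = bytearray(TOTAL_SECTORS * BPS)
    img[0:11] = b"\xEB\x3C\x90EXAMPLE "
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries,
    # total sectors, media, sectors/FAT, sectors/track, heads, hidden, total32
    struct.pack_into("<HBHBHHBHHHII", img, 11, BPS, 1, RESERVED, 1, 16,
                     TOTAL_SECTORS, 0xF8, FAT_SECTORS, 1, 1, 0, 0)
    img[510:512] = b"\x55\xAA"
    for n, val in ((0, 0xFF8), (1, 0xFFF), (2, 3), (3, 0xFFF)):  # 2 -> 3 -> EOC
        fat12_set(img, n, val)
    for c, data in ((2, HELLO_DATA), (4, SECRET_DATA), (5, ORPHAN_DATA)):
        img[cluster_off(c):cluster_off(c) + len(data)] = data
    # SECRET.TXT was deleted: FAT entry 4 is zero, but the data was not wiped.
    root = dirent("HELLO   TXT", 2, len(HELLO_DATA)) + \
        dirent("SECRET  TXT", 4, len(SECRET_DATA), deleted=True)
    img[ROOT_OFF:ROOT_OFF + 64] = root
    return img

# ---- data layer: the d*/blk* family works on data units, ignoring files ----
def blk_stat(img, c):
    """dstat/blkstat: allocation status of one data unit, read from the FAT."""
    return "allocated" if fat12_get(img, c) else "unallocated"

def blk_cat(img, c):
    """dcat/blkcat: raw contents of one data unit, whoever owns it."""
    return bytes(img[cluster_off(c):cluster_off(c) + BPS])

def blk_ls(img):
    """dls/blkls: the unallocated data units in address order; a keyword
    search over blk_cat() of these reads only space no live file claims."""
    return [c for c in range(2, 2 + N_CLUSTERS) if not fat12_get(img, c)]

def blk_calc(img, unalloc_index):
    """dcalc/blkcalc: unit N of the dls output is which address in the image?"""
    return blk_ls(img)[unalloc_index]

# ---- metadata layer: the i* family works on directory entries / inodes ----
def i_stat(img, idx):
    """istat: decode root entry idx (the 'metadata address' in this example)."""
    e = img[ROOT_OFF + idx * 32:ROOT_OFF + (idx + 1) * 32]
    first, size = struct.unpack_from("<HI", e, 26)
    deleted, units = e[0] == 0xE5, -(-size // BPS)
    if deleted or not fat12_get(img, first):
        # Chain zeroed on delete: assume the file was contiguous, the same
        # assumption TSK makes when recovering deleted FAT files.
        chain = list(range(first, first + units))
    else:
        chain, c = [], first
        while 2 <= c < 0xFF8 and len(chain) < units:
            chain.append(c)
            c = fat12_get(img, c)
    return {"name": bytes(e[0:11]), "size": size, "deleted": deleted, "clusters": chain}

def i_cat(img, idx):
    """icat: file content by metadata address; walks the chain into the
    data layer and trims the slack of the last unit to the recorded size."""
    st = i_stat(img, idx)
    return b"".join(blk_cat(img, c) for c in st["clusters"])[:st["size"]]

if __name__ == "__main__":
    img = build_image()
    print("unallocated:", blk_ls(img), "| blkcalc(1) ->", blk_calc(img, 1))
    for idx in (0, 1):
        st = i_stat(img, idx)
        print(idx, st["name"], st["clusters"], "deleted" if st["deleted"] else "live",
              i_cat(img, idx)[:24])
    open("example_fat12.dd", "wb").write(img)    # try: fls -f fat12 example_fat12.dd
```

Run stand-alone, it prints the unallocated cluster list (4 through 14), shows that icat-style recovery of the deleted SECRET.TXT still works because only its directory entry and FAT chain were touched, and writes the image to example_fat12.dd so the result can be compared against the real tools (fls, istat, icat, dls/blkls) if TSK accepts the minimal boot sector. The point of the split is visible in blk_cat(img, 5): the orphan cluster is reachable from the data layer but from no metadata, which is exactly the data a dls extract plus keyword search exists to find, with dcalc translating the hit back to cluster 5.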

File Systems Understood

  • NTFS
  • FAT
  • Ext2, Ext3
  • UFS (1 & 2)
  • ISO 9660

File Search Facilities

  • Lists allocated and unallocated files.
  • Lists and sorts by file type.
  • Shows a time of creation and change.

Historical Reconstruction

Searching Abilities

  • Searches for keywords.
  • Builds an index.

Hash Databases

  • Uses MD5 or SHA-1.
  • Interfaces with NIST NSRL, Hashkeeper and custom databases.
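A hash-database lookup in the style of TSK's hfind, as an added example that is not code from the wiki page or from The Sleuth Kit. It indexes two constructed hash sets: one in the column layout of NIST's NSRLFile.txt (the layout is real, the rows are invented, except that the digests are the genuine MD5, SHA-1 and CRC32 of the byte strings b"abc" and b"") and one "known bad" set in md5sum output layout, which is the custom-database format hfind indexes. The file names and product codes are made up.

```python
import csv
import hashlib
import io

# Constructed sample hash sets. The column layout of NSRL_TEXT is the real
# NSRLFile.txt layout; the rows are invented, except that the digests are the
# genuine MD5/SHA-1/CRC32 of the byte strings b"abc" and b"" used below.
NSRL_TEXT = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72","352441C2","abc.txt","3","1","189",""
"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.dat","0","1","189",""
'''
# A custom "known bad" set in md5sum output layout (what hfind -i md5sum
# indexes). The first digest is MD5(b"hello world"); the second is made up.
KNOWN_BAD_TEXT = '''5eb63bbbe01eeed093cb22bb8f5acdc3  dropper.exe
0123456789abcdef0123456789abcdef *beacon.dll
'''

def load_nsrl(text):
    """Index an NSRLFile.txt-style CSV by both its SHA-1 and MD5 columns."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index[row["SHA-1"].lower()] = row["FileName"]
        index[row["MD5"].lower()] = row["FileName"]
    return index

def load_md5sum(text):
    """Index md5sum/sha1sum-style lines: '<hex digest>  <name>' (or ' *<name>')."""
    index = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            index[digest.lower()] = name.strip().lstrip("*")
    return index

def classify(data, known_good, known_bad):
    """Look the data's SHA-1 and MD5 up in both sets. Known-bad is checked
    first, so a hash planted in a known-good set cannot filter a file out."""
    digests = (hashlib.sha1(data).hexdigest(), hashlib.md5(data).hexdigest())
    for table, verdict in ((known_bad, "known-bad"), (known_good, "known-good")):
        for d in digests:
            if d in table:
                return verdict, table[d]
    return "unknown", None

if __name__ == "__main__":
    good, bad = load_nsrl(NSRL_TEXT), load_md5sum(KNOWN_BAD_TEXT)
    for sample in (b"abc", b"", b"hello world", b"something else"):
        print(repr(sample), "->", classify(sample, good, bad))
```

A known-good match means "skip this file", never "trust this file", and the loader indexes both NSRL columns because the page's "MD5 or SHA-1" is not a free choice: chosen-prefix MD5 collisions are practical, so when a set provides SHA-1 that is the column to match on, with an MD5-only hit treated as the weaker signal.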

Evidence Collection Features

  • Tracks forensic activity.

History

License Notes

"The file system tools (in the src/fstools directory) are released under the IBM open source license and Common Public License, both are located in the license directory. The modifications to 'mactime' from the original 'mactime' in TCT and 'mac-daddy' are released under the Common Public License. Other tools in the src directory are either Common Public License or the GNU Public License."

See Also

  • The Sleuth Kit How-To
  • tsk-cp

External Links

  • Autopsy website: http://www.sleuthkit.org/autopsy/desc.php

External Reviews