Difference between pages "The Sleuth Kit" and "ILook Investigator"

From ForensicsWiki
(Difference between pages)
{{Infobox_Software |
  name = The Sleuth Kit |
  maintainer = [[Brian Carrier]] |
  os = {{Linux}}, {{FreeBSD}}, {{OpenBSD}}, {{Mac OS X}}, {{SunOS}} |
  genre = {{Analysis}} |
  license = {{IBM Open Source License}}, {{Common Public License}}, {{GPL}} |
  website = [http://www.sleuthkit.org/ sleuthkit.org] |
}}

'''The Sleuth Kit''' ('''TSK''') is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports [[FAT]] (12/16/32), [[Ext2]]/[[Ext3|3]], [[NTFS]], [[Ufs|UFS]] (1 & 2), and ISO 9660 [[file system]]s.
[[Autopsy]] is a frontend for TSK which allows browser-based access to the TSK tools.
 
 
 
=Features=
 
 
The Sleuth Kit is arranged in layers. There is a ''data layer'', which is concerned with how information is stored on a disk, and a ''metadata layer'', which is concerned with information such as [[inode]]s and [[directory|directories]]. The commands that deal with the data layer are prefixed with the letter ''d'' (''blk'' in newer versions, as in the list below), while the commands that deal with the metadata layer are prefixed with the letter ''i''.
 
 
Some of the commands in The Sleuth Kit are:

; blkcat
: Views the contents of a [[block]].
; blkls
: Lists [[unallocated block]]s; this makes keyword searches over unallocated space more efficient.
; blkcalc
: Tells you where unallocated blocks are.
; blkstat
: Gives details about a given block.
; icat
: Views the contents of a file given its inode value or [[cluster number]]. It outputs the file's contents rather than a directory listing.
; ils
: Lists the file (inode) entries on a disk.
; istat
: Gives information about an inode number.

 
==File Systems Understood==

* [[NTFS]]
* [[FAT]]
* [[Ext2]], [[Ext3]]
* [[Ufs|UFS]] (1 & 2)
* ISO 9660
* [[HFS+]]

 
==File Search Facilities==

* Lists allocated and unallocated files.
* Lists and sorts by file type.
* Shows creation and change times.

 
==Historical Reconstruction==

'''fls''' and '''ils''' can be used to create a full listing of file system timestamps.

The output of these commands can be fed into '''mactime''', which generates a timeline of the file system timestamps.
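
An added example, not code from The Sleuth Kit or from this page: a small Python parser for the pipe-separated body file that '''fls -m''' and '''ils -m''' write, which then builds the time-sorted MACB timeline that '''mactime''' prints from it. The field order assumed is the TSK 3.x body format; the sample lines are constructed, not real case data.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Body-file layout (TSK 3.x, assumed): what `fls -m` / `ils -m` emit and
# `mactime` reads. Times are epoch seconds; 0 means "not set".
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# mactime's MACB column order: Modified, Accessed, Changed, Birth.
MACB = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

# Constructed sample: a file, its directory, and a deleted file marked the
# way fls -m marks one; the deleted file's crtime is unset (0).
SAMPLE_BODY = """\
0|/docs/report.txt|1234|r/rrw-r--r--|1000|1000|8192|1136000000|1135990000|1135990000|1135900000
0|/docs|1200|d/drwxr-xr-x|1000|1000|4096|1136000000|1135990000|1135990000|1135900000
0|/docs/draft.txt (deleted)|1235|r/rrw-------|1000|1000|512|1135950000|1135950000|1135995000|0
"""

def parse_body(text):
    """Yield one dict per body line; blank lines and '#' comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed body line: %r" % raw)
        rec = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        rec["deleted"] = "(deleted)" in rec["name"]  # fls -m marks deleted entries
        yield rec

def build_timeline(text):
    """Return [(epoch, macb, inode, name)] sorted by time, as mactime does."""
    # Equal timestamps of one entry collapse into a single row whose MACB
    # column carries every matching flag (e.g. 'm.c.'); unset times give no row.
    events = defaultdict(set)
    for rec in parse_body(text):
        for field, flag in MACB:
            if rec[field]:
                events[(rec[field], rec["inode"], rec["name"])].add(flag)
    rows = []
    for (ts, inode, name), flags in sorted(events.items()):
        macb = "".join(f if f in flags else "." for _, f in MACB)
        rows.append((ts, macb, inode, name))
    return rows

def format_row(row):
    # Render one row as 'YYYY-MM-DD HH:MM:SS macb inode name' in UTC.
    when = datetime.fromtimestamp(row[0], tz=timezone.utc)
    return "%s %s %s %s" % (when.strftime("%Y-%m-%d %H:%M:%S"), *row[1:])
```

Feeding the real output of <code>fls -m / image.dd</code> and <code>ils -m image.dd</code> to <code>build_timeline</code> gives the same ordering mactime produces, so the rows can be compared against its output when checking a tool chain.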
 
 
==Searching Abilities==

* Searches for keywords.
* Builds an index.

 
==Hash Databases==

* Uses [[MD5]] or [[SHA-1]].
* Interfaces with NIST [[NSRL]], [[Hashkeeper]] and custom databases.

 
==Evidence Collection Features==
 
 
* Tracks forensic activity.
 
  
 
=History=
 
==License Notes==
 
 
"The file system tools (in the src/fstools directory) are released under the IBM open source license and Common Public License, both are located in the license directory. The modifications to 'mactime' from the original 'mactime' in TCT and 'mac-daddy' are released under the Common Public License. Other tools in the src directory are either Common Public License or the GNU Public License."
 
 
== Ext4 support ==
 
In 2011 [[Willi Ballenthin]] provided [http://www.williballenthin.com/ext4/ patches] for the SleuthKit to add ext4 support.
 
These patches were integrated by [[Kevin Fairbanks]] into a separate [https://github.com/kfairbanks/sleuthkit/tree/Ext4_Dev fork of the SleuthKit].
 
This fork is currently being worked on.
 
  
= See Also =
 
* [[The Sleuth Kit How-To]]
* [[tsk-cp]]
* The mmls [[OCFA treegraph API]] example module.
 
  
 
= External Links =

* [http://www.sleuthkit.org/autopsy/desc.php Autopsy website]
* [https://github.com/kfairbanks/sleuthkit/tree/Ext4_Dev Fork of the SleuthKit with ext4 support], by [[Kevin Fairbanks]]


Revision as of 14:00, 29 December 2005

ILook Investigator is an all-in-one computer forensic toolset.

ILook is free to qualifying users worldwide. Eligible users must be involved in computer forensics and employed by one of the following:

1) Law Enforcement agency whose employees are sworn law enforcement officers.

2) Government Intelligence agency.

3) Military agencies with authority in criminal and or counter intelligence investigations.

4) Government, State or other Regulatory agencies with a law enforcement mission.

Features

History

External Links

ILook Investigator - Homepage - http://www.ilook-forensics.org/