| Line 1: |
Line 1: |
| − | {{Infobox_Software |
| + | [[Category:Visualizations]] |
| − | name = The Sleuth Kit |
| + | |
| − | maintainer = [[Brian Carrier]] |
| + | |
| − | os = {{Linux}}, {{FreeBSD}}, {{OpenBSD}}, {{Mac OS X}}, {{SunOS}} |
| + | |
| − | genre = {{Analysis}} |
| + | |
| − | license = {{IBM Open Source License}}, {{Common Public License}}, {{GPL}} |
| + | |
| − | website = [http://www.sleuthkit.org/ sleuthkit.org] |
| + | |
| − | }}
| + | |
| − | | + | |
| − | '''The Sleuth Kit''' ('''TSK''') is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports [[FAT]] (12/16/32), [[Ext2]]/[[Ext3|3]], [[NTFS]], [[Ufs|UFS]] (1 & 2), and ISO 9660 [[file system]]s.
| + | |
| − | | + | |
| − | [[Autopsy]] is a frontend for TSK which allows browser-based access to the TSK tools.
| + | |
| − |
| + | |
| − | =Features=
| + | |
| − | | + | |
| − | The Sleuth Kit is arranged in layers. There is a ''data layer'' which is concerned with how information is stored on a disk and a ''metadata layer'' which is considered with information such as [[inode]]s and [[directory|directories]]. The commands that deal with the data layer are prefixed with the letter ''d'', which the commands that deal with the metadata layer are prefixed with the letter ''i''.
| + | |
| − | | + | |
| − | Some of the commands in Sleuth Kit are:
| + | |
| − | | + | |
| − | ; blkcat
| + | |
| − | : Views the contents of a [[block]].
| + | |
| − | | + | |
| − | ; blkls
| + | |
| − | : Lists [[unallocated block]]s. Makes keyword searches more efficient. Gets a list of unallocated blocks.
| + | |
| − | | + | |
| − | ; blkcalc
| + | |
| − | : Tells you where an unallocated blocks are.
| + | |
| − | | + | |
| − | ; blkstat
| + | |
| − | : Details about a given block.
| + | |
| − | | + | |
| − | ; icat
| + | |
| − | : View contents of a file given its inode value or [[cluster number]]. Doesn't list directories, lists the contents.
| + | |
| − | | + | |
| − | ; ils
| + | |
| − | : Lists the files extents on a disk.
| + | |
| − | | + | |
| − | ; istat
| + | |
| − | : Information about an inode number.
| + | |
| − | | + | |
| − | ==File Systems Understood==
| + | |
| − | | + | |
| − | * [[NTFS]]
| + | |
| − | * [[FAT]]
| + | |
| − | * [[Ext2]], [[Ext3]]
| + | |
| − | * [[Ufs|UFS]] (1 & 2)
| + | |
| − | * ISO 9660
| + | |
| − | * [[HFS+]]
| + | |
| − |
| + | |
| − | ==File Search Facilities==
| + | |
| − | | + | |
| − | * Lists allocated and unallocated files.
| + | |
| − | * Lists and sorts by file type.
| + | |
| − | * Shows a time of creation and change.
| + | |
| − |
| + | |
| − | ==Historical Reconstruction==
| + | |
| − | '''fls''' and '''ils''' can be used to create a full listing of file system timestamps.
| + | |
| − | The output of these commands can be inputted into '''mactimes''' which will generate a timeline of the file system timestamps.
| + | |
| − | | + | |
| − | ==Searching Abilities==
| + | |
| − |
| + | |
| − | * Searches for keywords.
| + | |
| − | * Builds an index.
| + | |
| − | | + | |
| − | ==Hash Databases==
| + | |
| − | | + | |
| − | * Uses [[MD5]] or [[SHA-1]].
| + | |
| − | * Interfaces with NIST [[NSRL]], [[Hashkeeper]] and customer databases.
| + | |
| − |
| + | |
| − | ==Evidence Collection Features==
| + | |
| − |
| + | |
| − | * Tracks forensic activity.
| + | |
| − | | + | |
| − | =History=
| + | |
| − | | + | |
| − | ==License Notes==
| + | |
| − | | + | |
| − | "The file system tools (in the src/fstools directory) are released
| + | |
| − | under the IBM open source license and Common Public License, both
| + | |
| − | are located in the license directory. The modifications to 'mactime'
| + | |
| − | from the original 'mactime' in TCT and 'mac-daddy' are released
| + | |
| − | under the Common Public License. Other tools in the src directory
| + | |
| − | are either Common Public License or the GNU Public License."
| + | |
| − | | + | |
| − | == Ext4 support ==
| + | |
| − | In 2011 [[Willi Ballenthin]] provided [http://www.williballenthin.com/ext4/ patches] for the SleutKit to add ext4 support.
| + | |
| − | These patches were integrated by [[Kevin Fairbanks]] into a separate [https://github.com/kfairbanks/sleuthkit/tree/Ext4_Dev fork of the SleuthKit].
| + | |
| − | This fork is currently being worked on.
| + | |
| − | | + | |
| − | = See Also =
| + | |
| − | * [[The Sleuth Kit How-To]]
| + | |
| − | * [[tsk-cp]]
| + | |
| − | * The mmls [[OCFA treegraph API]] example module.
| + | |
| − | | + | |
| − | = External Links =
| + | |
| − | | + | |
| − | * [http://www.sleuthkit.org/autopsy/desc.php Autopsy website]
| + | |
| − | * [https://github.com/kfairbanks/sleuthkit/tree/Ext4_Dev Fork of the SleuthKit with ext4 support], by [[Kevin Fairbanks]]
| + | |
| − |
| + | |
| − | ==External Reviews==
| + | |
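Review bot: This revision blanks the entire article and leaves only `[[Category:Visualizations]]`: the infobox, the Features section with the blk*/i* command descriptions, the file system list, the History and license notes, the Ext4 support paragraph, See Also and External Links are all removed with nothing put in their place. That is page blanking, not a recategorisation, and the new category does not match the content that was removed (the infobox gave `genre = {{Analysis}}` and the lead described a file system and volume analysis toolkit). Restore the previous revision in full and drop the `[[Category:Visualizations]]` line; if the editor meant to add a category, it belongs below the existing text, not in place of it.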