Difference between pages "Books" and "The Sleuth Kit"

From Forensics Wiki

Books
(Books about computer forensics)

=General books about forensics=
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title !! width="20%"|Author !! width="10%"|ISBN !! width="20%"|Publisher !! width="10%"|Publication Date !! width="10%"|Comment
|-
| [http://www.amazon.com/gp/product/0849381274/ Principles and Practice of Criminalistics: The Profession of Forensic Science] || Keith Inman and Norah Rudin || 0849381274 || CRC Press || Aug 29, 2000 || Highly Recommended
|-
| [http://www.amazon.com/gp/product/0130910589/ Forensic Science Handbook, Volume I (2nd Edition)] || Richard E. Saferstein, Ed. || 0130910589 || Prentice Hall || Jun 5, 2001 ||
|-
| [http://www.amazon.com/gp/product/013112434X/ Forensic Science Handbook, Volume II (2nd Edition)] || Richard E. Saferstein, Ed. || 013112434X || Prentice Hall || Oct 8, 2004 ||
|-
| [http://www.amazon.com/gp/product/0133253902/ Forensic Science Handbook, Volume III] || Richard E. Saferstein, Ed. || 0133253902 || Prentice Hall || Apr 22, 1993 ||
|-
| [http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=2747&parent_id=411&pc= Forensic Science: An Introduction to Scientific and Investigative Techniques, Second Edition] || Stuart James and Jon J Nordby || 0849327474 || CRC Press || Feb 10, 2005 ||
|-
| [http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=0860&parent_id=411&pc= Ethics in Forensic Science: Professional Standards for the Practice of Criminalistics] || Peter D Barnett || 0849308607 || CRC Press || Jun 27, 2001 ||
|-
| [http://www.amazon.com/gp/product/0470018267 Wiley Encyclopedia of Forensic Science (Five Volume Set)] || Allan Jamieson (Ed) and Andre Moenssens (Ed) || 0470018267 || Wiley || Jun 29, 2009 ||
|}

=Books about computer forensics=
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title !! width="20%"|Author !! width="10%"|ISBN !! width="20%"|Publisher !! width="10%"|Publication Date !! width="10%"|Comment
|-
| [http://www.awprofessional.com/title/0321268172 File System Forensic Analysis] || [[Brian Carrier]] || 0321268172 || Addison-Wesley || Mar 27, 2005 || (Highly recommended)
|-
| [http://www.amazon.com/gp/product/020163497X Forensic Discovery] || Dan Farmer and Wietse Venema || 0321703251 || Addison-Wesley || Dec 28, 2009 || [http://www.porcupine.org/forensics/forensic-discovery/ HTML version] of the book is freely available online.
|-
| [http://www.amazon.com/gp/product/0121631044 Digital Evidence and Computer Crime] Second Edition || Eoghan Casey || 0121631044 || Academic Press || Mar 22, 2004 ||
|-
| [http://www.amazon.com/gp/product/0123742676 Handbook of Digital Forensics and Investigation] || Eoghan Casey || 0123742676 || Academic Press || Nov 09, 2009 ||
|-
| [http://books.mcgraw-hill.com/getbook.php?isbn=007222696X Incident Response & Computer Forensics, Second Edition] || Kevin Mandia, Chris Prosise & Matt Pepe || 007222696X || McGraw-Hill/Osborne || Jul 17, 2003 ||
|-
| [http://www.awprofessional.com/bookstore/product.asp?isbn=0321200985&rl=1 Windows Forensics and Incident Recovery] || [[Harlan Carvey]] || 0321200985 || Addison Wesley Professional || Jul 21, 2004 ||
|-
| [http://www.ncjrs.gov/pdffiles1/nij/199408.pdf Forensic Examination of Digital Evidence: A Guide for Law Enforcement] || NCJ 199408 || || National Institute of Justice || April 2004 || Special Report
|-
| [http://www.ncjrs.gov/pdffiles1/nij/187736.pdf Electronic Crime Scene Investigation: A Guide for First Responders] || NCJ 187736 || || National Institute of Justice || July 2001 || NIJ Guide
|-
| [http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=2218&parent_id=411&pc= Investigating Computer-Related Crime] || Peter Stephenson || 0849322189 || CRC Press || Sep 28, 1999 ||
|-
| [http://www.crcpress.com/shopping_cart/products/product_detail.asp?id=&parent_id=411&sku=AU2433&pc= Investigator's Guide to Steganography] || Gregory Kipper || 0849324335 || Auerbach Publications || Oct 27, 2003 ||
|-
| [http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=AU0955&parent_id=411&pc= Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes] || Albert J Marcella, Jr. and Robert S Greenfield || 0849309557 || Auerbach Publications || Jan 23, 2002 ||
|-
| [http://www.crcpress.com/shopping_cart/products/product_detail.asp?sku=8158&parent_id=411&pc= Investigating Computer Crime] || Franklin Clark and Ken Diliberto || 0849381584 || CRC Press || Jul 11, 1996 ||
|-
| [http://www.syngress.com/catalog/?pid=4230 Windows Forensic Analysis]<br>[http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224 Windows Forensic Analysis DVD Toolkit, Second Edition] || [[Harlan Carvey]] || 159749156X<br>1597494224 || Syngress (Elsevier) || May 21, 2007<br>Jun 11, 2009 ||
|-
| [http://www.syngress.com/catalog/?pid=4220 CD and DVD Forensics] || [[Paul Crowley]] and [[Dave Kleiman]] (Technical Editor) || 1597491284 || Syngress || Nov 8, 2006 ||
|-
| [http://www.sybex.com/WileyCDA/SybexTitle/productCd-0470097620.html Mastering Windows Network Forensics and Investigation] || Steven Anson and Steve Bunting || 9780470097625 || Sybex || April 2007 ||
|-
| [http://www.amazon.com/gp/product/0596153589 iPhone Forensics] || Jonathan Zdziarski || 0596153589 || O'Reilly || Sep 12, 2008 ||
|-
| [http://www.amazon.com/gp/product/1597492973 Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit] || Ryan R. Kubasiak, Sean Morrissey and Jesse Varsalone (Tech. Ed.) || 1597492973 || Syngress || Dec 08, 2008 ||
|}

=Books in other languages=

=== German ===
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title !! width="20%"|Author !! width="10%"|ISBN !! width="20%"|Publisher !! width="10%"|Publication Date !! width="10%"|Comment
|-
| [http://www.dpunkt.de/buecher/3-89864-379-4.html Computer-Forensik], 2nd edition || Alexander Geschonneck || 3898643794 || || 2006 || [http://www.computer-forensik.org/ Errata] and blog of the author
|}

=== Italian ===
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title !! width="20%"|Author !! width="10%"|ISBN !! width="20%"|Publisher !! width="10%"|Publication Date !! width="10%"|Comment
|-
| [http://www.apogeonline.com/libri/88-503-2593-2/scheda Computer Forensics] 1st edition || Andrea Ghirardini and Gabriele Faggioli || 8850325932 || Apogeo || May 17, 2007 || EAN 9788850325931
|}

=== Portuguese ===
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title !! width="20%"|Author !! width="10%"|ISBN !! width="20%"|Publisher !! width="10%"|Publication Date !! width="10%"|Comment
|-
| [http://www.brasport.com.br/index.php?Escolha=8&Livro=L00194 Perícia Forense Aplicada à Informática] 1st edition || Andrey Rodrigues de Freitas || 8574522260 || Brasport || 2006 ||
|}

=== Russian ===
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title !! width="20%"|Author !! width="10%"|ISBN !! width="20%"|Publisher !! width="10%"|Publication Date !! width="10%"|Comment
|-
| [http://forensics.ru/ Форензика – компьютерная криминалистика] || N. N. Fedotov || || || ||
|}

The Sleuth Kit
m (Sleuthkit moved to The Sleuth Kit: Move to full name.)

{{Infobox_Software |
  name = The Sleuth Kit |
  maintainer = [[Brian Carrier]] |
  os = {{Linux}}, {{FreeBSD}}, {{OpenBSD}}, {{Mac OS X}}, {{SunOS}} |
  genre = {{Disk file systems}} |
  license = {{IBM Open Source License}}, {{Common Public License}}, {{GPL}} |
  website = [http://www.sleuthkit.org/ sleuthkit.org] |
}}

'''The Sleuth Kit''' ('''TSK''') is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems; TSK supports the [[FAT]], [[Ext2]]/[[Ext3|3]], [[NTFS]], [[UFS1]], and [[UFS2]] [[file system]]s.

[[Autopsy]] is a frontend for TSK which allows browser-based access to the TSK tools.

=Features=

The Sleuth Kit is arranged in layers. There is a ''data layer'', which is concerned with how information is stored on a disk, and a ''metadata layer'', which is concerned with information such as [[inode]]s and [[directory|directories]]. The commands that deal with the data layer are prefixed with the letter ''d'', while the commands that deal with the metadata layer are prefixed with the letter ''i''.

Some of the commands in Sleuth Kit are:

; dcat
: Views the contents of a [[block]].
; dls
: Lists [[unallocated block]]s. Searching only this output makes keyword searches more efficient.
; dcalc
: Tells you where an unallocated block is.
; dstat
: Details about a given block.
; icat
: Views the contents of a file given its inode value or [[cluster number]]. Doesn't list directories; lists the contents.
; ils
: Lists the file extents on a disk.
; istat
: Information about an inode number.

==File Systems Understood==

* [[NTFS]]
* [[FAT]]
* [[EXT2]], [[EXT3]]
* [[UFS1]], [[UFS2]]

==File Search Facilities==

* Lists allocated and unallocated files.
* Lists and sorts by file type.
* Shows the time of creation and change.

==Historical Reconstruction==

==Searching Abilities==

* Searches for keywords.
* Builds an index.

==Hash Databases==

* Uses [[MD5]] or [[SHA1]].
* Interfaces with [[NIST NSRL]], [[Hashkeeper]] and custom databases.

==Evidence Collection Features==

* Tracks forensic activity.

=History=

==License Notes==

Is it commercial or open source? Are there other licensing options?

= External Links =

* [http://www.sleuthkit.org/autopsy/desc.php Autopsy website]

==External Reviews==
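As an added illustration of the data-layer workflow the Features section describes (dls to narrow a keyword search to unallocated space, then dcalc to map a hit back to a block address in the image, then dcat to view that block), here is a small Python model. It is not TSK's own code: the image, its block size and the allocation bitmap are constructed for the example and are not a real file system.

```python
BLOCK_SIZE = 16

# Constructed toy image (not a real file system): 8 blocks of 16 bytes.
# The hand-written bitmap marks blocks 0, 1, 3 and 6 as allocated.
ALLOC_BITMAP = [True, True, False, True, False, False, True, False]
IMAGE = b"".join([
    b"BOOT-SECTOR-----",   # block 0, allocated
    b"readme.txt-data-",   # block 1, allocated
    b"old deleted data",   # block 2, unallocated
    b"notes.txt-data--",   # block 3, allocated
    b"xx evidence xxxx",   # block 4, unallocated: the keyword lives here
    b"\x00" * BLOCK_SIZE,  # block 5, unallocated
    b"photo.jpg-data--",   # block 6, allocated
    b"\x00" * BLOCK_SIZE,  # block 7, unallocated
])
assert len(IMAGE) == len(ALLOC_BITMAP) * BLOCK_SIZE


def dcat(image, block):
    """dcat: return the raw contents of one block of the image."""
    return image[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE]


def unallocated_blocks(bitmap):
    """Addresses of every block the bitmap marks as free."""
    return [addr for addr, used in enumerate(bitmap) if not used]


def dls(image, bitmap):
    """dls: concatenate the unallocated blocks, in address order, so a
    keyword search only has to scan free space instead of the whole image."""
    return b"".join(dcat(image, addr) for addr in unallocated_blocks(bitmap))


def dcalc(dls_offset, bitmap):
    """dcalc: map a byte offset in the dls output back to the block address
    in the original image (the block holding the first byte of a hit)."""
    return unallocated_blocks(bitmap)[dls_offset // BLOCK_SIZE]


def find_keyword(image, bitmap, keyword):
    """Search free space for keyword; return (image block, offset in block),
    or None when the keyword is absent from unallocated space."""
    hit = dls(image, bitmap).find(keyword)
    if hit < 0:
        return None
    return dcalc(hit, bitmap), hit % BLOCK_SIZE


if __name__ == "__main__":
    where = find_keyword(IMAGE, ALLOC_BITMAP, b"evidence")
    print("hit in block %d at offset %d" % where)  # hit in block 4 at offset 3
    print(dcat(IMAGE, where[0]))
```

Note that a keyword in an allocated block (such as "readme" in block 1) is not found at all, which is exactly why dls output is the wrong place to look for live files and the right place to look for deleted content.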

Revision as of 18:50, 15 May 2006
