Difference between revisions of "The Sleuth Kit"
Older revision: Uwe Hermann (Talk | contribs), minor edit (Sleuthkit moved to The Sleuth Kit: Move to full name.)
Newer revision: minor edit (some corrections)
(One intermediate revision by one user not shown)
Revision as of 03:24, 3 October 2008
| The Sleuth Kit | |
|---|---|
| Maintainer: | Brian Carrier |
| OS: | Linux, FreeBSD, OpenBSD, Mac OS X, SunOS |
| Genre: | Analysis |
| License: | IBM Open Source License, Common Public License, GPL |
| Website: | sleuthkit.org |
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT (12/16/32), Ext2/3, NTFS, UFS (1 & 2), and ISO 9660 file systems.
Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.
Features
The Sleuth Kit is arranged in layers. There is a data layer, which is concerned with how information is stored on a disk, and a metadata layer, which is concerned with information such as inodes and directories. The commands that deal with the data layer are prefixed with the letter d, while the commands that deal with the metadata layer are prefixed with the letter i.
Some of the commands in Sleuth Kit are:
- dcat: Views the contents of a block.
- dls: Lists unallocated blocks, which makes keyword searches more efficient.
- dcalc: Tells you where unallocated blocks are.
- dstat: Details about a given block.
- icat: Views the contents of a file given its inode value or cluster number. Does not list directories; it outputs the contents.
- ils: Lists the file extents on a disk.
- istat: Information about an inode number.
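The data-layer workflow behind dls and dcalc, as an added example (not code from The Sleuth Kit): dls writes only the unallocated blocks to a stream, the keyword search runs over that smaller stream, and dcalc maps each hit back to a block address in the original image. The block size, allocation bitmap and image contents are constructed here for readability.

```python
"""Toy model of the dls -> keyword search -> dcalc workflow.
Blocks, the allocation bitmap and the planted keyword are constructed."""

BLOCK_SIZE = 16  # constructed; real file systems use 512 bytes to 64 KiB

# Constructed allocation bitmap for an 8-block image: True = in use by a file.
ALLOCATED = [True, True, False, True, False, False, True, False]


def build_image():
    """Constructed sample image: every block carries a label, and the keyword
    PASSWORD is planted in allocated block 1 and in unallocated block 4."""
    blocks = [(b"b%03d" % n).ljust(BLOCK_SIZE, b".") for n in range(8)]
    for n in (1, 4):
        blocks[n] = blocks[n][:6] + b"PASSWORD" + blocks[n][14:]
    return b"".join(blocks)


def dls(image, allocated, block_size=BLOCK_SIZE):
    """Like dls: concatenate only the unallocated blocks, in image order."""
    return b"".join(image[n * block_size:(n + 1) * block_size]
                    for n, in_use in enumerate(allocated) if not in_use)


def dcalc(dls_block, allocated):
    """Like dcalc -u: block number in the dls stream -> block in the image."""
    unallocated = [n for n, in_use in enumerate(allocated) if not in_use]
    return unallocated[dls_block]


def keyword_search(stream, keyword, allocated, block_size=BLOCK_SIZE):
    """Search the dls stream and resolve each hit to (image block, offset in
    block, straddles). A hit that straddles two dls blocks may be a false
    positive: adjacent blocks in the stream need not be adjacent in the image."""
    hits, pos = [], stream.find(keyword)
    while pos != -1:
        dls_block, offset = divmod(pos, block_size)
        straddles = offset + len(keyword) > block_size
        hits.append((dcalc(dls_block, allocated), offset, straddles))
        pos = stream.find(keyword, pos + 1)
    return hits


if __name__ == "__main__":
    image = build_image()
    stream = dls(image, ALLOCATED)
    print(f"image {len(image)} bytes, unallocated stream {len(stream)} bytes")
    for block, offset, straddles in keyword_search(stream, b"PASSWORD", ALLOCATED):
        print(f"hit in image block {block} at offset {offset} "
              f"(image offset {block * BLOCK_SIZE + offset}), straddles={straddles}")
```

The copy of the keyword in allocated block 1 is never seen by the search, which is the point of running it over the dls output; the hit in block 4 resolves to image offset 70.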
File Systems Understood
- NTFS
- FAT
- Ext2, Ext3
- UFS (1 & 2)
- ISO 9660
File Search Facilities
- Lists allocated and unallocated files.
- Lists and sorts by file type.
- Shows times of creation and change.
Historical Reconstruction
Searching Abilities
- Searches for keywords.
- Builds an index.
Hash Databases
- Uses MD5 or SHA-1.
- Interfaces with NIST NSRL, Hashkeeper and custom databases.
Evidence Collection Features
- Tracks forensic activity.
History
License Notes
Is it commercial or open source? Are there other licensing options?