The Sleuth Kit

From ForensicsWiki

Revision as of 13:19, 21 March 2006

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is file systems and volume systems, and TSK supports the FAT, Ext2/3, NTFS, UFS1, and UFS2 file systems.

Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.

Sleuth Kit is arranged in layers. There is a data layer, which is concerned with how information is stored on a disk, and a metadata layer, which is concerned with information such as inodes and directories. The commands that deal with the data layer are prefixed with the letter d, while the commands that deal with the metadata layer are prefixed with the letter i.

Some of the commands in Sleuth Kit are:

dcat
Views the contents of a block.
dls
Lists unallocated blocks. Because only unallocated space is output, keyword searches over the result are more efficient than searches over the whole image.
dcalc
Tells you where an unallocated block is.
dstat
Shows details about a given block.
icat
Views the contents of a file given its inode value or cluster number. It does not list directories; it outputs the file's contents.
ils
Lists the file extents on a disk.
istat
Shows information about an inode number.
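The data-layer workflow the list above hints at (dls to extract unallocated space, a keyword search over that output, dcalc to map a hit back to the original image, dstat on the result), as an added example that is not part of the ForensicsWiki page. It assumes a raw image file, the TSK 1.x/2.x command names used on this page on PATH, the `strings` utility, and a block size supplied by the examiner.

```shell
#!/bin/sh
# Added example, not from the ForensicsWiki page: keyword search through
# the TSK data layer using the command names documented on this page.
# Assumes a raw image, dls/dcalc/dstat on PATH, and 'strings' installed.
set -e

# Convert a byte offset inside the dls output into a block number.
# $1 = byte offset reported by 'strings -t d', $2 = block size in bytes
# (block size is an examiner-supplied value; 4096 is a constructed sample).
offset_to_block() {
    echo $(( $1 / $2 ))
}

# Step 1: dls writes only the unallocated blocks to a new file, so the
# keyword search reads far less data than scanning the whole image.
extract_unallocated() {
    dls "$1" > "$2"      # $1 = image, $2 = output file
}

# Step 2: search the dls output; -t d prints each hit's decimal byte offset.
search_keyword() {
    strings -t d "$1" | grep -i -- "$2" || true
}

# Step 3: dcalc -u maps a block number in the dls output back to the block
# number in the original image, so dstat/dcat can be run on the real image.
map_back() {
    dcalc -u "$2" "$1"   # $1 = image, $2 = block number in dls output
}

# Full workflow: image, keyword and block size are given on the command line.
run_workflow() {
    image=$1; keyword=$2; bsize=$3
    extract_unallocated "$image" unalloc.dls
    search_keyword unalloc.dls "$keyword" | while read -r off _; do
        dls_blk=$(offset_to_block "$off" "$bsize")
        orig_blk=$(map_back "$image" "$dls_blk")
        echo "hit at dls block $dls_blk -> image block $orig_blk"
        dstat "$image" "$orig_blk"
    done
}

# Only run the tools when all three arguments are present.
if [ $# -eq 3 ]; then run_workflow "$1" "$2" "$3"; fi
```

In TSK 3.0 and later these tools were renamed (dls is blkls, dcalc is blkcalc, dcat is blkcat, dstat is blkstat), so substitute those names on a current install.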


Features

File Systems Understood

File Search Facilities

Historical Reconstruction

Searching Abilities

Hash Databases

Evidence Collection Features

History

License Notes

Is it commercial or open source? Are there other licensing options?

External Links

[http://www.dibsusa.com/ Website]

External Reviews

External Links

* [http://www.sleuthkit.org The Sleuth Kit] homepage
* [http://www.sleuthkit.org/autopsy/desc.php Autopsy] homepage