Line 1:

− '''The Sleuth Kit''' (TSK) is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems, and TSK supports the [[FAT]], [[Ext2]]/[[Ext3|3]], [[NTFS]], [[UFS1]], and [[UFS2]] [[file system]]s.
−
− [[Autopsy]] is a frontend for TSK which allows browser-based access to the TSK tools.
−
− =Features=
−
− The Sleuth Kit is arranged in layers. There is a ''data layer'', which is concerned with how information is stored on a disk (the data units, or [[block]]s), and a ''metadata layer'', which is concerned with structures such as [[inode]]s and [[directory|directories]]. The commands that deal with the data layer are prefixed with the letter ''d'', while the commands that deal with the metadata layer are prefixed with the letter ''i''.
−
− Some of the commands in Sleuth Kit are:
−
− ; dcat
− : Displays the contents of a [[block]] (data unit).
−
− ; dls
− : Lists data units; by default it outputs the contents of all [[unallocated block]]s as a single image. Running a keyword search over that image instead of the whole disk makes the search more efficient and restricts it to the space where deleted data can reside.
−
− ; dcalc
− : Maps a block address in the dls output back to the address of that block in the original image, so that a keyword hit in unallocated space can be located on the disk.
−
− ; dstat
− : Displays details about a given block, such as its allocation status.
−
− ; icat
− : Outputs the contents of a file given its [[inode]] or equivalent metadata address. It does not list directory entries; it outputs the file's content.
−
− ; ils
− : Lists inode (metadata) entries; by default only the unallocated ones, which is the starting point for recovering deleted files.
−
− ; istat
− : Displays information about an inode number: allocation status, size, timestamps and the blocks it points to.
−
− ==File Systems Understood==
−
− * NTFS
− * FAT
− * EXT2, EXT3
− * UFS1, UFS2
−
− ==File Search Facilities==
−
− * Lists allocated and unallocated files.
− * Lists and sorts by file type.
− * Shows times of creation and change.
−
− ==Historical Reconstruction==
−
− ==Searching Abilities==
−
− * Searches for keywords.
− * Builds an index.
−
− ==Hash Databases==
−
− * Uses [[MD5]] or [[SHA1]].
− * Interfaces with the [[NIST NSRL]], [[Hashkeeper]] and custom databases.
−
− ==Evidence Collection Features==
−
− * Tracks forensic activity.
−
− =History=
−
− ==License Notes==
−
− Is it commercial or open source? Are there other licensing options?
−
− = External Links =
−
− * [http://www.sleuthkit.org Official website]
− * [http://www.sleuthkit.org/autopsy/desc.php Autopsy website]
−
− ==External Reviews==

+ = Software Vendors =
+
+ ; [[X-Ways Software]]
+ : http://www.x-ways.net/
+
+ ; [[Tech Assist, Inc.]]
+ : http://www.toolsthxxxatwork.com/
+
+ = Hardware Vendors =
+
+ ; [[ForensicPC]]
+ : http://www.forensxxxxicpc.com/
+ : Various [[Write Blockers]], [[forensic field kit]]s, forensics software, etc.
+
+ ; [[Wiebetech]]
+ : http://wiebexxxxtech.com/
+ : Various [[Write Blockers]], [[forensic field kit]]s, etc.
+
+ = Training =
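The data-layer workflow that the removed command list describes (dls to extract unallocated space, a keyword search over that smaller image, dcalc to map a hit back to its block on disk, dstat to confirm the block's allocation status) is modelled below in Python as an added example. It is not code from The Sleuth Kit; the toy image, the allocation bitmap and the 16-byte block size are constructed so the address arithmetic can be checked without a disk image. TSK 3.0 later renamed the d-prefixed tools with a blk prefix (blkls, blkcalc, blkstat, blkcat); the addressing logic is the same.

```python
"""Model of The Sleuth Kit's data-layer workflow (dls -> keyword search -> dcalc).

Added example, not TSK source code. A toy disk image of fixed-size blocks with
an allocation bitmap stands in for a real file system; the functions mirror
what dls, dcalc -u and dstat do with block addresses.
"""

BLOCK_SIZE = 16  # bytes per data unit (constructed; real file systems use 512 to 4096+)

# Constructed sample: 8 blocks plus an allocation bitmap (1 = allocated to a file).
BLOCKS = [
    b"alloc A".ljust(BLOCK_SIZE, b"."),          # 0 allocated
    b"alloc B".ljust(BLOCK_SIZE, b"."),          # 1 allocated
    b"deleted: hello".ljust(BLOCK_SIZE, b"."),   # 2 unallocated
    b"alloc C".ljust(BLOCK_SIZE, b"."),          # 3 allocated
    b"old secret note".ljust(BLOCK_SIZE, b"."),  # 4 unallocated
    bytes(BLOCK_SIZE),                           # 5 unallocated, zeroed
    b"alloc D".ljust(BLOCK_SIZE, b"."),          # 6 allocated
    b"secret too".ljust(BLOCK_SIZE, b"."),       # 7 unallocated
]
BITMAP = [1, 1, 0, 1, 0, 0, 1, 0]
IMAGE = b"".join(BLOCKS)


def unallocated_blocks(bitmap):
    """Original-image addresses of every unallocated data unit, in disk order."""
    return [addr for addr, allocated in enumerate(bitmap) if not allocated]


def dls(image, bitmap, block_size=BLOCK_SIZE):
    """Like `dls image`: concatenate the unallocated data units into one image.

    Block k of the result is the k-th unallocated block of the original, so the
    output is smaller than the disk and holds only the space deleted data can
    live in.
    """
    return b"".join(
        image[addr * block_size:(addr + 1) * block_size]
        for addr in unallocated_blocks(bitmap)
    )


def dcalc_u(dls_addr, bitmap):
    """Like `dcalc -u dls_addr`: map a block address in the dls output back to
    that block's address in the original image."""
    unalloc = unallocated_blocks(bitmap)
    if not 0 <= dls_addr < len(unalloc):
        raise ValueError(f"dls address {dls_addr} is beyond the unallocated image")
    return unalloc[dls_addr]


def dstat(addr, bitmap):
    """Like `dstat`: report the allocation status of an original-image block."""
    return {"address": addr, "allocated": bool(bitmap[addr])}


def search_unallocated(image, bitmap, keyword, block_size=BLOCK_SIZE):
    """Keyword search over the dls image, with each hit mapped back to disk.

    A hit that starts near the end of one dls block may continue into the next
    dls block, which is not necessarily adjacent on disk; the mapping refers to
    the block where the hit starts.
    """
    data = dls(image, bitmap, block_size)
    hits = []
    start = 0
    while (pos := data.find(keyword, start)) != -1:
        dls_block = pos // block_size
        orig_block = dcalc_u(dls_block, bitmap)
        hits.append({
            "dls_offset": pos,
            "dls_block": dls_block,
            "orig_block": orig_block,
            "offset_in_block": pos % block_size,
            "status": dstat(orig_block, bitmap),
        })
        start = pos + 1
    return hits


if __name__ == "__main__":
    for hit in search_unallocated(IMAGE, BITMAP, b"secret"):
        print(hit)
    # "alloc" appears only in allocated blocks, so a dls-based search never sees it:
    print(search_unallocated(IMAGE, BITMAP, b"alloc"))
```

The second search shows the trade-off the dls approach makes: content that still belongs to live files is excluded, which is what keeps the search small, so a full-disk search is still needed when allocated files are in scope.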