Security

The Sleuth Kit – analyze disk images and recover files

The Sleuth Kit (TSK) is a library and collection of command line file and volume system forensic analysis tools that allow you to investigate and analyze volume and file system data. With this software, investigators can identify and recover evidence from images acquired during incident response or from live systems. The software is open source, which allows investigators to verify the actions of the tool or customize it to specific needs.

The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

The volume system (media management) tools allow you to examine the layout of disks and other media. TSK supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks. With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.

TSK allows users to analyze a disk or file system image created by ‘dd’, or a similar application that creates a raw image. These tools are low-level and each performs a single task. When used together, they can perform a full analysis.

TSK is based on The Coroner’s Toolkit.

Features include:

  • Analyzes raw (i.e. dd), Expert Witness (i.e. EnCase) and AFF file system and disk images.
  • Supports the NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660 file systems
  • Tools can be run on a live system during Incident Response. These tools will show files that have been “hidden” by rootkits and will not modify the A-Time of files that are viewed.
  • List allocated and deleted ASCII and Unicode file names.
  • Display the details and contents of all NTFS attributes (including all Alternate Data Streams).
  • Display file system and meta-data structure details.
  • Create time lines of file activity, which can be imported into a spread sheet to create graphs and reports.
  • Lookup file hashes in a hash database, such as the NIST NSRL, Hash Keeper, and custom databases that have been created with the ‘md5sum’ tool.
  • Organize files based on their type (for example all executables, jpegs, and documents are separated). Pages of thumbnails can be made of graphic images for quick analysis.
  • ‘md5’ and ‘sha1’ tools to generate hashes of files and other data.
  • hfind creates an index of a hash database and perform quick lookups using a binary search algorithm.
  • ils lists all metadata entries, such as an Inode.
  • blkls displays data blocks within a file system (formerly called dls).
  • fls lists allocated and unallocated file names within a file system.
  • fsstat displays file system statistical information about an image or storage medium.
  • ffind searches for file names that point to a specified metadata entry.
  • mactime creates a timeline of all files based upon their MAC times.
  • disk_stat discovers the existence of a Host Protected Area.

Website: www.sleuthkit.org
Support:
Developer: Brian Carrier
License: IBM Public License, Common Public License, GNU General Public License v2.0

The Sleuth Kit

TSK is written in C, C++, and Java. Learn C with our recommended free books and free tutorials. Learn C++ with our recommended free books and free tutorials. Learn Java with our recommended free books and free tutorials.

Return to Digital Forensics


Popular series
Free and Open Source SoftwareThe largest compilation of the best free and open source software in the universe. Each article is supplied with a legendary ratings chart helping you to make informed decisions.
ReviewsHundreds of in-depth reviews offering our unbiased and expert opinion on software. We offer helpful and impartial information.
The Big List of Active Linux Distros is a large compilation of actively developed Linux distributions.
Alternatives to Proprietary SoftwareReplace proprietary software with open source alternatives: Google, Microsoft, Apple, Adobe, IBM, Autodesk, Oracle, Atlassian, Corel, Cisco, Intuit, and SAS.
GamesAwesome Free Linux Games Tools showcases a series of tools that making gaming on Linux a more pleasurable experience. This is a new series.
Artificial intelligence iconMachine Learning explores practical applications of machine learning and deep learning from a Linux perspective. We've written reviews of more than 40 self-hosted apps. All are free and open source.
Guide to LinuxNew to Linux? Read our Linux for Starters series. We start right at the basics and teach you everything you need to know to get started with Linux.
Alternatives to popular CLI tools showcases essential tools that are modern replacements for core Linux utilities.
System ToolsEssential Linux system tools focuses on small, indispensable utilities, useful for system administrators as well as regular users.
ProductivityLinux utilities to maximise your productivity. Small, indispensable tools, useful for anyone running a Linux machine.
AudioSurveys popular streaming services from a Linux perspective: Amazon Music Unlimited, Myuzi, Spotify, Deezer, Tidal.
Saving Money with LinuxSaving Money with Linux looks at how you can reduce your energy bills running Linux.
Home ComputersHome computers became commonplace in the 1980s. Emulate home computers including the Commodore 64, Amiga, Atari ST, ZX81, Amstrad CPC, and ZX Spectrum.
Now and ThenNow and Then examines how promising open source software fared over the years. It can be a bumpy ride.
Linux at HomeLinux at Home looks at a range of home activities where Linux can play its part, making the most of our time at home, keeping active and engaged.
Linux CandyLinux Candy reveals the lighter side of Linux. Have some fun and escape from the daily drudgery.
DockerGetting Started with Docker helps you master Docker, a set of platform as a service products that delivers software in packages called containers.
Android AppsBest Free Android Apps. We showcase free Android apps that are definitely worth downloading. There's a strict eligibility criteria for inclusion in this series.
Programming BooksThese best free books accelerate your learning of every programming language. Learn a new language today!
Programming TutorialsThese free tutorials offer the perfect tonic to our free programming books series.
Linux Around The WorldLinux Around The World showcases usergroups that are relevant to Linux enthusiasts. Great ways to meet up with fellow enthusiasts.
Stars and StripesStars and Stripes is an occasional series looking at the impact of Linux in the USA.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Please read our Comment FAQ before posting a comment.

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments