The Sleuth Kit
The Sleuth Kit (TSK) is a library and collection of command line file and volume system forensic analysis tools that allow you to investigate and analyze volume and file system data. With this software, investigators can identify and recover evidence from images acquired during incident response or from live systems. The software is open source, which allows investigators to verify the actions of the tool or customize it to specific needs.

The library can be incorporated into larger digital forensics tools, and the command line tools can be used directly to find evidence.
The volume system (media management) tools allow you to
examine the layout of disks and other media. TSK supports
DOS partitions, BSD partitions (disk labels), Mac partitions, Sun
slices (Volume Table of Contents), and GPT disks. With these tools, you
can identify where partitions are located and extract them so that they
can be analyzed with file system analysis tools.
TSK allows users to analyze a disk or file system
image created by 'dd', or a similar application that creates a raw
image. These tools are low-level and each performs a single task. When
used together, they can perform a full analysis.
TSK is based on The Coroner's Toolkit.
Features include:
- Analyzes raw (e.g. dd), Expert Witness (e.g. EnCase) and AFF file system and disk images
- Supports the NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660 file systems
- Tools can be run on a live system during incident response. These tools will show files that have been "hidden" by rootkits and will not modify the A-Time of files that are viewed
- Lists allocated and deleted ASCII and Unicode file names
- Displays the details and contents of all NTFS attributes (including all Alternate Data Streams)
- Displays file system and meta-data structure details
- Creates timelines of file activity, which can be imported into a spreadsheet to create graphs and reports
- Looks up file hashes in a hash database, such as the NIST NSRL, Hash Keeper, and custom databases that have been created with the 'md5sum' tool
- Organizes files based on their type (for example, all executables, JPEGs, and documents are separated). Pages of thumbnails can be made of graphic images for quick analysis
- 'md5' and 'sha1' tools to generate hashes of files and other data
- hfind creates an index of a hash database and performs quick lookups using a binary search algorithm
- ils lists all metadata entries, such as an inode
- blkls displays data blocks within a file system (formerly called dls)
- fls lists allocated and unallocated file names within a file system
- fsstat displays file system statistical information about an image or storage medium
- ffind searches for file names that point to a specified metadata entry
- mactime creates a timeline of all files based upon their MAC times
- disk_stat discovers the existence of a Host Protected Area
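The timeline step above (fls output fed to mactime) is easy to reproduce in a few lines, which is useful when you want to check what mactime does with a body file or post-process one before it reaches a spreadsheet. The following is an added example, not code from The Sleuth Kit; it assumes the TSK 3.x body format written by `fls -m` (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times as Unix epoch seconds with 0 meaning "not set"), and the sample lines are constructed, not real evidence.

```python
"""Build a mactime-style timeline from `fls -m` ("body") output.

Added example, not part of The Sleuth Kit. Assumes the TSK 3.x body format:
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds).
"""
from datetime import datetime, timezone

# Constructed sample body lines (hypothetical data, not real evidence).
SAMPLE_BODY = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|1024|1325376000|1325376000|1325376000|0
0|/home/alice/notes.txt|5678|r/rrw-------|1000|1000|512|1325462400|1325380000|1325380000|0
0|/home/alice/deleted.doc (deleted)|9012|r/rrw-------|1000|1000|2048|1325390000|1325390000|1325390000|0
"""

def parse_body_line(line):
    """Split one body line into a dict; reject lines with the wrong field count."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError("expected 11 fields, got %d: %r" % (len(fields), line))
    md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
    return {
        "name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid,
        "size": int(size),
        # m = modified, a = accessed, c = metadata changed, b = born (created)
        "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
    }

def build_timeline(body_text):
    """Return (epoch, macb_flags, entry) rows sorted by time. Timestamps that a
    file shares (e.g. m == a == c) collapse into one row, as mactime does."""
    rows = []
    for line in body_text.splitlines():
        if not line.strip():
            continue
        entry = parse_body_line(line)
        by_time = {}
        for flag, t in entry["times"].items():
            if t:  # 0 means this timestamp is not set in the file system
                by_time.setdefault(t, set()).add(flag)
        for t, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((t, macb, entry))
    rows.sort(key=lambda r: (r[0], r[2]["name"]))
    return rows

def format_row(t, macb, entry):
    """Render one row in a mactime-like CSV layout (UTC)."""
    ts = datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return "%s,%d,%s,%s,%s,%s,%s,%s" % (ts, entry["size"], macb, entry["mode"],
                                         entry["uid"], entry["gid"], entry["inode"], entry["name"])

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_BODY):
        print(format_row(*row))
```

Deleted entries keep the "(deleted)" suffix that fls appends, so they sort into the timeline alongside allocated files.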

Last Updated Sunday, February 05 2012 @ 12:36 PM EST