The Sleuth Kit (TSK) is an open-source library and collection of utilities for Unix-like operating systems and Windows that is used for extracting and parsing data from disk drives and other computer data storage devices so as to facilitate the forensic analysis of computer systems. It forms the foundation for Autopsy, a better known tool that is essentially a graphical user interface to the command line utilities bundled with The Sleuth Kit.
The software is under active development and it is supported by a team of developers. The initial development was done by Brian Carrier, who based it on The Coroner's Toolkit. It is the official successor platform.
The Sleuth Kit is capable of parsing NTFS, FAT, ExFAT, UFS versions 1 and 2, Ext2, Ext3, Ext4, HFS, ISO 9660 and YAFFS2 file systems either on disk or within whole disk or disk partition images stored in raw form (as can be obtained with dd), or in Expert Witness or AFF formats. The Sleuth Kit can be used to examine the contents of most computers that run Microsoft Windows, macOS, or Linux and some other computers which run derivatives of Unix such as the BSDs or Solaris.
The Sleuth Kit can be used via the included command line tools, or as a library embedded within a separate digital forensic tool such as Autopsy or log2timeline/plaso.
Tools
Tools included in The Sleuth Kit include:
* ils lists file system metadata entries, such as inodes.
* blkls displays data blocks within a file system (formerly called dls).
* fls lists file names (including names corresponding to hidden or deleted files that have not yet been overwritten) within a file system.
* fsstat displays statistical information about a file system.
* ffind searches for file names that point to a specified metadata entry.
* mactime creates a timeline of all files based upon their MAC times.
* disk_stat (currently Linux-only) discovers the existence of a Host Protected Area.
Applications
The Sleuth Kit can be used:
* for forensics, its main purpose
* for understanding what data is stored on a disk drive, even if the operating system has removed all metadata
* for recovering deleted image files
* for summarizing all deleted files
* for searching for files by name or included keyword
* by future historians dealing with computer storage devices
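As an added example (not code from The Sleuth Kit project), the following Python script reimplements the core of what mactime does with the body file that `fls -m / -r image.dd` writes, and it also pulls out the entries that fls marks as deleted, so it covers both the timeline tool listed under Tools and the "summarizing all deleted files" use listed above. The body lines embedded in the script are constructed for illustration; the 11-field, pipe-separated body format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) is the TSK version 3 body format that fls -m emits, and the "(deleted)" / "(deleted-realloc)" name suffixes are how fls labels unallocated entries.

```python
"""
Build a mactime-style timeline from a TSK body file (fls -m output).

Added example, not part of The Sleuth Kit. The body lines in SAMPLE_BODY
are constructed, not taken from a real disk image.
"""
from collections import namedtuple
from datetime import datetime, timezone

# TSK version 3 body format, one entry per line, pipe separated:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")

BodyEntry = namedtuple("BodyEntry", BODY_FIELDS + ("deleted",))

# Constructed sample body lines; timestamps are epoch seconds, 0 = unset.
# The inode column uses NTFS-style addresses (MFT entry-attribute type-id).
SAMPLE_BODY = """\
0|/Documents/report.docx|37-128-3|r/rrwxrwxrwx|0|0|20480|1700000000|1699990000|1699990000|1699980000
0|/Documents/old_notes.txt (deleted)|41-128-1|r/rrwxrwxrwx|0|0|512|1699995000|1699995000|1699995000|1699995000
0|/Windows/System32/drivers/etc/hosts|52-128-2|r/rrwxrwxrwx|0|0|824|1699999000|1699970000|1699970000|1699960000
0|/$OrphanFiles/tmp.bin (deleted-realloc)|60-128-1|r/rrwxrwxrwx|0|0|0|0|0|0|0
"""


def parse_body_line(line):
    """Parse one body-format line into a BodyEntry; None for blank/comment lines."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(BODY_FIELDS), len(parts), line))
    fields = dict(zip(BODY_FIELDS, parts))
    # fls appends "(deleted)" or "(deleted-realloc)" to unallocated names
    deleted = fields["name"].rstrip().endswith(("(deleted)", "(deleted-realloc)"))
    for key in ("uid", "gid", "size", "atime", "mtime", "ctime", "crtime"):
        fields[key] = int(fields[key])
    return BodyEntry(deleted=deleted, **fields)


def parse_body(text):
    """Parse a whole body file into a list of BodyEntry records."""
    entries = []
    for line in text.splitlines():
        entry = parse_body_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def macb_flags(entry, ts):
    """The 4-character MACB column mactime prints: which of the entry's
    modified/accessed/changed/birth times equal ts ('.' where they do not)."""
    return "".join(flag if getattr(entry, attr) == ts else "."
                   for flag, attr in (("m", "mtime"), ("a", "atime"),
                                      ("c", "ctime"), ("b", "crtime")))


def build_timeline(entries):
    """Rows (timestamp, macb, size, inode, name, deleted) sorted by time.
    As in mactime, an entry yields one row per distinct timestamp, so a file
    whose m and c times coincide gets a single 'm.c.' row. Unset (0) times
    are skipped rather than shown as 1970."""
    rows = []
    for e in entries:
        for ts in sorted({e.mtime, e.atime, e.ctime, e.crtime}):
            if ts == 0:
                continue
            rows.append((ts, macb_flags(e, ts), e.size, e.inode, e.name, e.deleted))
    rows.sort(key=lambda r: (r[0], r[4]))
    return rows


def summarize_deleted(entries):
    """(name, size) for every entry fls reported as deleted."""
    return [(e.name, e.size) for e in entries if e.deleted]


def format_row(row):
    """Render one timeline row in a mactime-like text layout (UTC)."""
    ts, macb, size, inode, name, _deleted = row
    when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return "%s %8d %s %-10s %s" % (when, size, macb, inode, name)


if __name__ == "__main__":
    body_entries = parse_body(SAMPLE_BODY)
    for timeline_row in build_timeline(body_entries):
        print(format_row(timeline_row))
    print("\nDeleted entries:")
    for deleted_name, deleted_size in summarize_deleted(body_entries):
        print("  %s (%d bytes)" % (deleted_name, deleted_size))
```

To use it against a real image, replace SAMPLE_BODY with the contents of a body file written by `fls -m / -r image.dd > body.txt`; the script deliberately drops zero timestamps, which on many images are unset fields rather than activity in 1970, and keeps the deleted flag on every row so that a timeline review can tell allocated from unallocated entries at a glance.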
See also
* Autopsy (software) — A graphical user interface to The Sleuth Kit.
* CAINE Linux — Includes The Sleuth Kit.