The Sleuth Kit
 | |
| Original author(s) | Brian Carrier |
|---|---|
| Stable release | 4.0.1 / November 13, 2012 |
| Written in | C, Perl |
| Operating system | Unix-like, Windows |
| Type | Computer forensics |
| License | IPL, CPL, GPL |
| Website | http://www.sleuthkit.org/ |
The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based tools and utilities to allow for the forensic analysis of computer systems. It was written and maintained by digital investigator Brian Carrier. TSK can be used to perform investigations and data extraction from images of Windows, Linux and Unix computers. The Sleuth Kit is normally used in conjunction with its custom front-end application, Autopsy, to provide a user friendly interface. Several other tools also use TSK for file extraction.
The Sleuth Kit is a free, open source suite that provides a large number of specialized command-line based utilities.
It is based on The Coroner's Toolkit, and is the official successor platform.[1]
Tools
Some of the tools included in The Sleuth Kit include:
- ils lists all metadata entries, such as an Inode.
- blkls displays data blocks within a file system (formerly called dls).
- fls lists allocated and unallocated file names within a file system.
- fsstat displays file system statistical information about an image or storage medium.
- ffind searches for file names that point to a specified metadata entry.
- mactime creates a timeline of all files based upon their MAC times.
- disk_stat (currently Linux-only) discovers the existence of a Host Protected Area.
See also
- Selective file dumper
- The Coroner's Toolkit
- Autopsy (software)—A graphical user interface wrapped around The Sleuth Kit.