The Sleuth Kit
| The Sleuth Kit
|
|
|---|---|
 Output of a small image analysis with Sleuthkit |
|
| Basic data
|
|
| Maintainer | Brian Carrier |
| developer | Brian Carrier |
| Current version | 4.7.0 (October 14, 2019) |
| operating system | Linux , Unix , Mac OS X , Windows |
| programming language | C , pearl |
| category | Forensic software |
| License | License terms |
| German speaking | No |
| sleuthkit.org | |
The Sleuth Kit is a forensic software collection for the command line of information technology systems . With the help of this it is possible to obtain a wide variety of information about a computer system or a memory image (e.g. in the course of a manual forensic analysis ). A manual analysis or partial analysis of data usually provides precise information about the use of the systems and the information they contain.
It is possible to automate individual examination steps together in scripts. This enables targeted and accelerated use for the examination. This functionality is also used in the graphical user interface, the so-called Autopsy Forensic Browser .
Sleuth Kit supports the following file systems : NTFS , FAT , UFS 1 , UFS 2 , Ext2 , Ext3 , Ext4 , HFS , YAFFS2 and ISO 9660 .
The individual tools
The Sleuth Kit collection contains a large number of thematically different individual programs.
File system level
- fsstat shows details about the file system being scanned . This includes size information, layout and descriptions.
Filename level
- ffind examines the file structures and finds allocated and unallocated file names that refer to metadata structures.
- fls lists allocated and deleted files within a given directory.
Metadata level
- icat enables data units from a file to be extracted using their metadata addresses .
- ifind finds the corresponding metadata for a given file name or the metadata that refer to a specific data unit.
- ils lists the metadata structures and their content.
- istat lists statistics and details on a given metadata structure.
Data unit level
- blkcat extracts the content of a specific data unit.
- blkls can list details of data units and extract the unallocated space of a file system.
- blkstat displays statistics for a given data unit.
- blkcalc calculates the location where data can be found on the original data carrier that was found on the image in the unallocated storage area.
File system journal level
- jcat displays the contents of a given journal block.
- jls lists the entries in the file system journal .
- mmls shows the layout of a file system. It also lists unallocated memory areas and provides information about the types, positions and sizes of the partitions.
Memory dump
- img_stat shows details about the file system image.
- img_cat shows the raw data of the file system image.
Others
- mactime creates a timeline from the output of ils and fls .
- sorter sorts files based on their file types and checks their file extensions and performs hash database comparisons.
- sigfind searches for binary values in a file structure.
credentials
- ↑ Version history of the software
- ↑ The sleuthkit Open Source Project on Open Hub: Languages Page . In: Open Hub . (accessed on September 3, 2018).
- ↑ www.sleuthkit.org . In: Open Hub . (accessed November 7, 2018).
- ↑ Functionality / feature list
Web links
- Official project website (English)