The Sleuth Kit tools

The Sleuth Kit (TSK) is a collection of command line tools for digital forensics, used for Linux forensic investigation and file system forensics. The tools below are described in the order the project documents them.

In some operating systems there are separate structures for the metadata and human interface layers, while others combine them. All tools in the human interface layer begin with the letter 'f'. The 'fls' program lists file and directory names, including the names of deleted files. The 'ffind' program identifies the name of the file that has allocated a given metadata structure; with some file systems it will identify deleted files as well.

Time lines are useful to quickly get a picture of file activity. The 'mactime' program, adapted from TCT (The Coroner's Toolkit), takes as input the 'body' file generated by fls and ils. To get data on allocated and unallocated file names, use 'fls -rm dir', and for unallocated inodes use 'ils -m'. Note that the behavior of these tools differs from that of their TCT counterparts.
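The body-file and timeline step described above, as an added Python example that is not part of The Sleuth Kit and does not call its tools: it parses constructed body-file lines in the layout written by 'fls -m' and 'ils -m' and expands them into a mactime-style timeline with the m/a/c/b type column. The sample lines, the image name in the ils-style entry and the function names are assumptions made for illustration; the real commands that produce and consume a body file are quoted in the module docstring.

```python
"""Added example (not TSK code): expand a body file into a mactime-style timeline.

Producing the body file with the real tools:
    fls -r -m / image.dd  > body.txt    # allocated and deleted file names
    ils -m image.dd      >> body.txt    # unallocated inodes
    mactime -b body.txt -z UTC          # the step this script re-implements
"""
import bisect
import datetime as dt

# Columns of the body file written by 'fls -m' / 'ils -m' (TSK 3.x and later).
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

# Constructed sample body file. Line 3 shows how fls marks a deleted name;
# line 4 is an ils-style entry for the same, now unallocated, inode (the
# "<image-dead-N>" naming and its mode string are assumptions, not real output).
SAMPLE_BODY = """\
0|/etc/passwd|1310|r/rrw-r--r--|0|0|1842|1700000300|1700000000|1700000000|1699990000
0|/home/alice/.bash_history|5231|r/rrw-------|1000|1000|412|1700000600|1700000600|1700000600|1690000000
0|/tmp/.x (deleted)|8842|r/rrwxr-xr-x|1000|1000|73728|1700000500|1700000500|1700000650|1700000500
0|<image.dd-dead-8842>|8842|-/rrwxr-xr-x|1000|1000|73728|1700000500|1700000500|1700000650|1700000500
"""


def parse_body(text):
    """Parse body-file lines into dicts; reject lines with the wrong field count."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def macb_flags(entry, t):
    """mactime's 4-character type column: m/a/c/b set where that timestamp equals t."""
    return "".join(ch if entry[key] == t else "."
                   for ch, key in (("m", "mtime"), ("a", "atime"),
                                   ("c", "ctime"), ("b", "crtime")))


def build_timeline(entries):
    """One row per distinct timestamp of each entry, sorted by time then name.
    A timestamp of 0 is treated as 'not set' here and produces no row."""
    rows = []
    for entry in entries:
        for t in {entry["atime"], entry["mtime"], entry["ctime"], entry["crtime"]} - {0}:
            rows.append((t, macb_flags(entry, t), entry))
    rows.sort(key=lambda row: (row[0], row[2]["name"]))
    return rows


def events_between(rows, start, end):
    """Rows with start <= t < end, found by bisecting the sorted timestamps."""
    times = [row[0] for row in rows]
    return rows[bisect.bisect_left(times, start):bisect.bisect_left(times, end)]


def format_row(t, flags, entry):
    """Text layout similar to mactime's default output, rendered in UTC."""
    when = dt.datetime.fromtimestamp(t, dt.timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return (f"{when} {entry['size']:>8} {flags} {entry['mode']} "
            f"{entry['uid']} {entry['gid']} {entry['inode']} {entry['name']}")


def timeline_text(body_text):
    return "\n".join(format_row(*row) for row in build_timeline(parse_body(body_text)))


if __name__ == "__main__":
    print(timeline_text(SAMPLE_BODY))
```

The deleted binary appears twice, once from the name layer (fls marks it '(deleted)') and once from the metadata layer (ils), which is why both tools feed the same body file and why an analyst correlates the two by inode. The real mactime takes its timezone from -z; this example renders everything in UTC.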

Hash databases are used to quickly identify whether a file is known: the MD5 or SHA-1 hash of the file is taken and looked up in a database of hashes that have been seen before. Because the lookup is by content, identification works even if the file has been renamed. The Sleuth Kit includes the 'md5' and 'sha1' tools to generate hashes of files and other data, and the 'hfind' tool, which creates an index of a hash database and performs quick lookups with a binary search.
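An added example of the index-and-binary-search lookup that hfind performs, written in Python for this page (not TSK's own code) against a constructed md5sum-format database. The file paths and contents are constructed; the index layout (digest plus offset of its line) follows hfind's approach in spirit but is an assumption about its exact format.

```python
"""Added example (not TSK code): an hfind-style index over a hash database."""
import bisect
import hashlib


def hash_bytes(data, algo="md5"):
    """Hex digest of in-memory data, as the TSK 'md5' and 'sha1' tools print for a file."""
    return hashlib.new(algo, data).hexdigest()


# Constructed contents of "known" files. The database text is generated from
# them in md5sum output format ("<digest>  <path>") so no digest is hand-typed.
# Two paths deliberately share content to show a multi-name lookup.
KNOWN_FILES = {
    "/usr/bin/backup_agent": b"\x7fELF\x02\x01\x01" + b"\x00" * 64 + b"backup agent v1",
    "/usr/share/doc/README": b"Read me first.\n",
    "/usr/lib/libhelper.so": b"\x7fELF\x02\x01\x01" + b"\x00" * 64 + b"helper lib",
    "/opt/backup/agent": b"\x7fELF\x02\x01\x01" + b"\x00" * 64 + b"backup agent v1",
}


def make_db(files, algo="md5"):
    """Render an md5sum/sha1sum-style database from path -> content."""
    return "".join(f"{hash_bytes(data, algo)}  {path}\n" for path, data in files.items())


def build_index(db_text, algo="md5"):
    """What 'hfind -i md5sum db' does in spirit: record (digest, offset of its
    line) for each entry and sort by digest so lookups can binary search.
    Digests of the wrong length for the algorithm are rejected."""
    want = hashlib.new(algo).digest_size * 2
    index, offset = [], 0
    for line in db_text.splitlines(keepends=True):
        body = line.strip()
        if body and not body.startswith("#"):
            digest = body.split()[0].lower()
            if len(digest) != want or set(digest) - set("0123456789abcdef"):
                raise ValueError(f"not a {algo} digest at offset {offset}: {digest!r}")
            index.append((digest, offset))
        offset += len(line)
    index.sort()
    return index


def lookup(db_text, index, digest):
    """Binary search the index and return every path recorded for the digest;
    an empty list corresponds to hfind's 'Hash Not Found'."""
    digest = digest.lower()
    i = bisect.bisect_left(index, (digest, -1))
    paths = []
    while i < len(index) and index[i][0] == digest:
        line = db_text[index[i][1]:].split("\n", 1)[0]
        parts = line.split(None, 1)
        paths.append(parts[1] if len(parts) > 1 else "")
        i += 1
    return paths


def is_known(db_text, index, data, algo="md5"):
    """True if the content hashes to an entry, whatever its current name."""
    return bool(lookup(db_text, index, hash_bytes(data, algo)))


if __name__ == "__main__":
    db = make_db(KNOWN_FILES)
    idx = build_index(db)
    # The same bytes under a new name (say, copied to /tmp/.cache) still match.
    print(lookup(db, idx, hash_bytes(KNOWN_FILES["/usr/bin/backup_agent"])))
    print(lookup(db, idx, hash_bytes(b"content never seen before")))
```

A known-good match only excludes a file if the database's hash is trustworthy: MD5 collisions are practical today, so when a database offers a stronger hash (NSRL publishes SHA-1 alongside MD5) prefer it, and treat an MD5-only "known good" hit as a triage aid rather than proof.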

Different types of files typically have different internal structures. This structure is used to identify the type of a file or other data regardless of its name and extension, and it can even be applied to a single data unit to help identify what file used that unit for storage. Note that the 'file' command typically relies on the first bytes of a file, so it may not be able to identify a type from the middle blocks or clusters of a file.

The 'sorter' program in The Sleuth Kit uses other Sleuth Kit tools to sort the files in a file system image into categories. The categories are based on rule sets in configuration files. 'sorter' will also use hash databases to flag known bad files and to ignore known good files.
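An added Python example covering both paragraphs above (the first-bytes limitation of 'file'-style typing, and sorter's category and hash-set handling); it is not code from The Sleuth Kit. The signature table, the rule set, the sample file contents and the known-good/known-bad sets are all constructed, and the rule format only follows the spirit of sorter's configuration files, not their syntax.

```python
"""Added example (not TSK code): 'file'-style typing per data unit, plus a
miniature sorter with category rules, extension checks and hash sets."""
import hashlib
import re
from collections import defaultdict

# Leading-byte signatures, a small constructed subset of what 'file' knows.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"%PDF-", "PDF document"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "Zip archive data"),
    (b"MZ", "PE32 executable"),
]
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def identify(data):
    """Type a buffer from its first bytes: a magic number is only present in
    the first data unit, while plain text is recognizable in any unit."""
    for magic, desc in SIGNATURES:
        if data[:len(magic)] == magic:
            return desc
    if data and all(b in PRINTABLE for b in data):
        return "ASCII text"
    return "data"


def classify_data_units(data, unit_size=512):
    """Type each block/cluster separately, as when examining unallocated units."""
    return [identify(data[i:i + unit_size]) for i in range(0, len(data), unit_size)]


# Constructed rule set in the spirit of sorter's configuration files: a
# category rule maps a regex over the type description to a category; an
# extension rule lists the extensions expected for that description.
CATEGORY_RULES = [
    (re.compile(r"image data"), "images"),
    (re.compile(r"executable"), "exec"),
    (re.compile(r"archive"), "archive"),
    (re.compile(r"document|text"), "documents"),
]
EXT_RULES = [
    (re.compile(r"PNG image"), {"png"}),
    (re.compile(r"JPEG image"), {"jpg", "jpeg"}),
    (re.compile(r"PDF document"), {"pdf"}),
    (re.compile(r"Zip archive"), {"zip", "jar", "docx", "xlsx"}),
    (re.compile(r"PE32 executable"), {"exe", "dll", "sys"}),
    (re.compile(r"ELF executable"), {"", "so"}),
]


def categorize(desc):
    return next((cat for rx, cat in CATEGORY_RULES if rx.search(desc)), "unknown")


def extension_mismatch(name, desc):
    """True when the detected type has an expected extension list and the
    file's extension is not on it (dotfiles count as having no extension)."""
    base = name.rsplit("/", 1)[-1]
    ext = base[1:].rsplit(".", 1)[1].lower() if "." in base[1:] else ""
    for rx, exts in EXT_RULES:
        if rx.search(desc):
            return ext not in exts
    return False


def sort_files(files, known_good, known_bad):
    """files: path -> content. Skip known-good hashes (sorter's exclude set),
    flag known-bad ones (its alert set), bucket everything else by category."""
    out = defaultdict(list)
    for name, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in known_good:
            out["skipped"].append(name)
            continue
        desc = identify(data)
        if digest in known_bad:
            out["alert"].append(name)
        out[categorize(desc)].append(name)
        if extension_mismatch(name, desc):
            out["mismatch"].append(name)
    return dict(out)


# Constructed sample image contents.
LS_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 60 + b"coreutils ls"
EVIL_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 60 + b"dropper"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 1100         # spans 3 data units
TEXT_SAMPLE = b"root:x:0:0:root:/root:/bin/bash\n" * 40    # also spans 3 units
SAMPLE_FILES = {
    "/home/u/photo.png": PNG_SAMPLE,
    "/home/u/report.pdf": b"%PDF-1.7\n%constructed\n",
    "/home/u/notes.txt": b"meeting at 10\n",
    "/home/u/invoice.pdf": b"MZ\x90\x00" + b"\x00" * 40,  # PE renamed to look like a PDF
    "/usr/bin/ls": LS_ELF,
    "/tmp/.x": EVIL_ELF,
}
KNOWN_GOOD = {hashlib.md5(LS_ELF).hexdigest()}
KNOWN_BAD = {hashlib.md5(EVIL_ELF).hexdigest()}
```

classify_data_units(PNG_SAMPLE) types only the first 512-byte unit as PNG and the rest as plain data, whereas every unit of TEXT_SAMPLE is typed as text. In sort_files(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD) the PE binary saved as invoice.pdf lands in 'exec' with a mismatch flag, the known-good ls is skipped, and the known-bad /tmp/.x is reported under 'alert' as well as categorized.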

There are a variety of licenses used in TSK, depending on where each component was first developed. The licenses are located in the licenses directory. The wiki contains documents that describe the provided tools in more detail. The Sleuth Kit Informer is a newsletter that contains new documentation and articles. Mailing lists exist on SourceForge: one for users and a low-volume announcements list.

The tools are organized by the layers of a file system:
File System Layer: A disk contains one or more partitions or slices, each of which holds a file system. Tools at this layer report the general layout and structures of a file system and begin with 'fs' (for example, fsstat).
Content Layer (block): The content layer of a file system contains the actual file content, or data, stored in fixed-size units (blocks or clusters). Tools at this layer begin with 'blk' (for example, blkcat and blkls).
Metadata Layer (inode): The metadata layer describes a file or directory: its timestamps, size, ownership and the content units allocated to it. Tools at this layer begin with 'i' (for example, istat, ils and icat).
Human Interface Layer (file): The human interface layer allows one to interact with files by name, in a manner that is more convenient than working directly with the metadata layer. Tools at this layer begin with 'f' (fls and ffind).
