The Sleuth Kit

The Sleuth Kit is a collection of command-line forensic tools. With it, a wide range of information can be obtained from a computer system or a disk image (e.g. as part of a manual forensic analysis). A manual analysis, or a partial analysis of the data, usually yields accurate information about how the system was used and what information it holds.

Individual examination steps can be combined and automated in scripts, which makes targeted and faster investigations possible. The graphical user interface, the Autopsy Forensic Browser, also builds on this functionality.

The Sleuth Kit supports the following file systems: NTFS, FAT, UFS 1, UFS 2, Ext2, Ext3, HFS and ISO 9660.

The individual tools

The Sleuth Kit collection contains a number of individual programs, grouped by the layer of the file system they operate on.

File system level

  • Fsstat shows details of the examined file system, including sizes, layout and names.

Filename level

  • Ffind searches the directory structures and finds the allocated and unallocated file names that refer to a given metadata structure.
  • Fls lists the allocated and deleted files within a given directory.

Metadata layer

  • Icat extracts the data units of a file based on the address of its metadata structure.
  • Ifind finds the metadata structure that belongs to a given file name, or the metadata structure that refers to a given data unit.
  • Ils lists the metadata structures and their contents.
  • Istat lists statistics and details about a given metadata structure.

Data unit level

  • Blkcat extracts the contents of a particular data unit.
  • Blkls can list details of data units and extract the unallocated space of a file system.
  • Blkstat shows statistics for a given data unit.
  • Blkcalc calculates where a data unit that was found in the extracted unallocated space is located in the original image.

File system journaling level

  • Jcat displays the contents of a given journal block.
  • Jls lists the entries in the file system journal.
  • Mmls shows the partition layout of a disk image. It also lists unallocated areas and provides information about the types, locations and sizes of the partitions.

Image

  • Img_stat displays details about the image file.
  • Img_cat outputs the raw data of the image file.

Others

  • Mactime creates a timeline from the output of ils and fls.
  • Sorter sorts files by their file type, checks whether the file extension matches, and performs hash database comparisons.
  • Sigfind searches for binary values (signatures) in a file structure.
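The timeline step the article attributes to Mactime, and the kind of scripted automation described in the introduction, can be followed without a disk image. The following is an added example, not code from The Sleuth Kit: it re-implements the core of mactime in Python over constructed body-file lines in the format that `fls -m` and `ils -m` produce (the TSK 3 body format, assumed here as MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime with epoch-second timestamps), collapsing equal timestamps into one row with m/a/c/b flags the way mactime does.

```python
"""Minimal re-implementation of the mactime timeline step.

Added example, not part of The Sleuth Kit. Input is body-file text as
produced by `fls -m` / `ils -m` (TSK 3 body format, assumed here):
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
Output rows carry an "macb" flag string marking which of the modified,
accessed, changed and born times the row represents.
"""
from datetime import datetime, timezone

# Constructed sample body-file lines (not real case data): two allocated
# files and one deleted entry, marked as fls marks deleted names.
SAMPLE_BODY = """\
0|/etc/passwd|131073|r/rrw-r--r--|0|0|1842|1700000300|1699999000|1699999000|1699998000
0|/home/alice/notes.txt|262145|r/rrw-------|1000|1000|512|1700000500|1700000400|1700000400|1700000100
0|/tmp/setup.sh (deleted)|393217|r/rrwxr-xr-x|1000|1000|2048|1700000600|1700000450|1700000450|1700000450
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
TIME_FLAGS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_body(text):
    """Parse body-file text into dicts; blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue  # wrong field count: ignore rather than guess
        rec = dict(zip(FIELDS, parts))
        for key, _flag in TIME_FLAGS:
            rec[key] = int(rec[key])
        entries.append(rec)
    return entries


def build_timeline(entries):
    """Return rows sorted by time: (epoch, macb, size, mode, uid, gid, inode, name).

    Timestamps of one entry that are equal are collapsed into a single row
    with several flags set, e.g. 'm.c.' when mtime == ctime.
    """
    rows = []
    for rec in entries:
        by_time = {}
        for key, flag in TIME_FLAGS:
            ts = rec[key]
            if ts == 0:
                continue  # zero means "no timestamp" in the body format
            by_time.setdefault(ts, set()).add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((ts, macb, rec["size"], rec["mode"], rec["uid"],
                         rec["gid"], rec["inode"], rec["name"]))
    rows.sort(key=lambda r: (r[0], r[7]))
    return rows


def format_timeline(rows):
    """Render rows as CSV in the column order of `mactime -d`:
    Date,Size,Type,Mode,UID,GID,Meta,File Name (dates in UTC)."""
    lines = []
    for ts, macb, size, mode, uid, gid, inode, name in rows:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when},{size},{macb},{mode},{uid},{gid},{inode},{name}")
    return lines


if __name__ == "__main__":
    for line in format_timeline(build_timeline(parse_body(SAMPLE_BODY))):
        print(line)
```

In a real case the body file would come from `fls -r -m / image.dd` (and `ils -m` for orphaned metadata), and the time zone used for display matters: the block renders UTC explicitly so that rows from different sources line up.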
