The Sleuth Kit

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "The Sleuth Kit" – news · newspapers · books · scholar · JSTOR (August 2016) (Learn how and when to remove this message)

The Sleuth Kit (TSK) is an open-source library and collection of utilities for Unix-like operating systems and Windows that is used for extracting and parsing data from disk drives and other computer data storage devices so as to facilitate the forensic analysis of computer systems. It forms the foundation for Autopsy, a better known tool that is essentially a graphical user interface to the command line utilities bundled with The Sleuth Kit.^[1][2]

The software is under active development and it is supported by a team of developers. The initial development was done by Brian Carrier^[3] who based it on The Coroner's Toolkit. It is the official successor platform.^[4]

The Sleuth Kit is capable of parsing NTFS, FAT, ExFAT, UFS versions 1 and 2, Ext2, Ext3, Ext4, HFS, ISO 9660 and YAFFS2 file systems either on disk or within whole disk or disk partition images stored in raw form (as can be obtained with dd), or Expert Witness or AFF formats.^[5] The Sleuth Kit can be used to examine the contents of most computers that run Microsoft Windows, macOS, or Linux and some other computers which run derivatives of Unix such as the BSDs or Solaris.

The Sleuth Kit can be used via the included command line tools, or as a library embedded within a separate digital forensic tool such as Autopsy or log2timeline/plaso.

Some of the tools included in The Sleuth Kit include:^[6]

• ils lists filesystem metadata entries, such as Inodes.
• blkls displays data blocks within a file system (formerly called dls).
• fls lists file names (including names corresponding to hidden or deleted files that have not yet been overwritten) within a file system.
• fsstat displays statistical information about a file system.
• ffind searches for file names that point to a specified metadata entry.
• mactime creates a timeline of all files based upon their MAC times.
• disk_stat (currently Linux-only) discovers the existence of a Host Protected Area.

The Sleuth Kit can be used

• for use in forensics, its main purpose
• for understanding what data is stored on a disk drive, even if the operating system has removed all metadata.
• for recovering deleted image files ^[7]
• summarizing all deleted files^[8]
• search for files by name or included keyword ^[9]
• for use by future historians dealing with computer storage devices

Lua error in mw.title.lua at line 392: bad argument #2 to 'title.new' (unrecognized namespace name 'Portal').

• Autopsy (software) — A graphical user interface to The Sleuth Kit.
• CAINE Linux − Includes The Sleuth Kit

• Lua error in Module:Official_website at line 94: attempt to index field 'wikibase' (a nil value).