The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
sleuthkit/sleuthkit
The Sleuth Kit is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. The Sleuth Kit enables investigators to identify and recover evidence from images acquired during incident response or from live systems. The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs.
The Sleuth Kit uses code from the file system analysis tools of The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The TCT code was modified for platform independence. In addition, support was added for the NTFS (see wiki/ntfs) and FAT (see wiki/fat) file systems. Previously, The Sleuth Kit was called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent of any commercial or academic organizations.
It is recommended that these command line tools be used with the Autopsy Forensic Browser. Autopsy (http://www.sleuthkit.org/autopsy) is a graphical interface to the tools of The Sleuth Kit; it automates many of the procedures and provides features such as image searching and MD5 image integrity checks.
As with any investigation tool, any results found with The Sleuth Kit should be recreated with a second tool to verify the data.
The Sleuth Kit allows one to analyze a disk or file system image created by 'dd', or a similar application that creates a raw image. These tools are low-level and each performs a single task. When used together, they can perform a full analysis. For a more detailed description of these tools, refer to wiki/filesystem. The tools are briefly described below in a file system layered approach. Each tool name begins with a letter that is assigned to the layer.
A disk contains one or more partitions (or slices). Each of these partitions contains a file system. Examples of file systems include the Berkeley Fast File System (FFS), Extended 2 File System (EXT2FS), File Allocation Table (FAT), and New Technologies File System (NTFS).
The fsstat tool displays file system details in an ASCII format. Examples of data in this display include volume name, last mounting time, and the details about each "group" in UNIX file systems.
The content layer of a file system contains the actual file content, or data. Data is stored in large chunks, with names such as blocks, fragments, and clusters. All tools in this layer begin with the letters 'blk'.
The blkcat tool can be used to display the contents of a specific unit of the file system (similar to what 'dd' can do with a few arguments). The unit size is file system dependent. The 'blkls' tool displays the contents of all unallocated units of a file system, resulting in a stream of bytes of deleted content. The output can be searched for deleted file content. The 'blkcalc' program allows one to identify the unit location in the original image of a unit in the 'blkls' generated image.
A new feature of The Sleuth Kit from TCT is the '-l' argument to 'blkls' (or 'unrm' in TCT). This argument lists the details for data units, similar to the 'ils' command. The 'blkstat' tool displays the statistics of a specific data unit (including allocation status and group number).
The metadata layer describes a file or directory. This layer contains descriptive data such as dates and size as well as the addresses of the data units. This layer describes the file in terms that the computer can process efficiently. The structures that the data is stored in have names such as inode and directory entry. All tools in this layer begin with an 'i'.
The 'ils' program lists some values of the metadata structures. By default, it will only list the unallocated ones. The 'istat' tool displays metadata information in an ASCII format about a specific structure. New to The Sleuth Kit is that 'istat' will display the destination of symbolic links. The 'icat' tool displays the contents of the data units allocated to the metadata structure (similar to the UNIX cat(1) command). The 'ifind' tool will identify which metadata structure has allocated a given content unit or file name.
Refer to the ntfs wiki for information on addressing metadata attributes in NTFS.
The human interface layer allows one to interact with files in a manner that is more convenient than directly with the metadata layer. In some operating systems there are separate structures for the metadata and human interface layers while others combine them. All tools in this layer begin with the letter 'f'.
The 'fls' program lists file and directory names. This tool will display the names of deleted files as well. The 'ffind' program will identify the name of the file that has allocated a given metadata structure. With some file systems, deleted files will be identified.
Time lines are useful to quickly get a picture of file activity. Using The Sleuth Kit, a time line of file MAC times can be easily made. The mactime (TCT) program takes as input the 'body' file that was generated by fls and ils. To get data on allocated and unallocated file names, use 'fls -rm dir', and for unallocated inodes use 'ils -m'. Note that the behavior of these tools is different from that in TCT. For more information, refer to wiki/mactime.
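As an added example (not code from the TSK project or its mactime tool), the script below reads body-file lines of the kind 'fls -rm' and 'ils -m' produce (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime, epoch seconds, 0 for an unset time) and builds a simplified mactime-style timeline with m/a/c/b flags; the body lines are constructed, not taken from a real image.

```python
"""Simplified mactime-style timeline from TSK body lines (added example, not TSK code).
Body format (TSK 3.x+): MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample body lines; a deleted name carries the " (deleted)" suffix fls emits.
SAMPLE_BODY = """\
0|/etc/passwd|42|r/rrw-r--r--|0|0|1823|1700000100|1699990000|1699990000|1699980000
0|/tmp/tool.sh (deleted)|7|r/rrwxr-xr-x|1000|1000|512|1700000100|1700000100|1700000200|1700000100
0|/home|2|d/drwxr-xr-x|0|0|4096|1699990000|1699980000|1699980000|1699980000
"""

def parse_body(text):
    """Parse body lines into dicts; times keyed a/m/c/b (access, modify, change, birth)."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("bad body line: %r" % line)
        records.append({
            "name": f[1], "deleted": f[1].endswith(" (deleted)"),
            "inode": f[2], "mode": f[3], "uid": f[4], "gid": f[5], "size": int(f[6]),
            "times": dict(zip("amcb", (int(x) for x in f[7:11]))),
        })
    return records

def build_timeline(records):
    """Return (timestamp, flags, record) sorted by time; flags use mactime's MACB order."""
    events = []
    for r in records:
        by_ts = defaultdict(set)
        for kind, ts in r["times"].items():
            if ts:  # 0 means the file system did not record that time
                by_ts[ts].add(kind)
        for ts, kinds in by_ts.items():
            flags = "".join(k if k in kinds else "." for k in "macb")
            events.append((ts, flags, r))
    events.sort(key=lambda e: (e[0], e[2]["name"]))
    return events

def format_timeline(events):
    """Render rows in the column order mactime's CSV output uses (Date,Size,Type,Mode,UID,GID,Meta,File Name)."""
    rows = []
    for ts, flags, r in events:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        rows.append("%s,%d,%s,%s,%s,%s,%s,%s" % (when, r["size"], flags, r["mode"],
                                                r["uid"], r["gid"], r["inode"], r["name"]))
    return rows

if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline(parse_body(SAMPLE_BODY)))))
```

A deleted script whose a/m/b times coincide and whose c time follows shortly after stands out in the flags column; that is the kind of cluster a timeline is built to surface.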
Hash databases are used to quickly identify if a file is known. The MD5 or SHA-1 hash of a file is taken and a database is used to identify if it has been seen before. This allows identification to occur even if a file has been renamed.
The Sleuth Kit includes the 'md5' and 'sha1' tools to generate hashes of files and other data.
Also included is the 'hfind' tool. The 'hfind' tool allows one to create an index of a hash database and perform quick lookups using a binary search algorithm. The 'hfind' tool can perform lookups on the NIST National Software Reference Library (NSRL) (www.nsrl.nist.gov) and files created from the 'md5' or 'md5sum' command. Refer to the wiki/hfind file for more details.
Different types of files typically have different internal structure. The 'file' command comes with most versions of UNIX and a copy is also distributed with The Sleuth Kit. This is used to identify the type of file or other data regardless of its name and extension. It can even be used on a given data unit to help identify what file used that unit for storage. Note that the 'file' command typically uses data in the first bytes of a file so it may not be able to identify a file type based on the middle blocks or clusters.
The 'sorter' program in The Sleuth Kit will use other Sleuth Kit tools to sort the files in a file system image into categories. The categories are based on rule sets in configuration files. The 'sorter' tool will also use hash databases to flag known bad files and ignore known good files. Refer to the wiki/sorter file for more details.
There are a variety of licenses used in TSK based on where they were first developed. The licenses are located in the licenses directory.
- The file system tools (in the tools/fstools directory) are released under the IBM open source license and Common Public License.
- srch_strings and fiwalk are released under the GNU Public License
- Other tools in the tools directory are Common Public License
- The modifications to 'mactime' from the original 'mactime' in TCT and 'mac-daddy' are released under the Common Public License.
The library uses utilities that were released under MIT and BSD 3-clause.
For installation instructions, refer to the INSTALL.txt document.
The wiki contains documents that describe the provided tools in more detail. The Sleuth Kit Informer is a newsletter that contains new documentation and articles.
Mailing lists exist on SourceForge, for both users and a low-volumeannouncements list.
Brian Carrier
carrier at sleuthkit dot org