24/7 Customer Support
13Jun 2017

0

1114

0

Sleuth Kit

Sleuth Kit

The Sleuth Kit is a C library forensic analysis tool and a collection command line tool. This kit will let you examine your suspect computer file system in a non-intrusive manner. These tools are not dependent on the operating system to process, delete and hide the content of the file systems. It is compatible with the Windows and Unix platforms. Through the sleuth kit volume system tools, you can examine the layout disks and other media. It also supports the following:

DOS partitions,

BSD partitions (disk labels),

Mac partitions,

Sun slices (Volume Table of Contents), and

GPT disks.

Examination, Identification, and partition are located and extracted with the help of the file system analysis tools. As we know, command line tools become tedious when you are performing a complete analysis of a system, but it will not happen in the case Sleuth kit. The sleuth kit consists of an Autopsy, which is a graphical interface that allows you to do investigation more easily. Moreover, it can also provide the following:

  • Case management
  • Image integrity
  • Keyword searching and other automated operations

Apart from the file and the volume system analysis, you need more. Though, a single tool can provide support for all the file types and analysis techniques.  The TSK Framework allows you to easily incorporate file analysis modules which are specially written by the developers If you are developing a tool, consider incorporating in the framework or developing your analysis technique as a module into the framework.

Input Data

Analyzes raw (i.e. DD), Expert Witness (i.e. EnCase) and AFF file system and disk images. (Sleuth Kit Informer #11)

Supports the NTFS, FAT, ExFAT, UFS 1, UFS 2, EXT2FS, EXT3FS, Ext4, HFS, ISO 9660, and YAFFS2 file systems (even when the host operating system does not or has a different ending ordering).

Tools can be run on a live Windows or UNIX system during Incident Response. These tools will show files that have been “hidden” by root kits and will not modify the A-Time of files that are viewed. (Sleuth Kit Informer #13)

Search Techniques

List allocated and deleted ASCII and Unicode filenames. (Sleuth Kit Informer #14 (FAT Recovery), #16 (NTFS Orphan Files))

Display the details and contents of all NTFS attributes (including all Alternate Data Streams).

Display file system and meta-data structure details.

Create timelines of file activity, which can be imported into a spreadsheet to create graphs and reports. (Sleuth Kit Informer #5)

Lookup file hashes in a hash database, such as the NIST NSRL, Hash Keeper, and custom databases that have been created by the ‘md5sum’ tool.

Organize files based on their type Pages of thumbnails can be made of graphic images for quick analysis. (Sleuth Kit Informer #3, #4, #5)

The Sleuth Kit is written in C and Perl and uses some code and design from The Coroner’s Toolkit (TCT). The Sleuth Kit has been tested on:

Linux

Mac OS X

Windows (Visual Studio and mingw)

CYGWIN

Open & FreeBSD

Solaris

 

Comments (0)