The Sleuth Kit is a C library and a collection of command line tools for forensic analysis. The file system tools let you examine the file systems of a suspect computer in a non-intrusive manner. Because the tools do not rely on the host operating system to process the file systems, deleted and hidden content is shown. It runs on Windows and Unix platforms. The volume system (media management) tools let you examine the layout of disks and other media. They support:
- BSD partitions (disk labels),
- Sun slices (Volume Table of Contents), and
With these tools you can identify where partitions are located and extract them so that they can be examined with the file system analysis tools. Command line tools become tedious when you are performing a complete analysis of a system, but that is not the case with The Sleuth Kit: it comes with Autopsy, a graphical interface that makes investigation easier. Autopsy also provides:
- Case management
- Image integrity
- Keyword searching and other automated operations
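As an added illustration of what the volume system tools do (this is example code written for this article, not part of The Sleuth Kit), the following Python script parses an MBR partition table straight from the bytes of a raw image, lists the partitions and the unallocated gaps between them the way mmls does, and carves one partition out of the image the way mmcat does. The 200-sector image is constructed inside the script, and the partition type-name table is a small assumed subset.

```python
"""Locate partitions in a raw disk image by reading its MBR (DOS) partition
table directly from the bytes, without asking the host OS to mount anything.
Added example, not The Sleuth Kit's own code; the image is constructed below."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
# Assumed subset of MBR partition type IDs, for labelling only.
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux", 0x05: "Extended"}


@dataclass
class Partition:
    slot: int
    bootable: bool
    type_id: int
    start: int      # first sector (LBA)
    length: int     # length in sectors

    @property
    def end(self) -> int:
        return self.start + self.length - 1

    @property
    def start_byte(self) -> int:
        return self.start * SECTOR

    def describe(self) -> str:
        return f"{PART_TYPES.get(self.type_id, 'Unknown')} (0x{self.type_id:02x})"


def parse_mbr(image: bytes) -> List[Partition]:
    """Return the non-empty primary partition entries, validated against the image size."""
    if len(image) < SECTOR:
        raise ValueError("image is shorter than one sector")
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR")
    total = len(image) // SECTOR
    parts = []
    for slot in range(4):
        # Entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, length.
        status, type_id, start, length = struct.unpack_from("<B3xB3xII", image, 446 + 16 * slot)
        if type_id == 0 or length == 0:
            continue                      # empty slot
        if start + length > total:
            raise ValueError(f"slot {slot}: partition extends past the end of the image")
        parts.append(Partition(slot, status == 0x80, type_id, start, length))
    return parts


def layout(image: bytes) -> List[Tuple[str, int, int]]:
    """mmls-style layout: the table itself, each partition, and the unallocated gaps."""
    total = len(image) // SECTOR
    rows = [("Primary Table (#0)", 0, 0)]
    cursor = 1
    for p in sorted(parse_mbr(image), key=lambda p: p.start):
        if p.start > cursor:
            rows.append(("Unallocated", cursor, p.start - 1))
        rows.append((p.describe(), p.start, p.end))
        cursor = p.end + 1
    if cursor < total:
        rows.append(("Unallocated", cursor, total - 1))
    return rows


def extract_partition(image: bytes, p: Partition) -> bytes:
    """mmcat-style: carve the partition's bytes out so a file system tool can examine them."""
    return image[p.start_byte : p.start_byte + p.length * SECTOR]


def build_sample_image() -> bytes:
    """Constructed 200-sector image: bootable FAT32 at sectors 8-71, Linux at 100-199."""
    img = bytearray(200 * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x0C, 8, 64)
    struct.pack_into("<B3xB3xII", img, 462, 0x00, 0x83, 100, 100)
    img[510:512] = MBR_SIGNATURE
    img[100 * SECTOR : 100 * SECTOR + 8] = b"LINUXFS!"   # marker so extraction can be checked
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print(f"{'Start':>8} {'End':>8} {'Length':>8}  Description")
    for desc, s, e in layout(img):
        print(f"{s:>8} {e:>8} {e - s + 1:>8}  {desc}")
```

Note that the parser trusts nothing it is not shown: a missing 0x55AA signature or a partition entry that runs past the end of the image is reported rather than silently used, which is the kind of inconsistency an investigator wants surfaced.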
Beyond file and volume system analysis, you need more, and no single tool can provide support for all file types and analysis techniques. The TSK Framework allows you to easily incorporate file analysis modules written by other developers. If you are developing a tool, consider incorporating it into the framework, or developing your analysis technique as a module for the framework.
- Analyzes raw (i.e. dd), Expert Witness (i.e. EnCase) and AFF file system and disk images. (Sleuth Kit Informer #11)
- Supports the NTFS, FAT, exFAT, UFS 1, UFS 2, EXT2FS, EXT3FS, Ext4, HFS, ISO 9660, and YAFFS2 file systems (even when the host operating system does not, or has a different endian ordering).
- Tools can be run on a live Windows or UNIX system during incident response. These tools will show files that have been "hidden" by rootkits and will not modify the A-Time of files that are viewed. (Sleuth Kit Informer #13)
- Lists allocated and deleted ASCII and Unicode filenames. (Sleuth Kit Informer #14 (FAT Recovery), #16 (NTFS Orphan Files))
- Displays the details and contents of all NTFS attributes (including all Alternate Data Streams).
- Displays file system and meta-data structure details.
- Creates timelines of file activity, which can be imported into a spreadsheet to create graphs and reports. (Sleuth Kit Informer #5)
- Looks up file hashes in a hash database, such as the NIST NSRL, HashKeeper, and custom databases created with the 'md5sum' tool.
- Organizes files based on their type. Pages of thumbnails can be made of graphic images for quick analysis. (Sleuth Kit Informer #3, #4, #5)
The Sleuth Kit is written in C and Perl and uses some code and design from The Coroner's Toolkit (TCT). It has been tested on:
- Mac OS X
- Windows (Visual Studio and mingw)
- OpenBSD and FreeBSD