The Sleuth Kit
What is The Sleuth Kit?
The Sleuth Kit: An open-source library and collection of command-line tools for low-level analysis of disk images and file systems, maintained by Brian Carrier.
The Sleuth Kit (TSK) is an open-source forensic library and a set of command-line tools for examining raw disk images and file systems at the byte and metadata level. Originally derived from The Coroner's Toolkit, TSK has been maintained since 2003 by Brian Carrier under a BSD/CPL licence. It supports NTFS, FAT, exFAT, Ext2/3/4, HFS+, APFS, ISO 9660 and Yaffs2 and works on raw and Expert Witness Format (E01) images. Investigators use TSK utilities such as 'fls', 'icat', 'mmls', 'fsstat', 'tsk_recover' and 'tsk_loaddb' to enumerate files (including deleted entries), parse partition tables, carve unallocated space and build SQLite databases for further analysis. TSK is the engine behind Autopsy and many other commercial and open-source forensic tools.
● Examples
- 01: Running 'fls -r -m / image.E01' to produce a body file for timeline analysis with mactime.
- 02: Using 'icat' to extract a deleted document, referenced by its inode (metadata address) number, from an NTFS image.
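As an added example (not code from the original page or from TSK itself), the following Python script parses the body file that 'fls -m' writes and renders a mactime-style timeline from constructed sample lines; the field order and the m/a/c/b flag column follow the TSK 3.x body-file format, and the sample paths and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timezone

# TSK 3.x body-file field order as written by `fls -m`:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# mactime prints one flag column in the order m, a, c, b
FLAG_ORDER = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

def parse_body_line(line):
    """Split one pipe-delimited body-file line into a dict of typed fields."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("size", "atime", "mtime", "ctime", "crtime"):
        rec[key] = int(rec[key])
    return rec

def build_timeline(lines):
    """Return [(epoch, 'macb' flags, size, name)] sorted by time, as mactime does."""
    events = defaultdict(dict)  # (epoch, name) -> {timestamp field: letter}
    sizes = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_body_line(line)
        sizes[rec["name"]] = rec["size"]
        for field, letter in FLAG_ORDER:
            if rec[field] > 0:  # 0 means the timestamp is unset; skip it
                events[(rec[field], rec["name"])][field] = letter
    timeline = []
    for (ts, name), present in sorted(events.items()):
        flags = "".join(present.get(f, ".") for f, _ in FLAG_ORDER)
        timeline.append((ts, flags, sizes[name], name))
    return timeline

def fmt_utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

# Constructed sample lines, not taken from any real image
SAMPLE = """\
0|/Users/alice/report.docx|1234-128-3|r/rrwxrwxrwx|0|0|51200|1700000300|1700000000|1700000000|1699990000
0|/Users/alice/notes.txt (deleted)|2048-128-1|r/rrwxrwxrwx|0|0|812|1700000100|1700000100|1700000100|1700000100
""".splitlines()

if __name__ == "__main__":
    for ts, flags, size, name in build_timeline(SAMPLE):
        print(f"{fmt_utc(ts)}  {flags}  {size:>8}  {name}")
```

A file whose modification and change times coincide shows up as one row flagged 'm.c.', while a single instant carrying all four timestamps (typical of a freshly created file) is flagged 'macb'.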
● Frequently asked questions
What is The Sleuth Kit?
An open-source library and collection of command-line tools for low-level analysis of disk images and file systems, maintained by Brian Carrier. It belongs to the Forensics & IR category of cybersecurity.
What are other names for The Sleuth Kit?
Common alternative names include: TSK, Sleuth Kit.
● Related terms
- Autopsy (forensics-ir № 078): Open-source digital-forensics platform developed by Brian Carrier and Basis Technology that provides a graphical front end to The Sleuth Kit and a rich set of analysis modules.
- Forensic Imaging (forensics-ir № 426): Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
- File Carving (forensics-ir № 415): A forensic technique that recovers files from unallocated space or raw data by recognizing file signatures, headers, and footers without relying on filesystem metadata.
- Timeline Analysis (forensics-ir № 1156): A forensic technique that reconstructs the chronological sequence of events on a system by correlating timestamps from files, logs, and other artifacts.
- Chain of Custody (forensics-ir № 162): The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
- Forensic Hash Verification (forensics-ir № 425): The practice of computing and comparing cryptographic hashes (typically MD5 and SHA-256) of forensic images and source media to prove evidence integrity.