The Sleuth Kit Part 1 – Overview

In this series I am going to touch a bit on how to use The Sleuth Kit (TSK) for digital forensic purposes.

First things first....

Definition of Sleuth

According to the dictionary, a sleuth is "a detective". Some of the synonyms it provides are: investigator, private investigator, and I'm going to add, "forensicator".

The official logo of The Sleuth Kit is a bloodhound. If you know anything about bloodhounds you know they are wicked good at tracking humans (dead or alive). They were actually bred for this purpose and they have an amazing sense of smell.

Simply put, you are going to be hunted and discovered. Not unlike a skilled analyst using the software version.

Technical definition of The Sleuth Kit

According to the Sleuth Kit website, "The Sleuth Kit (TSK) is a C library and a collection of command line tools. Autopsy is a graphical interface to TSK. TSK can be integrated into automated forensics systems in many ways, including as a C library and by using the SQLite database that it can create. The Sleuth Kit Hadoop Framework is a framework that incorporates TSK into cloud computing for large scale data analysis."

Patrick Olsen's definition is, "A command line based forensic tool suite, which has the power to do much more when combined with other tools/technologies". I like simple.

So now we have some frame of mind as to where these tools came from and how they relate to digital forensics. We also have a bit of history, which I will assume was used to name the overall project.

The Sleuth Kit (TSK) tool makeup

fsstat, ffind, fls, icat, ifind, ils, istat, blkcat, blkls, blkstat, blkcalc, mmls, mmstat, mmcat, img_stat, img_cat, disk_sreset, disk_stat, tsk_comparedir, tsk_gettimes, tsk_loaddb, tsk_recover, mactime, hfind, sorter, and sigfind.

The prefix of each tool tells you which layer of the image it works on:

f/ff: file system and files
disk: disk
i: metadata structures
mm: media management (partitions)
tsk: fully automated tools
blk: process data units
img: image file format
hfind: hash find
mactime: time
sorter: sorts files
sigfind: finds a signature
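To show how those layers chain together, here is a small added example (my own script, not part of TSK or this post's original content): the mm layer (mmls) reports where each partition starts, and the fs, file-name and metadata tools (fsstat, fls, istat, icat) take that start sector through their -o option. The mmls listing embedded below is constructed so the parsing part runs without an image; the image path and the inode placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: chain TSK's layers by hand.
# mm (media management) gives partition offsets; the fs / file-name /
# metadata tools then take that offset via -o. The listing is constructed.

SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)
003:  000:001   0000204800   0000409599   0000204800   NTFS / exFAT (0x07)'

# Read mmls output on stdin; print "<row> <start-sector>" for allocated
# partitions only (their Slot column looks like 000:000; the meta and
# unallocated rows do not, so they are skipped).
tsk_partitions() {
    awk '$2 ~ /^[0-9]+:[0-9]+$/ { printf "%s %d\n", $1, $3 }'
}

# Print the commands that step from the fs layer down to the metadata
# layer for one partition; start is in 512-byte sectors as mmls reports.
tsk_layer_commands() {
    img=$1; start=$2
    printf 'fsstat -o %s %s\n' "$start" "$img"               # fs: file system details
    printf 'fls -r -p -o %s %s\n' "$start" "$img"            # f: recursive listing, full paths
    printf 'istat -o %s %s <inode>\n' "$start" "$img"        # i: metadata for one inode
    printf 'icat -o %s %s <inode> > out.bin\n' "$start" "$img"  # i: copy that inode's content
}

# Walk every allocated partition. Uses the real mmls on $1 when TSK is
# installed and an image path is given; otherwise the constructed sample.
tsk_walk() {
    img=${1:-image.dd}   # assumed placeholder image name
    if [ -n "$1" ] && command -v mmls >/dev/null 2>&1; then
        listing=$(mmls "$img")
    else
        listing=$SAMPLE_MMLS
    fi
    printf '%s\n' "$listing" | tsk_partitions | while read -r row start; do
        echo "# partition $row at sector $start"
        tsk_layer_commands "$img" "$start"
    done
}

tsk_walk "$@"
```

With no argument it prints the per-layer commands for the two sample partitions; pass a raw image path on a box with TSK installed and it parses the live mmls output instead.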

Here is a better overview of the tools and what specifically they are used for. I couldn't say it better myself, so I'll leave it to the creator to provide you the tool-by-tool overview.

So there you have it. That's a quick overview of what TSK is and what TSK contains. In Part II we will start drilling down and I will get into how to use these different tools to perform analysis on an image/disk.