Description
The Sleuth Kit (TSK) is a library and collection of command-line tools that allow you to investigate disk images. It supports NTFS, FAT, exFAT, HFS+, Ext2/3/4, UFS, and YAFFS2 filesystems.
Installation
BASH
sudo apt install sleuthkit
Basic Usage
BASH
# Image info
img_stat disk.dd
# List partitions
mmls disk.dd
# List files in the root directory (-o is the partition's start sector, taken from the mmls output)
fls -o 2048 disk.dd
# Recursively list all files
fls -r -o 2048 disk.dd
# Extract file by inode
icat -o 2048 disk.dd 12345 > extracted_file
Advanced Usage
BASH
# File system info
fsstat -o 2048 disk.dd
# Search for deleted files
fls -d -r -o 2048 disk.dd
# Generate timeline body
fls -m "/" -r -o 2048 disk.dd > body.txt
mactime -b body.txt -d > timeline.csv
# Keyword search
srch_strings -a -t d disk.dd | grep "password"
# Journal analysis (ext3/4): jls lists journal blocks, jcat dumps one of them
jls -o 2048 disk.dd
jcat -o 2048 disk.dd <journal_entry>
# Hash database lookup: -i only builds the index, so index once, then query
hfind -i nsrl-sha1 hashdb
hfind hashdb sha1_hash
Common Workflows
BASH
# Forensic analysis pipeline
mmls evidence.dd # Partitions
fsstat -o 2048 evidence.dd # FS details
fls -r -d -o 2048 evidence.dd # Deleted files
fls -m "/" -r -o 2048 evidence.dd > body.txt # Timeline body
mactime -b body.txt -d > timeline.csv # Timeline
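The body file that `fls -m "/"` writes and `mactime -b` consumes (in both the Advanced Usage and Common Workflows sections above) is a plain pipe-delimited format: MD5, name, inode, mode, UID, GID, size, then atime, mtime, ctime and crtime as Unix epochs. The following Python is an added example, not Sleuth Kit code: it parses constructed body lines, builds the same kind of MACB timeline that mactime produces, and filters deleted entries to a time window, which is the usual next step after the pipeline. The sample records, field names and helper names are assumptions for illustration.

```python
import csv
from datetime import datetime, timezone

# Constructed sample of the TSK 3.x body format that `fls -m "/"` writes.
# Fields: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# (fls writes 0 for MD5 unless hashing was requested; deleted entries carry
# a "(deleted)" suffix on the name). Values below are made up.
SAMPLE_BODY = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|2847|1609462800|1609459200|1609459200|1609455600
0|/home/alice/notes.txt (deleted)|5678|r/rrw-------|1000|1000|512|1609466400|1609466400|1609466400|1609466400
0|/var/log/auth.log|2222|r/rrw-r-----|0|4|10240|1609470000|1609470000|1609470000|1609459200
"""

BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
TIME_FIELDS = ("atime", "mtime", "ctime", "crtime")
# Column of each timestamp in the four-character MACB string mactime prints
MACB_POSITION = {"mtime": 0, "atime": 1, "ctime": 2, "crtime": 3}


def parse_body(text):
    """Parse body-format text into dicts, skipping blank or malformed lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(BODY_FIELDS):
            # A file name containing '|' breaks the field count; report it
            # and keep going rather than abort the whole timeline.
            print(f"skipping malformed line {lineno}: {len(parts)} fields")
            continue
        rec = dict(zip(BODY_FIELDS, parts))
        rec["size"] = int(rec["size"])
        for key in TIME_FIELDS:
            rec[key] = int(rec[key])
        rec["deleted"] = "(deleted" in rec["name"]
        records.append(rec)
    return records


def build_timeline(records):
    """Expand records into mactime-style rows: one row per distinct timestamp
    per file, with an MACB string marking which timestamps coincide."""
    rows = []
    for rec in records:
        by_time = {}
        for key, pos in MACB_POSITION.items():
            ts = rec[key]
            if ts == 0:  # 0 means "not set" in the body format; nothing to place
                continue
            flags = by_time.setdefault(ts, ["."] * 4)
            flags[pos] = "macb"[pos]
        for ts, flags in by_time.items():
            rows.append({
                "time": datetime.fromtimestamp(ts, tz=timezone.utc),
                "size": rec["size"], "macb": "".join(flags),
                "mode": rec["mode"], "uid": rec["uid"], "gid": rec["gid"],
                "inode": rec["inode"], "name": rec["name"],
                "deleted": rec["deleted"],
            })
    rows.sort(key=lambda r: (r["time"], r["name"]))
    return rows


def deleted_activity(rows, start, end):
    """Return deleted-file rows whose timestamp falls within [start, end]."""
    return [r for r in rows if r["deleted"] and start <= r["time"] <= end]


def write_csv(rows, path):
    """Write rows in a column layout comparable to `mactime -d` output."""
    with open(path, "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
        for r in rows:
            w.writerow([r["time"].strftime("%Y-%m-%d %H:%M:%S UTC"), r["size"],
                        r["macb"], r["mode"], r["uid"], r["gid"], r["inode"], r["name"]])


if __name__ == "__main__":
    timeline = build_timeline(parse_body(SAMPLE_BODY))
    for r in timeline:
        print(r["time"].isoformat(), r["macb"], r["name"])
    window = (datetime(2021, 1, 1, tzinfo=timezone.utc),
              datetime(2021, 1, 2, tzinfo=timezone.utc))
    print("deleted files active on 2021-01-01:",
          [r["name"] for r in deleted_activity(timeline, *window)])
```

To run it against a real body file, replace SAMPLE_BODY with the contents of body.txt from the workflow above; the MACB column then reads exactly as in mactime's output (a file whose four timestamps all match collapses to one "macb" row, while a modification that also changes metadata shows as "m.c."), and the deleted-entry filter answers the question the `fls -d` step raises: which unallocated files were touched in the window of interest.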