Using Sleuth Kit 01 - Introduction
10/09/2014
Let us start learning to use the Sleuth Kit (TSK). The first thing should know is what tools the kit provides.
If you install TSK via downloaded source codes, go to the extracted folder of the source codes. After make command, all executable files should be generated within it. Go to “tools” folder and list all its contents:
Some folders and tools within are introduced here:
Folder “imgtools” has tools for disk image files. The two tools provided are img_cat and img_stat.
Folder “vstools” stores tools which analyze volumes on a disk. Tools here include mmls, mmstat, mmcat.
Folder “fstools” contains most tools. These tools can be divided into several catalogs based on the target they operate against:
- file system:
fsstat - file:
fls,fcat - block:
blkls,blkstat,blkcat,blkcalc - metadata:
ils,istat,icat,ifind - file system journals:
jls,jcat
As you can see, it is very obvious that all tools in a same catalog share the same prefix, while the suffix indicates the actual function of the tool. “-ls” lists objects in the current level. “-stat” provides detailed information. “-cat” prints content to standard output, which can be directed into a file.
To get more information about each tool (command), check the “README.txt” file in the TSK folder. To find out arguments for each tool, type the tool command alone. For example:mmls shows the following result:
$ mmls
Missing image name
mmls [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-BrvV] [-aAmM] [-t vstype] image [images]
-t vstype: The type of volume system (use '-t list' for list of supported types)
-i imgtype: The format of the image file (use '-i list' for list supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)
-B: print the rounded length in bytes
-r: recurse and look for other partition tables in partitions (DOS Only)
-v: verbose output
-V: print the version
Unless any of these are specified, all volume types are shown
-a: Show allocated volumes
-A: Show unallocated volumes
-m: Show metadata volumes
-M: Hide metadata volumes
Next post will introduce the volume tool (mm-) in TSK.