Inside Sleuth Kit 01 - Source Code Structure

02/02/2016

Since the Sleuth Kit is an open source software, we can obtain TSK’s source codes easily. Studying the source codes can help us understand more concepts in file system analysis. It will be a great experience to study inside the Sleuth Kit.

The source codes of TSK can be downloaded here.

Note the release version of TSK is in the “master” branch. The current version of TSK being developed is in the “develop” branch. I will use the master branch to explain my discovery over TSK source codes.

The tools folder stores compiled programs once you follow the instruction manual in “INSTALL.txt” at root folder. These programs are categorized into different folders such as fstools, vstools, hashtools. The corresponding *.cpp files are also in these folders. These files contain the main function of each program, making them good starting point to study the codes.

The tsk folder stores most of the source codes of TSK. There are multiple subfolders in it. Some of them are listed here:

Knowing the basic source code structure, we can easily understand the detailed mechanism about how a specific TSK tool works. For example, the mmls tool can read a dos partitioned image and list all partitions. To understand how it works, we can start by looking at the mmls.cpp in ‘tools/vstools’ folder. Then we will look for the main function to track other functions.

In the main function, a tsk_vs_open function is used to open the image and generate the volume system information. Since mmls is a volume system tool, it is very likely that this tsk_vs_open function is stored in tsk/vs folder. By performing a search, we can confirm our guess by looking at tsk/vs/mm_open.c, where the tsk_vs_open function is defined.

Such function tracking can continue until we find out the struct that defines master boot record(MBR) if the image being processed is a dos partition system. The core functions tracked during this process can be illustrated as the following graph:

mmls.cpp          main()................................
(tools/vstools/)     |
                     |
mm_open.c            tsk_vs_open()......................
(tsk/vs/)                  |
                           |
dos.c                      tsk_vs_dos_open()............
(tsk/vs/)                          |
                                   |
dos.c                              dos_load_prim_table()
(tsk/vs/)                                    |
                                             |
tsk_dos.h                                    dos_sec....
(tsk/vs/)
Back to Top

SYANG.IO © 2018