
SleuthKit

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools for forensic analysis of file and volume systems in disk images. It enables non-intrusive examination of filesystems to reveal deleted and hidden content, and analyzes disk layouts and partitions.

Description

The Sleuth Kit's file system tools examine the filesystems of a suspect computer without relying on the host operating system to process them, so deleted and hidden content is visible; they recover deleted files and inspect slack space, filesystem journals, and unallocated data units. The volume system (media management) tools analyze disk layouts and partition structures. Supported partition schemes are DOS, BSD, Mac, Sun, and GPT; supported filesystems include NTFS, FAT, exFAT, HFS+, Ext3, Ext4, UFS, and YAFFS2.

Use cases include digital forensics investigations where investigators need to extract and analyze data from disk images, identify partitions, recover evidence from unallocated space or slack areas, and generate timelines or file lists for case documentation. The tools are particularly valuable for law enforcement, incident response, and cybersecurity analysis of compromised systems.

The main package contains command line tools, with supporting libraries like libtsk23 for programmatic access and Java bindings for integration into other applications. It operates on raw images or specific formats, focusing on the current filesystem without modifying data.

How It Works

SleuthKit tools parse disk images and filesystems directly through libraries like libtsk23, bypassing the host OS to read raw on-disk structures. Filesystem analysis tools read metadata, inodes, journals, and block allocations to list files, recover deleted content, and extract data units. Volume tools interpret partition tables (DOS, GPT, etc.) to map layouts and locate volumes, whose starting sector is then passed to the filesystem tools with -o. Common flags specify image formats (-i), filesystem types (-f), sector sizes (-b), offsets in sectors (-o), and output modes, with support for decryption of encrypted pools (-k), hashing, and recursion.
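The offset handling described above is the step that most often goes wrong in practice: mmls reports partition starts in sectors, fls/icat/fsstat take that number via -o, while dd and losetup want bytes. The following script is an added example, not code from the kali.org page or from the Sleuth Kit project. It parses constructed mmls output (the partition layout is made up for this example), converts sectors to bytes, and prints the TSK command lines for the chosen partition; INODE in the icat line is a placeholder for a number taken from the fls listing. When an image path is given and mmls is installed, it uses live mmls output instead of the sample.

```shell
#!/bin/sh
# Added example, not from the kali.org page or the Sleuth Kit project.
# Scripts the sector-offset handling: mmls -> start sector -> fls/icat -o,
# plus the byte offset that dd/losetup need.

# Constructed sample of `mmls -i raw disk.dd` output (layout is invented).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0002097151   0001890304   NTFS / exFAT (0x07)'

# sector_size MMLS_OUTPUT: the sector size mmls used for its numbers.
sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9][0-9]*\)-byte sectors.*/\1/p'
}

# start_sector PATTERN MMLS_OUTPUT: start sector of the first partition row
# whose description contains PATTERN; prints nothing if no row matches.
# Rows begin with an index like "002:"; column 3 is the zero-padded start.
start_sector() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[0-9][0-9]*:/ && index($0, want) { print $3 + 0; exit }'
}

# byte_offset START_SECTOR SECTOR_SIZE: offset in bytes, for dd/losetup.
byte_offset() {
    echo $(( $1 * $2 ))
}

# partition_commands PATTERN MMLS_OUTPUT IMAGE: print the TSK commands for
# the matching partition. Nothing is executed here; -i raw is given
# explicitly so the tools never have to guess the image format.
partition_commands() {
    start=$(start_sector "$1" "$2")
    [ -n "$start" ] || { echo "no partition matching '$1'" >&2; return 1; }
    size=$(sector_size "$2")
    cat <<EOF
# $1 partition starts at sector $start ($(byte_offset "$start" "$size") bytes)
fsstat -i raw -o $start $3
fls -i raw -o $start -r -d $3
icat -i raw -o $start $3 INODE > recovered.bin
fls -i raw -o $start -r -m / $3 > body.txt && mactime -b body.txt
EOF
}

# Stand-alone run: live mmls output when an image path is given and the
# tools are installed, otherwise the constructed sample.
if [ -n "$1" ] && command -v mmls >/dev/null 2>&1; then
    partition_commands NTFS "$(mmls -i raw "$1")" "$1"
else
    partition_commands NTFS "$SAMPLE_MMLS" disk.dd
fi
```

The pattern argument selects a partition by its mmls description, so the same helper serves the Linux partition with `start_sector Linux "$out"`. Keeping the conversion in one place avoids the classic mistake of passing a byte offset to -o or a sector offset to dd.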

Installation

```bash
sudo apt install sleuthkit
```

Flags

-f fstype            The file system type (use '-f list' for supported types)
-i imgtype           The format of the image file (use '-i list' for supported types)
-b dev_sector_size   The size (in bytes) of the device sectors
-o imgoffset         The offset of the file system in the image (in sectors)
-P pooltype          Pool container type (use '-P list' for supported types)
-v                   Verbose output
-V                   Print version
-a                   Display allocated blocks or inodes
-d                   Display deleted entries only
-r                   Recurse on directory entries

Examples

Display help for blkcalc, which converts between unallocated disk unit numbers and regular disk unit numbers
blkcalc -h
Display help for blkcat, which outputs the contents of file system data units in a disk image
blkcat --help
Display help for blkls, which lists or outputs file system data units
blkls -h
Display help for fls, which lists file and directory names in a disk image
fls --help
Display help for icat, which outputs the contents of a file based on its inode number
icat --help
Display help for mmls, which displays the partition layout of a volume system
mmls -h
Display help for fsstat, which displays general details of a file system
fsstat -h
Updated 2026-04-16 (kali.org)