The Sleuth Kit (TSK)
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that
allow you to investigate a computer. The current focus of the tools is the
file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS,
and ISO 9660 file systems
Version: 4.12.1
General Commands | |
| blkcalc | Converts between unallocated disk unit numbers and regular disk unit numbers. |
| blkcat | Display the contents of file system data unit in a disk image. |
| blkls | List or output file system data units. |
| blkstat | Display details of a file system data unit (i.e. block or sector) |
| ffind | Finds the name of the file or directory using a given inode |
| fls | List file and directory names in a disk image. |
| fsstat | Display general details of a file system |
| hfind | Lookup a hash value in a hash database |
| ifind | Find the meta-data structure that has allocated a given disk unit or file name. |
| ils | List inode information |
| img_cat | Output contents of an image file. |
| img_stat | Display details of an image file |
| istat | Display details of a meta-data structure (i.e. inode) |
| jcat | Show the contents of a block in the file system journal. |
| jls | List the contents of a file system journal |
| mactime | Create an ASCII time line of file activity |
| mmcat | Output the contents of a partition to stdout |
| mmls | Display the partition layout of a volume system (partition tables) |
| mmstat | Display details about the volume system (partition tables) |
| sigfind | Find a binary signature in a file |
| sorter | Sort files in an image into categories based on file type |
| tsk_comparedir | compare the contents of a directory with the contents of an image or local device. |
| tsk_gettimes | Collect MAC times from a disk image into a body file. |
| tsk_loaddb | populate a SQLite database with metadata from a disk image |
| tsk_recover | Export files from an image into a local directory |
| usnjls | List the contents of a NTFS Update Sequence Number journal |