The Sleuth Kit and Autopsy Browser

The Sleuth Kit and the Autopsy Browser are both open source digital investigation tools (also known as digital forensic tools) that run on Windows, Linux, OS X, and other Unix systems. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types.

  1. The Sleuth Kit is a collection of command line digital investigation tools. The tools run on Linux, OS X, FreeBSD, OpenBSD, and Solaris and can analyze FAT, NTFS, UFS, EXT2FS, and EXT3FS.
  2. The Autopsy Forensic Browser is an HTML-based graphical interface for the command line tools in The Sleuth Kit. This makes it much easier and faster to investigate a system.
  3. Sleuth Kit Hadoop Framework is a project to use cloud computing to analyze hard drives on a large scale.
  4. mac-robber is a tool that will collect temporal data from mounted file systems. The data can be used to make a timeline of file activity on the system using tools from The Sleuth Kit.

Examiners and analysts can use the Autopsy graphical interface or the Sleuth Kit (TSK) command line tools to conduct an investigation.

Both Autopsy and TSK have frameworks that enable them to easily integrate modules written by other developers. If you write digital forensics software, refer to the Autopsy Developer’s Guide or the TSK Framework Module Writer’s Guide for details on how to incorporate your tools into TSK and Autopsy.

These tools have the following goals:

  • Provide as much information as possible. These tools require the user to know what data can be ignored for a given case, but the data are there in case it is needed.
  • Open. Everything is in an open format so that users can verify it, learn from it, and not be constrained by it.
  • Education.

The Sleuth Kit is written in C and Perl and uses some code and design from The Coroner’s Toolkit (TCT). The Sleuth Kit has been tested on:

  • Linux
  • Mac OS X
  • Windows (Visual Studio and mingw)
  • Open & FreeBSD
  • Solaris

Autopsy is written in Perl and runs on the same UNIX platforms as The Sleuth Kit:

  • Linux
  • Mac OS X
  • Open & FreeBSD
  • Solaris
  • Cygwin (you cannot use the win32 executables that can be downloaded from this site; you must build in Cygwin)

The Sleuth Kit Hadoop Framework is a project that incorporates The Sleuth Kit into a Hadoop cluster. Using cloud computing technology should allow for faster processing of media. This project produced a prototype framework that will continue to need further work.

mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system. This is useful during incident response when analyzing a live system or when analyzing a dead system in a lab. The data can be used by the mactime tool in The Sleuth Kit to make a timeline of file activity. The mac-robber tool is based on the grave-robber tool from TCT and is written in C instead of Perl.
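As an added example (not code from this page, mac-robber or TSK), the Python script below shows the mac-robber to mactime data flow described above: one function emits a body-file line per path from lstat without hashing, as mac-robber does, and another collapses such lines into a mactime-style timeline of file activity. It assumes the TSK 3.x body-file layout (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime), which the page does not spell out; the sample lines are constructed, and skipping zero timestamps is this example's own choice.

```python
import os
import stat
from datetime import datetime, timezone

# Assumed TSK 3.x body-file layout (not described on the page itself).
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

# Constructed sample body lines (not real evidence): a file whose mtime and
# ctime coincide, and a second file touched later in all three timestamps.
SAMPLE_BODY = [
    "0|/etc/passwd|1234|-rw-r--r--|0|0|2048|1700000100|1700000000|1700000000|0",
    "0|/home/alice/.bash_history|5678|-rw-------|1000|1000|512|1700000200|1700000200|1700000200|0",
]

def body_line(path):
    """One body-file line for a path: lstat only, MD5 left as 0 like mac-robber."""
    st = os.lstat(path)
    return "|".join(["0", path, str(st.st_ino), stat.filemode(st.st_mode),
                     str(st.st_uid), str(st.st_gid), str(st.st_size),
                     str(int(st.st_atime)), str(int(st.st_mtime)),
                     str(int(st.st_ctime)), "0"])  # crtime not exposed by lstat

def parse_body_line(line):
    """Split a body line into a dict; timestamps become ints, the rest stay strings."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    for key in ("atime", "mtime", "ctime", "crtime"):
        rec[key] = int(rec[key])
    return rec

def timeline(lines):
    """Sorted mactime-style rows: (time, macb, size, mode, uid, gid, inode, name).
    Timestamps of one file that are equal share a row with several letters set;
    a zero timestamp is treated as unknown and skipped (this example's choice)."""
    rows = []
    for line in lines:
        rec = parse_body_line(line)
        by_time = {}  # epoch -> set of letters m/a/c/b that fire at that instant
        for letter, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            if rec[key] > 0:
                by_time.setdefault(rec[key], set()).add(letter)
        for t, letters in by_time.items():
            macb = "".join(l if l in letters else "." for l in "macb")
            rows.append((t, macb, rec["size"], rec["mode"], rec["uid"],
                         rec["gid"], rec["inode"], rec["name"]))
    return sorted(rows)

def format_row(row):
    """Render one row the way an analyst reads it: UTC date first, then macb flags."""
    stamp = datetime.fromtimestamp(row[0], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return " ".join([stamp] + [str(x) for x in row[1:]])
```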
