The Sleuth Kit Informer

Overview

The Sleuth Kit Informer is a bi-monthly newsletter for The Sleuth Kit, Autopsy, and related tools. The goal of the newsletter is to increase awareness, knowledge, and documentation for these tools. The planned topics range from tool design details to techniques on breaking a disk image into partition images.

[Note that the Informer has not been published in quite some time because of lack of time]

To subscribe to the e-mail newsletter, go here.

Do you want to write an article for The Informer? Check out the Call for Papers.

The most recent issue (#23) can be found here and below.

Original Archives

• Issue #1 (text) - February 15, 2003
  • A High-Level Design Overview of Autopsy and TASK
  • Placing HTML in Jail
• Issue #2 (text) - March 15, 2003
  • Autopsy 1.70 Case Management
  • Splitting The Disk - Part 1
• Issue #3 (text) - April 15, 2003
  • Did You Know? - Autopsy Date Stamps
  • Sorting Out The Sorter (Part 1 in a series of 3)
• Issue #4 (text) - May 15, 2003
  • Did You Know? - Group-based File Recovery
  • Creating Custom sorter Rule Sets (Part 2 in a series of 3)
• Issue #5 (text) - June 15, 2003
  • Did You Know? - Importing timelines into spread sheets
  • Sorter Internals (Part 3 in a series of 3)
• Issue #6 (text) - July 15, 2003
  • Hunting for Hashes (Part 1 in a series of 2)
• Issue #7 (text) - August 15, 2003
  • Did You Know? - Reducing the data in timelines
  • NSRL Correction
  • Finding Hashes with 'hfind' (Part 2 in a series of 2)
• Issue #8 (text) - September 15, 2003
  • Did You Know? - New Command Logging
  • Locking In On Keywords
• Issue #9 (text) - October 15, 2003
  • No major article (On vacation because of the Honeynet Challenge grading)
• Issue #10 (text) - November 16, 2003
  • UNIX Incident Verification with The Sleuth Kit
• Issue #11 (text) - December 15, 2003
  • 'dd' Acquisitions
• Issue #12 (text) - January 15, 2004
  • sdd: A 'dd' Variant
  • Splitting The Disk With mmls
• Issue #13 (text) - March 15, 2004
  • Call For Papers
  • UNIX Incident Verification with Autopsy
• Issue #14 (text) - May 15, 2004
  • Call For Papers
  • TSK FAT File Recovery
• Issue #15 (text) - July 15, 2004
  • Partition Recovery With TestDisk (Christophe Grenier)
  • File Name Searching In Autopsy (Brian Carrier)
• Issue #16 (text) - September 15, 2004
  • Searchtools, Indexed Searching in Forensic Images (Paul Bakker)
  • sstrings and Unicode Searching (Brian Carrier)
  • NTFS Orphan Files (Brian Carrier)
• Issue #17 (text) - November 15, 2004
  • Detecting Host Protected Areas (HPA) in Linux (Brian Carrier)
  • Finding Binary Signatures (Brian Carrier)
• Issue #18 (text) - January 15, 2005
  • Description of the FAT fsstat Output (Brian Carrier)
• Issue #19 (text) - March 15, 2005
  • New Image File Support (Brian Carrier)
  • Hooking IO Calls for Multi-Format Image Support (Michael Cohen)
• Issue #20 (text) - May 15, 2005
  • Removing Host Protected Areas (HPA) in Linux (Brian Carrier)
  • Automatic Type Detection (Brian Carrier)
• Issue #21 (text) - November 15, 2005
  • New Sleuth Kit Licenses (Brian Carrier)
  • FAT and ils Changes (Brian Carrier)
• Issue #22 (text) - March 15, 2006
  • Current disk_stat Limitations (Brian Carrier)
  • TSK Libraries (Brian Carrier)
• Issue #23 (text) - May 16, 2006
  • Expert Witness and AFF Support (Brian Carrier)
  • An Introduction To The libewf Expert Witness Library (Joachim Metz and Robert-Jan Mora)

Translated Archives

• German
• Italian

These articles are licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.