The Sleuth Kit provides a plug-in framework that makes it easier to build end-to-end digital forensics solutions. The framework makes it easier to integrate the various analysis modules that each focus on different file types and analysis techniques. This page covers the basic ideas behind the framework.
Why Is It Needed?
The Sleuth Kit has historically focused on volume and file systems and the end result is information about files. The user must then use a variety of different tools with different interfaces and requirements to analyze at the application-layer. There are too many file types and analysis techniques at the application-layer for a single tool to be able to provide all of the solutions.
The Sleuth Kit Framework provides an open platform for application-layer modules to operate. The modules do not need to worry about getting access to files (the framework takes care of that) and users do not need to worry about copy data in between various tools (the framework takes care of that too).
The Framework Docs outline the framework concepts in more detail, but this section covers the basics.
The framework is based on three phases of the analysis process:
- File Extraction: The framework uses TSK and carving tools to analyze disk images and identify the files. Information about each file is added to a central database (SQLite, PostgreSQL, etc.).
- File Analysis: Each file is analyzed by running it through a framework pipeline, which is a series of modules. Each module has a specific analysis task, such as calculating a hash value, looking up a hash value, or calculating entropy. Each file is processed by the pipeline and the module results are saved to the database.
- Post Processing / Reporting: After all files have been analyzed, another pipeline is run with post processing tasks. These modules may merge results together or may make final reports.
These phases can be seen in the following diagram (select it for a larger version):
The framework provides the infrastructure for in-depth digital
forensics. The individual modules perform the analysis. The framework
comes with a set of standard modules and you can import other
third-party-modules. Details about writing a module are given below.
The framework is based on the concept that different modules do all of the work. The modules need to communicate though so that, for example, one module can calculate the MD5 hash of a file and multiple other modules can use that hash value to look the value up in a database or use it to document its results.
The framework uses a blackboard to allow modules to communicate. Modules can create artifacts on the blackboard to save their results and they can query the blackboard to see what previous modules posted. Examples of artifacts include web bookmarks, web cookies, hash set hits, and file types. Basically, any type of data that could be useful during an investigation can be posted to the blackboard.
A visual representation of the blackboard can be found here (select it for a larger version):
There are multiple bookmark artifacts and hashset hits that one or more modules may have posted. A reporting module could then query the blackboard for all results and make a final HTML report. It doesn't care which module found it and posted it (although the blackboard keeps track of that information).
Using the Framework
The framework itself is infrastructure that needs to be incorporated into
another tool for it to be useful. It can (and has been) used in desktop applications as well as distributed systems.
Currently, you can use the tsk_analyzeimg tool to analyze a disk image using Sleuth Kit and the framework. This is a simple command line tool that loads a disk image into SQLite and runs pipelines on each file.
As time goes on, more tools will integrate the framework and users will have more options. We'll update the wiki page to list the tools that are using the framework.
Regardless of the tool that you use, you need modules. There are a set of modules that come with the framework. The current list includes:
Integrating the Framework
Developers can integrate the framework into their systems so
that they can more easily incorporate additional analysis techniques
(such as the modules already written or modules that are written
by other developers).
Developers can also more quickly develop solutions by writing
modules for the framework and leveraging the work from other
developers. For example, they can focus on developing a module and
letting tsk_analyzeimg break the image into files and
dealing with scheduling of analysis tasks.
The framework will only be successful if modules are written for it. If you develop forensics software, I encourage you to write modules for the framework.
Refer to the Developer's Guide to Writing Modules to learn the details.
- Users can download a Win32 binary distribution of the framework from the Download page.
- Developers can get the source code from the github site or the tar.gz file on the download page.
Refer to the INSTALL docs about specific requirements and dependencies.
The framework has been tested on Windows and Linux / OS X.