The following are the man pages and additional documents for the tools
in The Sleuth Kit. Standard tools such as md5, sha1,
and file are not shown here.
The following tools take a disk or file system image as input. All
file system tools support NTFS, FAT, Ext2/3, and UFS1/2 file systems.
File System Layer Tools
These file system tools process general file system data, such as
the layout, allocation structures, and boot blocks
fsstat:
Shows file system details and statistics including layout, sizes,
and labels.
Meta Data Layer Tools
These file system tools process the meta data structures, which store
the details about a file. Examples of this structure include directory
entries in FAT, MFT entries in NTFS, and inodes in ExtX and UFS.
icat:
Extracts the data units of a file, which is specified by its meta
data address (instead of the file name).
ifind:
Finds the meta data structure that has a given file name pointing
to it or the meta data structure that points to a given data unit.
ils:
Lists the meta data structures and their contents in a pipe-delimited
format.
istat:
Displays the statistics and details about a given meta data structure
in an easy-to-read format.
Data Unit Layer Tools
These file system tools process the data units where file content is
stored. Examples of this layer include clusters in FAT and NTFS and
blocks and fragments in ExtX and UFS.
dcat:
Extracts the contents of a given data unit.
dls:
Lists the details about data units and can extract the unallocated
space of the file system.
dstat:
Displays the statistics about a given data unit in an easy-to-read format.
dcalc:
Calculates where data in the unallocated space image (from dls)
exists in the original image. This is used when evidence is found
in unallocated space.
File System Journal Tools
These file system tools process the journal that some file systems
have. The journal records the metadata (and sometimes content) updates
that are made. This could help recover recently deleted data. Examples
of file systems with journals include Ext3 and NTFS.
jcat:
Displays the contents of a specific journal block.
jls:
Lists the entries in the file system journal.
Media Management Tools
These tools take a disk (or other media) image as input and analyze
its partition structures. Examples include DOS partitions, BSD
disk labels, and the Sun Volume Table of Contents (VTOC). These
can be used to find hidden data between partitions and to identify the
file system offset for The Sleuth Kit tools. The media management
tools support DOS partitions, BSD disk labels, Sun VTOC, and Mac
partitions.
mmls:
Displays the layout of a disk, including the unallocated spaces.
The output identifies the type of partition and its length, which
makes it easy to use 'dd' to extract the partitions. The output
is sorted based on the starting sector so it is easy to identify
gaps in the layout.
Example output is available for DOS, BSD, Mac, and Sun partition tables.
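As an added example (not part of The Sleuth Kit's own documentation), the shell script below reads a constructed mmls table, prints one dd command per allocated partition, and returns a partition's start sector for the file system tools' -o offset option; the image name disk.dd and the output file naming are assumptions.

```shell
# Constructed mmls output in the DOS-partition layout; the units line says
# 512-byte sectors, which is the block size the dd commands below use.
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000032129   0000032067   Linux (0x83)
03:  00:01   0000032130   0000064259   0000032130   Linux Swap / Solaris x86 (0x82)
04:  -----   0000064260   0000065535   0000001276   Unallocated'

# Print "index start length description" for each allocated, non-meta row.
# The +0 makes awk treat the zero-padded sector strings as decimal numbers.
allocated_rows() {
    printf '%s\n' "$MMLS_SAMPLE" | awk '
        /^[0-9]+:/ && $2 != "Meta" && $0 !~ /Unallocated/ {
            idx = $1; sub(":", "", idx)
            desc = $6; for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%s %d %d %s\n", idx, $3 + 0, $5 + 0, desc
        }'
}

# One dd command per partition: bs matches the mmls unit, skip is the Start
# column and count the Length column, so no byte arithmetic is needed.
dd_commands() {
    image=$1
    allocated_rows | while read -r idx start length desc; do
        printf 'dd if=%s of=%s.part%s.dd bs=512 skip=%s count=%s   # %s\n' \
            "$image" "$image" "$idx" "$start" "$length" "$desc"
    done
}

# Start sector of one partition, the value the file system tools take with
# -o (e.g. fsstat -o 63 disk.dd) to work on the partition without carving it.
part_start() {
    allocated_rows | awk -v want="$1" '$1 == want { print $2 }'
}

# The same offset in bytes, for tools that want bytes instead of sectors.
part_byte_offset() {
    echo $(( $(part_start "$1") * 512 ))
}

dd_commands disk.dd
```

Gaps between the Start of one row and the End of the previous one are the unallocated ranges mmls lists, which is where hidden data between partitions would be carved from.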
mmstat:
Displays details about a volume system (typically only the type).
mmcat:
Extracts the contents of a specific volume to STDOUT.
Disk Tools
These tools can be used to detect and remove a Host Protected Area (HPA)
on an ATA disk. An HPA could be used to hide data so that it would not be
copied during an acquisition. These tools are currently Linux-only.
disk_sreset:
This tool will temporarily remove an HPA if one exists. After the
disk is reset, the HPA will return.
disk_stat:
This tool will show if an HPA exists.
(Sleuth Kit Informer #17)
Other Tools
hfind:
Uses a binary search algorithm to look up hashes in the NIST NSRL,
Hashkeeper, and custom hash databases created by md5sum.
(Sleuth Kit Informer #6)
mactime:
Takes input from the fls and ils tools to
create a timeline of file activity.
sorter:
Sorts files based on their file type and performs extension checking
and hash database lookups.
(Sleuth Kit Informer #3, #4, #5)
sigfind:
Searches for a binary value at a given offset. Useful for recovering
lost data structures.
(Sleuth Kit Informer #17)