Description

The Sleuth Kit® (TSK) is a library and collection of command line tools that allow you to investigate disk images. The core functionality of TSK allows you to analyze volume and file system data. The plug-in framework allows you to incorporate additional modules to analyze file contents and build automated systems. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

Autopsy is the Graphical User Interface (GUI).

Installation

Installation from packages

$ sudo aptitude install sleuthkit autopsy

From sources

Sleuthkit

$ wget http://downloads.sourceforge.net/project/sleuthkit/sleuthkit/4.1.2/sleuthkit-4.1.2.tar.gz
$ ./configure
$ make
$ sudo make install

Autopsy

Version 3 is only for Windows OS. If you're looking for a version that works with Linux, you will have to use version 2.

The best is to install it from the packages:

$ sudo aptitude install autopsy

Tools

blkcalc blkcat blkls blkstat fcat ffind fiwalk

fls fsstat hfind icat ifind ils img_cat

img_stat istat jcat jls jpeg_extract mmcat mmls

mmstat sigfind srch_strings tsk_comparedir tsk_gettimes tsk_loaddb tsk_recover