{"id":13540334,"url":"https://github.com/sleuthkit/sleuthkit","last_synced_at":"2025-05-13T21:11:39.911Z","repository":{"id":37664806,"uuid":"2562873","full_name":"sleuthkit/sleuthkit","owner":"sleuthkit","description":"The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence. ","archived":false,"fork":false,"pushed_at":"2025-04-17T12:20:37.000Z","size":65600,"stargazers_count":2786,"open_issues_count":399,"forks_count":631,"subscribers_count":181,"default_branch":"develop","last_synced_at":"2025-04-28T17:06:14.528Z","etag":null,"topics":["forensics","incident-response","ntfs","sleuthkit","tct"],"latest_commit_sha":null,"homepage":"http://www.sleuthkit.org/sleuthkit/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sleuthkit.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog.txt","contributing":null,"funding":null,"license":"licenses/Apache-LICENSE-2.0.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2011-10-12T14:26:49.000Z","updated_at":"2025-04-27T17:07:53.000Z","dependencies_parsed_at":"2024-02-27T22:28:03.664Z","dependency_job_id":"2224cf2a-a081-42d7-96fa-e801232e1cb8","html_url":"https://github.com/sleuthkit/sleuthkit","commit_stats":null,"previous_names":[],"tags_count":63,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sleuthkit%2Fsleuthkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/repositories/sleuthkit%2Fsleuthkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sleuthkit%2Fsleuthkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sleuthkit%2Fsleuthkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sleuthkit","download_url":"https://codeload.github.com/sleuthkit/sleuthkit/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254029004,"owners_count":22002283,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forensics","incident-response","ntfs","sleuthkit","tct"],"created_at":"2024-08-01T09:01:47.021Z","updated_at":"2025-05-13T21:11:34.893Z","avatar_url":"https://github.com/sleuthkit.png","language":"C++","readme":"[![codecov](https://codecov.io/github/sleuthkit/sleuthkit/branch/develop/graph/badge.svg?token=pfFlgpWdCt)](https://codecov.io/github/sleuthkit/sleuthkit)\n\n[![Appveyor Build status](https://ci.appveyor.com/api/projects/status/8f7ljj8s2lh5sqfv?svg=true)](https://ci.appveyor.com/project/bcarrier/sleuthkit)\n\n[![Github Build Status](https://github.com/sleuthkit/sleuthkit/actions/workflows/build-unix.yml/badge.svg?branch=develop)]\n\n# [The Sleuth Kit](http://www.sleuthkit.org/sleuthkit)\n\n## INTRODUCTION\nThe Sleuth Kit is an open source forensic toolkit for analyzing\nMicrosoft and UNIX file systems and disks.  The Sleuth Kit enables\ninvestigators to identify and recover evidence from images acquired\nduring incident response or from live systems.  
The Sleuth Kit is\nopen source, which allows investigators to verify the actions of\nthe tool or customize it to specific needs.\n\nThe Sleuth Kit uses code from the file system analysis tools of\nThe Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer.  The\nTCT code was modified for platform independence.  In addition,\nsupport was added for the NTFS (see [wiki/ntfs](http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes))\nand FAT (see [wiki/fat](http://wiki.sleuthkit.org/index.php?title=FAT_Implementation_Notes)) file systems.  Previously, The Sleuth Kit was\ncalled The @stake Sleuth Kit (TASK).  The Sleuth Kit is now independent\nof any commercial or academic organizations.\n\nIt is recommended that these command line tools be used with\nthe Autopsy Forensic Browser.  Autopsy (http://www.sleuthkit.org/autopsy)\nis a graphical interface to the tools of The Sleuth Kit and automates\nmany of the procedures and provides features such as image searching\nand MD5 image integrity checks.\n\nAs with any investigation tool, any results found with The Sleuth\nKit should be recreated with a second tool to verify the data.\n\n## OVERVIEW\nThe Sleuth Kit allows one to analyze a disk or file system image\ncreated by 'dd', or a similar application that creates a raw image.\nThese tools are low-level and each performs a single task.  When\nused together, they can perform a full analysis.  For a more detailed\ndescription of these tools, refer to [wiki/filesystem](http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview).\nThe tools are briefly described in a file system layered approach.  Each\ntool name begins with a letter that is assigned to the layer.\n\n### File System Layer:\nA disk contains one or more partitions (or slices).  Each of these\npartitions contains a file system.  
Examples of file systems include\nthe Berkeley Fast File System (FFS), Extended 2 File System (EXT2FS),\nFile Allocation Table (FAT), and New Technologies File System (NTFS).\n\nThe fsstat tool displays file system details in an ASCII format.\nExamples of data in this display include volume name, last mounting\ntime, and the details about each \"group\" in UNIX file systems.\n\n### Content Layer (block):\nThe content layer of a file system contains the actual file content,\nor data.  Data is stored in large chunks, with names such as blocks,\nfragments, and clusters.  All tools in this layer begin with the letters\n'blk'.\n\nThe blkcat tool can be used to display the contents of a specific unit of\nthe file system (similar to what 'dd' can do with a few arguments).\nThe unit size is file system dependent.  The 'blkls' tool displays the\ncontents of all unallocated units of a file system, resulting in a\nstream of bytes of deleted content.  The output can be searched for\ndeleted file content.  The 'blkcalc' program allows one to identify the\nunit location in the original image of a unit in the 'blkls' generated\nimage.\n\nA new feature of The Sleuth Kit from TCT is the '-l' argument to\n'blkls' (or 'unrm' in TCT).  This argument lists the details for data\nunits, similar to the 'ils' command.  The 'blkstat' tool displays\nthe statistics of a specific data unit (including allocation status\nand group number).\n\n### Metadata Layer (inode):\nThe metadata layer describes a file or directory.  This layer contains\ndescriptive data such as dates and size as well as the addresses of the\ndata units.  This layer describes the file in terms that the computer\ncan process efficiently.   The structures that the data is stored in\nhave names such as inode and directory entry.  All tools in this layer\nbegin with an 'i'.\n\nThe 'ils' program lists some values of the metadata structures.\nBy default, it will only list the unallocated ones.  
The 'istat' tool\ndisplays metadata information in an ASCII format about a specific\nstructure.  New to The Sleuth Kit is that 'istat' will display the\ndestination of symbolic links.  The 'icat' function displays the\ncontents of the data units allocated to the metadata structure\n(similar to the UNIX cat(1) command).  The 'ifind' tool will identify\nwhich metadata structure has allocated a given content unit or\nfile name.\n\nRefer to the [ntfs wiki](http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes)\nfor information on addressing metadata attributes in NTFS.\n\n### Human Interface Layer (file):\nThe human interface layer allows one to interact with files in a\nmanner that is more convenient than directly with the metadata\nlayer.  In some operating systems there are separate structures for\nthe metadata and human interface layers while others combine them.\nAll tools in this layer begin with the letter 'f'.\n\nThe 'fls' program lists file and directory names.  This tool will\ndisplay the names of deleted files as well.  The 'ffind' program will\nidentify the name of the file that has allocated a given metadata\nstructure.  With some file systems, deleted files will be identified.\n\n#### Time Line Generation\nTime lines are useful to quickly get a picture of file activity.\nUsing The Sleuth Kit a time line of file MAC times can be easily\nmade.  The mactime (TCT) program takes as input the 'body' file\nthat was generated by fls and ils.  To get data on allocated and\nunallocated file names, use 'fls -rm dir' and for unallocated inodes\nuse 'ils -m'.  Note that the behavior of these tools is different\nthan in TCT.  For more information, refer to [wiki/mactime](http://wiki.sleuthkit.org/index.php?title=Mactime).\n\n\n#### Hash Databases\nHash databases are used to quickly identify if a file is known.  The\nMD5 or SHA-1 hash of a file is taken and a database is used to identify\nif it has been seen before.  
This allows identification to occur even\nif a file has been renamed.\n\nThe Sleuth Kit includes the 'md5' and 'sha1' tools to generate\nhashes of files and other data.\n\nAlso included is the 'hfind' tool.  The 'hfind' tool allows one to create\nan index of a hash database and perform quick lookups using a binary\nsearch algorithm.  The 'hfind' tool can perform lookups on the NIST\nNational Software Reference Library (NSRL) (www.nsrl.nist.gov) and\nfiles created from the 'md5' or 'md5sum' command.  Refer to the\n[wiki/hfind](http://wiki.sleuthkit.org/index.php?title=Hfind) file for more details.\n\n#### File Type Categories\nDifferent types of files typically have different internal structure.\nThe 'file' command comes with most versions of UNIX and a copy is\nalso distributed with The Sleuth Kit.  This is used to identify\nthe type of file or other data regardless of its name and extension.\nIt can even be used on a given data unit to help identify what file\nused that unit for storage.  Note that the 'file' command typically\nuses data in the first bytes of a file so it may not be able to\nidentify a file type based on the middle blocks or clusters.\n\nThe 'sorter' program in The Sleuth Kit will use other Sleuth Kit\ntools to sort the files in a file system image into categories.\nThe categories are based on rule sets in configuration files.  The\n'sorter' tool will also use hash databases to flag known bad files\nand ignore known good files.  Refer to the [wiki/sorter](http://wiki.sleuthkit.org/index.php?title=Sorter)\nfile for more details.\n\n\n## TESTING\nBoth unit and end-to-end tests are located in the [test](test/) directory. Small and legacy disk images are located in [test/data](test/data/). Some tests require disk images that are included in the [Github repository](https://github.com/sleuthkit/sleuthkit_test_data); large disk images are distributed as compressed (.E01) images using [git's extensions for large objects](https://git-lfs.com/).  
By default, this repo resides at [../sleuthkit_test_data](../sleuthkit_test_data). However, it can be installed elsewhere by setting the environment variable `SLEUTHKIT_TEST_DATA_DIR`.\n\nIf the disk images are not present, tests requiring the disk images will generate a warning but not an error.\n\n- Tests can be run by typing `make check`.\n\n- Tests can be run on a new distribution by typing `make distcheck`.\n\n\n\n## LICENSE\nThere are a variety of licenses used in TSK based on where they\nwere first developed.  The licenses are located in the [licenses\ndirectory](https://github.com/sleuthkit/sleuthkit/tree/develop/licenses).\n\n- The file system tools (in the\n[tools/fstools](https://github.com/sleuthkit/sleuthkit/tree/develop/tools/fstools)\ndirectory) are released under the IBM open source license and Common\nPublic License.\n- srch_strings and fiwalk are released under the GNU Public License\n- Other tools in the tools directory are Common Public License\n- The modifications to 'mactime' from the original 'mactime' in TCT\nand 'mac-daddy' are released under the Common Public License.\n\nThe library uses utilities that were released under MIT and BSD 3-clause.\n\n\n## INSTALL\nFor installation instructions, refer to the INSTALL.txt document.\n\n## OTHER DOCS\nThe [wiki](http://wiki.sleuthkit.org/index.php?title=Main_Page) contains documents that\ndescribe the provided tools in more detail.  
The Sleuth Kit Informer is a newsletter that contains\nnew documentation and articles.\n\n\u003e www.sleuthkit.org/informer/\n\n## MAILING LIST\nMailing lists exist on SourceForge, for both users and a low-volume\nannouncements list.\n\n\u003e http://sourceforge.net/mail/?group_id=55685\n\nBrian Carrier\n\ncarrier at sleuthkit dot org\n","funding_links":[],"categories":["Tools","\u003ca id=\"e1fc1d87056438f82268742dc2ba08f5\"\u003e\u003c/a\u003e事件响应\u0026\u0026取证\u0026\u0026内存取证\u0026\u0026数字取证","Challenges","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","\u003ca id=\"8159418f807637a0d70406803a3c08c5\"\u003e\u003c/a\u003eSleuthkit","Other Lists","4. [↑](#-content) Forensic \u0026 Malware Analysis","forensics","C++","工具","Forensics"],"sub_categories":["Frameworks","Binary files examination and editing","\u003ca id=\"1fc5d3621bb13d878f337c8031396484\"\u003e\u003c/a\u003e取证\u0026\u0026Forensics\u0026\u0026数字取证\u0026\u0026内存取证","Analysis / Gathering tool (Know your ennemies)","🛡️ DFIR:","4.1 [↑](#-content) Forensic","有关渗透测试和安全方面的Docker镜像","Steganography"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsleuthkit%2Fsleuthkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsleuthkit%2Fsleuthkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsleuthkit%2Fsleuthkit/lists"}