The Sleuth Kit

The Sleuth Kit (TSK) is a powerful collection of command-line tools for digital forensic analysis. It examines disk images and file systems at multiple layers—from raw disk blocks to individual files—supporting NTFS, FAT, EXT2/3/4, HFS+, and more. TSK forms the engine behind the Autopsy GUI forensic browser.

Installation

Linux (Debian/Ubuntu)

sudo apt-get install sleuthkit
sudo apt-get install autopsy  # Optional GUI frontend

macOS

brew install sleuthkit
brew install autopsy

Windows

Download installer from sleuthkit.org or compile from source.

From Source

git clone https://github.com/sleuthkit/sleuthkit.git
cd sleuthkit
./configure
make
sudo make install

Image and File System Analysis

List Partitions and Volume Offsets

mmls -t partition_type image.dd
mmls image.dd  # Auto-detect type
mmls -i raw image.dd  # Specify raw image type

Command	Description
mmls image.dd	List partitions/volumes in disk image
mmls -t dos image.dd	List DOS/MBR partitions
mmls -t gpt image.dd	List GUID Partition Table entries
mmls -B image.dd	Show sector offsets for partition analysis

File System Statistics

fsstat image.dd
fsstat -o offset image.dd  # Analyze specific partition
fsstat -i fat image.dd  # Specify file system type

Command	Description
fsstat image.dd	Display file system metadata and statistics
fsstat -o 2048 image.dd	Analyze partition at 2048 sector offset
fsstat -i ext2 image.dd	Manually specify EXT2 file system
fsstat -i ntfs image.dd	Analyze NTFS file system details

File System Layer Analysis

List Files and Directories

fls image.dd
fls -r image.dd  # Recursive listing
fls -o offset image.dd  # Specify partition offset
fls -m image.dd  # Mactime format (timestamps)
fls -u image.dd  # Include unallocated entries
fls -H image.dd  # Include deleted entries (with hash)

Command	Description
fls image.dd	List directory contents of root
fls -r image.dd	Recursively list all files
fls -o 2048 image.dd	List files from partition at offset 2048
fls -u image.dd	Show unallocated (deleted) directory entries
fls -m image.dd > timeline.txt	Output in mactime format for timeline
fls -F image.dd	Fast mode (fewer details, faster processing)

Extract File Contents

icat image.dd inode_number > recovered_file
icat -o offset image.dd inode_number > file_output

Command	Description
icat image.dd 50 > file.txt	Extract inode 50 content to file
icat -o 2048 image.dd 50 > file.txt	Extract from specific partition offset
icat -r image.dd 50 > file.dat	Raw extraction without interpretation

Find Files by Name

ffind image.dd filename
ffind -i image.dd filename  # Case-insensitive
ffind -o offset image.dd filename  # Partition offset

Command	Description
ffind image.dd secret.txt	Find file by name
ffind -i image.dd secret.txt	Case-insensitive file search
ffind image.dd "*temp*"	Wildcard file name search
ffind -o 2048 image.dd *.jpg	Find JPEGs in specific partition

Metadata Layer Analysis

Inode Statistics

istat image.dd inode_number
istat -o offset image.dd inode_number

Command	Description
istat image.dd 100	Display inode 100 metadata (times, size, blocks)
istat -o 2048 image.dd 100	Inode details from partition at offset
istat -z timezone image.dd 100	Display times in specific timezone

List Inodes

ils image.dd
ils -o offset image.dd  # Partition offset
ils -a image.dd  # All inodes (deleted too)
ils -m image.dd  # Mactime format

Command	Description
ils image.dd	List allocated inodes
ils -a image.dd	List all inodes (allocated and deleted)
ils -m image.dd	Output in mactime timeline format
ils -o 2048 image.dd	List inodes from partition

Data Layer Analysis

Block Statistics

blkstat image.dd block_number
blkstat -o offset image.dd block_number

Command	Description
blkstat image.dd 5000	Display block 5000 information
blkstat -o 2048 image.dd 5000	Block analysis from partition

Extract Raw Blocks

blkcat image.dd block_number > block_output
blkcat -o offset image.dd 1000-1010 > blocks.bin  # Range of blocks

Command	Description
blkcat image.dd 5000 > block.bin	Extract block 5000 raw data
blkcat image.dd 5000-5010 > blocks.bin	Extract range of blocks
blkcat -o 2048 image.dd 5000 > block.bin	Extract from partition

Block Listing

blkls image.dd
blkls -a image.dd  # All blocks (allocated and unallocated)
blkls -u image.dd  # Only unallocated blocks

Command	Description
blkls image.dd	List allocated blocks
blkls -a image.dd	List all blocks
blkls -u image.dd	List unallocated (free) blocks

Timeline Creation and Analysis

Generate Mactime Format

fls -r -m image.dd > body_file.txt
ils -m image.dd >> body_file.txt
mactime -b body_file.txt -y > timeline.txt

Command	Description
fls -r -m image.dd > body.txt	Generate body file from file system
mactime -b body.txt > timeline.txt	Create sorted timeline
mactime -b body.txt -y > csv_timeline.csv	Output timeline in CSV format
mactime -b body.txt -d > detailed.txt	Detailed timeline output

Combine Multiple Timelines

fls -r -m /mnt/image1.dd > image1_body.txt
fls -r -m /mnt/image2.dd > image2_body.txt
cat image1_body.txt image2_body.txt | mactime > combined_timeline.txt

Keyword and String Searching

Search for Strings in Image

srch_strings image.dd | grep -i password

Command	Description
srch_strings image.dd	Extract strings from image
srch_strings image.dd | grep password	Find password-related strings
srch_strings -t d image.dd | grep -i email	Search for email addresses

Combine with Other Tools

srch_strings image.dd | sort | uniq > strings_found.txt
strings image.dd | grep -E "http|ftp|smtp" > urls_found.txt

Hash Databases

Create Hash Database

md5sum -r mounted_filesystem > filesystem_hashes.txt
hfind -i md5 filesystem_hashes.txt hash_value  # Later lookup

Use NIST NSRL Hash Database

# Download and import NSRL database
hfind -i md5 nsrl.txt hash_to_search

Command	Description
hfind -i md5 db.txt hash_value	Look up hash in database
hfind -i sha1 hashes.txt known_hash	Find matching SHA1
hfind -o db.txt hash_file	Search multiple hashes from file

Common Forensic Workflows

Quick Disk Image Analysis

# 1. Identify partitions
mmls evidence.dd

# 2. Analyze file system
fsstat -o 2048 evidence.dd

# 3. List files
fls -r -o 2048 evidence.dd > files.txt

# 4. Create timeline
fls -r -m -o 2048 evidence.dd > body.txt
mactime -b body.txt > timeline.csv

Find Deleted Files

# 1. List all inodes (including deleted)
ils -a -o 2048 image.dd > all_inodes.txt

# 2. List deleted directory entries
fls -u -o 2048 image.dd > deleted_entries.txt

# 3. Check specific inode
istat -o 2048 image.dd 12345

# 4. Recover file
icat -o 2048 image.dd 12345 > recovered_file

Locate Suspicious Files

# Find files modified during specific date range
fls -r -m image.dd | awk -F'|' '$4 >= 1234567890 && $4 <= 1234577890'

# Search for executables
fls -r image.dd | grep -E "\.(exe|elf|so)$"

# Find recently accessed files
ils -a image.dd | sort -t'|' -k6 -r | head -20

Recover Partition After Accidental Deletion

# 1. Scan for lost partitions
mmls image.dd

# 2. If partition table corrupted, try recovery
fsstat image.dd  # May show lost file systems

# 3. Search for file system signatures
srch_strings image.dd | grep -E "NTFS|EXT[234]|HFS"

# 4. Use photorec for carving (if TSK recovery insufficient)
photorec /d /mnt/recovered image.dd

Autopsy Integration

Launch Autopsy GUI

autopsy
# Opens web interface (usually http://localhost:9999)

Add Evidence to Autopsy

1. Open Autopsy web interface
2. Create new case
3. Add host/device
4. Add data source (disk image)
5. Configure ingest modules (hash lookup, keyword search, timeline)
6. View results in analysis interface

Command-Line Evidence Processing

# Autopsy can process images via CLI in some versions
autopsy -c case_name -a image.dd

File System Types

File System	Tools	Notes
NTFS	All TSK tools	Windows primary, fully supported
FAT12/16/32	All TSK tools	Older Windows/USB, well supported
EXT2/3/4	All TSK tools	Linux primary, fully supported
HFS+	All TSK tools	macOS, fully supported
UFS	All TSK tools	BSD/Solaris, supported
ISO 9660	All TSK tools	CD/DVD, supported

Tips and Tricks

Batch Processing Multiple Images

for image in *.dd; do
  echo "Processing $image"
  fls -r -m "$image" > "${image%.dd}_body.txt"
done

Create Forensic Copy

# Using dd (creates exact copy)
dd if=/dev/sda of=disk_image.dd status=progress

# Using dcfldd (better error handling)
dcfldd if=/dev/sda of=disk_image.dd hash=md5 progress=on

Mount Image Read-Only for Inspection

# Linux with offset
sudo mount -o ro,loop,offset=$((2048 * 512)) image.dd /mnt/evidence

# macOS
hdiutil attach -nomount image.dd
mount_msdos -r /dev/disk2s1 /mnt/evidence

Export Timeline for Timeline Analysis Tools

fls -r -m image.dd | mactime -b - | sort > timeline.csv
# Import into Timesketch, Analyst's Notebook, or Excel

Performance Optimization

Technique	Benefit
-F flag on fls	Faster processing, fewer details
Parallel processing	Process multiple images simultaneously
Partition offset (-o)	Faster when you know exact partition location
-u flag selectively	Only search unallocated when needed

Common Issues

Problem	Solution
File system not recognized	Use -i to manually specify type
Wrong inode number	Verify with ffind before extraction
Timeline gaps	Combine fls and ils output
Memory issues on large images	Process partitions separately
Bad sector errors	Use dcfldd for acquisition with error handling

Additional Resources

• Sleuth Kit Documentation
• Autopsy User Guide
• DFIR Online Course
• Brian Carrier’s Books on Digital Forensics