23 lines
1.1 KiB
Plaintext
The Sleuth Kit (previously known as TASK) is the only open
source forensic toolkit for a complete analysis of Microsoft
and UNIX file systems.
It enables investigators to identify and recover evidence from
images acquired during incident response or from live systems.

Some of its features:

* Analyzes images generated by the open source 'dd' utility,
  found on all UNIX systems and available for Windows systems.
* Supports the NTFS, FAT, FFS, and EXT2FS file systems. Images
  of a different endian ordering than the analysis system can
  be used.
* The tools are organized in a layered approach, where the names
  in each layer start with the same letter to help the user identify
  the function of the tool. The layers include File System, File
  Name (directory entries and NTFS index trees), Meta-Data (UNIX
  inodes and NTFS MFT entries), and Content (blocks and clusters).
* Identifies deleted files by name and location.
* Identifies the status of content units (blocks and clusters)
  and meta-data structures.
* Maps the relationship of objects across different layers.
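To show what the four layers and the cross-layer mapping mean in practice, here is an added example (not Sleuth Kit code) that builds a constructed FAT12 image in memory and walks it the way the layered tools do: boot-sector geometry (File System layer), root directory entries including a deleted one (File Name layer), FAT entries for allocation status (Meta-Data layer), and cluster-to-offset mapping plus content recovery (Content layer). The image layout, file names and contents are all assumptions made up for the example.

```python
import struct
DIRENT = "<11sB14xHI"  # FAT directory entry: 8.3 name, attributes, (skipped), first cluster, size

def build_image():
    """Construct a tiny 8-sector FAT12 image (sample data, not a real acquisition)."""
    img = bytearray(8 * 512)
    # Boot sector: 512 B/sector, 1 sector/cluster, 1 reserved, 2 FATs x 1 sector, 16 root entries
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 16, 8, 0xF8, 1)
    # FATs (sectors 1-2): clusters 0/1 reserved, cluster 2 = end of chain, cluster 3 freed by a delete
    img[512:517] = img[1024:1029] = b"\xF8\xFF\xFF\xFF\x0F"
    struct.pack_into(DIRENT, img, 3 * 512, b"README  TXT", 0x20, 2, 13)  # root dir, sector 3
    struct.pack_into(DIRENT, img, 3 * 512 + 32, b"\xE5ECRET  TXT", 0x20, 3, 6)  # deleted SECRET.TXT
    img[2048:2061], img[2560:2566] = b"hello, world\n", b"topsec"  # clusters 2 and 3 (sectors 4 and 5)
    return bytes(img)

def parse_boot(img):
    """File System layer (fsstat): the geometry every other layer is mapped through."""
    bps, spc, rsvd, nfats, root_ents, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root = rsvd + nfats * spf
    return dict(bps=bps, spc=spc, fat_off=rsvd * bps, root_sector=root, root_ents=root_ents,
                data_sector=root + root_ents * 32 // bps)

def fat_entry(img, geo, cluster):
    """Meta-Data layer: 12-bit FAT entry of a cluster; 0 means unallocated (blkstat/dstat)."""
    v = struct.unpack_from("<H", img, geo["fat_off"] + cluster * 3 // 2)[0]
    return v >> 4 if cluster & 1 else v & 0xFFF

def cluster_offset(geo, cluster):
    """Content layer (blkcalc/dcalc): byte offset of a data cluster in the image."""
    return (geo["data_sector"] + (cluster - 2) * geo["spc"]) * geo["bps"]

def list_root(img, geo):
    """File Name layer (fls): root directory entries, deleted ones included."""
    entries = []
    for n in range(geo["root_ents"]):
        name, _attr, first, size = struct.unpack_from(DIRENT, img, geo["root_sector"] * geo["bps"] + n * 32)
        if name[0] == 0:  # unused entry: end of directory
            break
        deleted = name[0] == 0xE5  # a delete overwrites only the first name byte
        base = (b"?" + name[1:8] if deleted else name[:8]).decode().strip()
        entries.append(dict(name=f"{base}.{name[8:].decode().strip()}", deleted=deleted, cluster=first, size=size))
    return entries

def read_file(img, geo, entry):
    """icat-style recovery: follow the FAT chain; a deleted file's chain is zeroed, so only its first cluster is read."""
    data, cl = b"", entry["cluster"]
    while 2 <= cl < 0xFF8:
        data += img[cluster_offset(geo, cl):cluster_offset(geo, cl) + geo["spc"] * geo["bps"]]
        cl = fat_entry(img, geo, cl)
    return data[:entry["size"]]
```

The deleted entry still names its first cluster, and that cluster's FAT entry reads 0 (unallocated), which is exactly the cross-layer relationship an investigator follows from a directory entry to recoverable content.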