1. Sleuthkit/Autopsy
Kevin Krause

2. License and genealogy IBM Open Source, Common Public License, and GPL
Sleuthkit (TSK)
Collection of layered UNIX-based command line investigative tools
Data layer
Metadata layer
Corner’s toolkit
Autopsy
Provides browser-based access to TSK tools
Lazarus

3. Sleuthkit tools Automated tools File system layer tools
tsk_comparedir – compares local directory hierarch with contents of raw device
Useful to detect rootkits
tsk_gettimes – extracts all of the temporal data from image to make a timeline
tsk_loaddb – loads metadata from image into a SQLite database
tsk_recover – extracts the unallocated (or allocated) files from a disk to a local directory
File system layer tools
fsstat – shows file system details and statistics
Layout, sizes, and labels
File name layer tools
ffind –finds allocated and unallocated file names that point to a given meta data structure
fls – lists allocated and deleted file names in a directory
Meta data layer tools
icat – extracts data units of a file specified by the meta data address
ifind – finds meta data structure that has a given name pointing to it or the meta data structure pointing to a data unit
ils – lists meta data structure and components in pipe delimited format
istat – displays statistics and details about given meta data structure

4. Sleuthkit tools Data unit layer tools File system journal tools
blkcat – extracts contents of given data unit
blkls – lists details about data units and can extract unallocated space of file system
blkstat – displays statistics about a given data unit
blkcalc – calculates where data in unallocated space image exits
File system journal tools
jcat – display contents of specified journal block
jls – list file system journal entries
Volume system tools
mmls – displays disk layout including unallocated spaces
mmstat – display details about a volume
mmcat – extracts contents of specified volume to STDOUT
Image file tools
img_stat – shows details of image format
img_cat – shows raw contents of an image file

5. Sleuthkit tools Disk tools Other tools
disk_sreset – to temporarily remove a HPA
disk_stat – will show if HPA exists
Other tools
hfind – binary sort to lookup hashes
mactime creates timeline of file activity from fls and ils tools
sorter – sorts based on file types, extension checking and hash databases
sigfind – searches for binary values at offsets
Recovering lost data structures

6. Compatible file systems
NTFS
FAT
Ext2, Ext3
UFS (1 & 2)
ISO 9660
HFS+

7. The Autopsy 3 front end

8. Autopsy organization
Images
Views
Results

9. Investigation targets
Images
RAW (-dd)
E01 (EnCase)
Live

10. Search functions Lists allocated and unallocated files
Lists and sorts by file type
Shows time of creation and change
Keyword search
Indexes all

11. Working with hash databases
Supports
MD5 or SHA-1
Interfaces
NIST NSRL
Hashkeeper
User defined
Known good and/or known bad

12. Reporting Tracks investigation activities Report formats Body file
Excel
Default XML
HTML

13. Report data General Info Extracted text Web history File tags
Trackpoints
Cookies
Hashset hits
Recent documents
messages
Keyword hits
EXIF metadata
Interesting files
Bookmarks
Web search engines
Installed programs
Result tags
Devices attached

14. Inclusion on other bootable CDs
BackTrack2
Caine - Computer Aided INvestigative Environment)
DEFT - Digital Evidence & Forensic Toolkit (Xubuntu based)
FCCU Gnu/Linux Forensics Boot CD (knoppix)
Forensic and Incident Response Environment – FIRE
Helix (knoppix)
Knoppix STD

15. Inclusion on other bootable CDs
Local Area Security Linux
Penguin Sleuth Kit (knoppix)
Plan-B
Snarl (FreeBSD)
HeX (Freesbie2)
Stagos FSE (Ubuntu based)
IRItaly Live CD Project (Gentoo based)
ForLEx Live CD Forensic Linux Examination (Knoppix based)

16. Tools that Integrate sleuth kit
Allin 1
NBTempo
Nigilant 32 for Windows
Odyssey Digital Forensics Search
PTK Forensics

17. Tools that Integrate sleuth kit
PyFlag
Raw2Fs
Revealer Toolkit
Selective File Dumper
Zeitline

18. Downloads and information