Saturday, August 26, 2017
Sleuthkit 3.2.0 Released
A new version of The Sleuth Kit (TSK), a command-line forensics toolset for both Linux and Windows, was released a few days ago. This release brings new automation tools that can greatly speed up processing. Brian Carrier, the developer, describes the release as follows:
New features include:
• New tsk_recover tool that extracts files from an image to a local directory.
• New tsk_loaddb tool that dumps file system metadata to a SQLite database.
• New tsk_getimes tool that collects MAC time data on all file systems (equivalent to fls -m on a series of volumes).
• New tsk_comparedir tool that compares a directory to an image to detect rootkits.
• New C++ TskAuto class that makes it easier to create automated tools that analyze all files.
• Name cleanup out of libraries and into tools.
• img_cat -e and -s flags.
• Changed how default NTFS $Data attribute is named.
• HFS+ case-sensitive flag in fsstat.
Bug fixes include:
• FAT performance
• Crash fix for corrupt NTFS file
• Adding attribute runs on fragmented files with multiple attributes of the same type.

I can personally attest to the benefits of the tsk_loaddb tool. It very quickly creates a SQLite database containing file system metadata for each volume in the forensic image. The database can be queried for any data sought in a fraction of the time it takes to read a file system itself.
A knowledge of basic SQLite commands is essential to take advantage of the database, but with that knowledge it is quite easy to script tools for your own use. For example, I wrote a shell script that reads the database and automatically mounts all the partitions read-only for quick evaluation. This, of course, is only one small way that the data can be used.
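To make the idea concrete, here is an added example of that kind of script, written for this page rather than taken from the post's own script or from TSK. It builds an in-memory stand-in for a tsk_loaddb database from constructed data, then (a) derives one read-only mount command per file system from the byte offsets in tsk_fs_info and (b) answers a "what changed recently" question straight from the tsk_fs_files rows without opening the image. The table and column names follow the tsk_loaddb schema as I recall it for TSK 3.2 and the fs_type codes come from tsk_fs.h as I remember them; both are assumptions, so confirm them against your own database with sqlite3 image.db .schema before relying on the queries. The image path /evidence/disk.dd and mount root /mnt/ev are hypothetical.

```python
"""Read a tsk_loaddb SQLite database and derive read-only mount commands.

Added example, not from the original post or from TSK.  Schema, fs_type
codes, image path and mount root are assumptions (see lead-in).
"""
import shlex
import sqlite3

# tsk_loaddb schema as I recall it for TSK 3.2 (assumption: check with
#   sqlite3 image.db .schema   on a real database).
SCHEMA = """
CREATE TABLE tsk_image_info (type INTEGER, ssize INTEGER);
CREATE TABLE tsk_image_names (name TEXT);
CREATE TABLE tsk_vs_parts (vol_id INTEGER PRIMARY KEY, start INTEGER,
    length INTEGER, desc TEXT, flags INTEGER);
CREATE TABLE tsk_fs_info (fs_id INTEGER PRIMARY KEY, img_offset INTEGER,
    vol_id INTEGER, fs_type INTEGER, block_size INTEGER, block_count INTEGER,
    root_inum INTEGER, first_inum INTEGER, last_inum INTEGER);
CREATE TABLE tsk_fs_files (fs_id INTEGER, file_id INTEGER, attr_type INTEGER,
    attr_id INTEGER, name TEXT, par_file_id INTEGER, dir_type INTEGER,
    meta_type INTEGER, dir_flags INTEGER, meta_flags INTEGER, size INTEGER,
    ctime INTEGER, crtime INTEGER, atime INTEGER, mtime INTEGER,
    mode INTEGER, uid INTEGER, gid INTEGER);
"""

# fs_type values from TSK_FS_TYPE_ENUM in tsk_fs.h (assumed from memory);
# the Linux mount type chosen for each is my own mapping.
FS_TYPE_TO_MOUNT = {
    0x0001: "ntfs",
    0x0002: "vfat", 0x0004: "vfat", 0x0008: "vfat",
    0x0010: "ext2", 0x0020: "ext3",
    0x0100: "iso9660",
    0x0200: "hfsplus",
}

# Keep the evidence unchanged and the host safe from whatever is on it.
BASE_OPTS = ["ro", "loop", "noexec", "nosuid", "nodev"]
# ro alone does not stop ext3 from replaying its journal onto a writable
# device; noload does.
EXTRA_OPTS = {"ext3": ["noload"]}


def mount_commands(conn, image_path, mount_root):
    """One `mount` line per file system in tsk_fs_info.

    img_offset is already a byte offset into the image, so it maps straight
    onto mount's offset= option; unknown fs_type codes are skipped, not guessed.
    """
    cmds = []
    rows = conn.execute(
        "SELECT fs_id, img_offset, fs_type FROM tsk_fs_info ORDER BY img_offset"
    ).fetchall()
    for fs_id, img_offset, fs_type in rows:
        mtype = FS_TYPE_TO_MOUNT.get(fs_type)
        if mtype is None:
            continue
        opts = BASE_OPTS + EXTRA_OPTS.get(mtype, []) + ["offset=%d" % img_offset]
        target = "%s/fs%d" % (mount_root, fs_id)
        cmds.append("mount -t %s -o %s %s %s" % (
            mtype, ",".join(opts), shlex.quote(image_path), shlex.quote(target)))
    return cmds


def files_modified_since(conn, since_epoch):
    """Regular files (meta_type 1) with mtime >= since_epoch, newest first.

    Answered entirely from the database: the image is never opened.
    """
    return conn.execute(
        "SELECT fs_id, name, mtime FROM tsk_fs_files "
        "WHERE mtime >= ? AND meta_type = 1 ORDER BY mtime DESC, name",
        (since_epoch,),
    ).fetchall()


def build_sample_db():
    """Constructed stand-in for what tsk_loaddb would write: a 512-byte-sector
    image holding an NTFS volume and an ext3 volume with a handful of files."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO tsk_image_info VALUES (?, ?)", (1, 512))
    conn.execute("INSERT INTO tsk_image_names VALUES (?)", ("disk.dd",))
    conn.executemany("INSERT INTO tsk_vs_parts VALUES (?, ?, ?, ?, ?)", [
        (1, 63, 2088387, "NTFS (0x07)", 1),
        (2, 2088450, 4192965, "Linux (0x83)", 1),
    ])
    conn.executemany("INSERT INTO tsk_fs_info VALUES (?,?,?,?,?,?,?,?,?)", [
        (1, 63 * 512, 1, 0x0001, 4096, 261048, 5, 0, 1000),
        (2, 2088450 * 512, 2, 0x0020, 4096, 524120, 2, 1, 131072),
    ])
    # (fs_id, file_id, attr_type, attr_id, name, par_file_id, dir_type,
    #  meta_type, dir_flags, meta_flags, size, ctime, crtime, atime, mtime,
    #  mode, uid, gid)
    conn.executemany(
        "INSERT INTO tsk_fs_files VALUES (" + ",".join("?" * 18) + ")", [
        (1, 64, 128, 1, "pagefile.sys", 5, 5, 1, 1, 1, 1073741824,
         1500000000, 1490000000, 1500000000, 1500000000, 0, 0, 0),
        (1, 65, 128, 1, "evil.exe", 5, 5, 1, 1, 1, 40960,
         1503700000, 1503700000, 1503700000, 1503700000, 0, 0, 0),
        (2, 11, 0, 0, "etc", 2, 3, 2, 1, 1, 4096,
         1400000000, 0, 1400000000, 1400000000, 0o755, 0, 0),
        (2, 12, 0, 0, "passwd", 11, 5, 1, 1, 1, 1234,
         1503650000, 0, 1503650000, 1503650000, 0o644, 0, 0),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()   # on a real case: sqlite3.connect("image.db")
    for cmd in mount_commands(db, "/evidence/disk.dd", "/mnt/ev"):
        print(cmd)
    for fs_id, name, mtime in files_modified_since(db, 1503600000):
        print("fs%d %-16s mtime=%d" % (fs_id, name, mtime))
```

The script prints the mount lines rather than executing them so you can review offsets and types before touching the evidence as root; the file-listing query is the part that benefits most from tsk_loaddb, since the same question asked with fls against the image would re-walk every directory.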
For a concise overview of all the tools that TSK has to offer, take a look at the wiki located here.