Sleuth Kit

The Sleuth Kit (TSK) is a powerful collection of command-line forensic tools used to analyze disks, file systems, and low-level artifacts. It forms the core engine behind Autopsy but can also be used independently for detailed forensic investigations. TSK is especially valuable for examiners who need precise, scriptable, and transparent analysis of raw disk evidence.


What Is The Sleuth Kit?

The Sleuth Kit is an open-source forensic framework designed for:

  • File system investigation

  • Partition analysis

  • Deleted file recovery

  • Metadata inspection

  • Extracting files from disk images

  • Analyzing unallocated space

  • Searching for specific files or patterns

It supports multiple file systems such as NTFS, FAT, exFAT, EXT3/EXT4, UFS, and HFS+.

TSK tools operate directly on disk images, making them ideal for reproducible forensic workflows.


Why TSK Is Crucial for Forensics

TSK allows investigators to:

  • Inspect raw disk structures at a granular level

  • Recover deleted files that GUI tools may miss

  • Understand file system internals

  • Perform automated batch analysis with scripts

  • Analyze evidence even on damaged or partially corrupted disks

  • Build transparent forensic processes for court presentation

Because TSK is open-source, examiners can trust its methodology and validate results.


Core Components of The Sleuth Kit

TSK consists of several command-line tools, each designed for a specific part of disk or file system analysis.


1. Disk & Partition Analysis Tools

mmls

Lists partition layouts.

Used for:

  • Identifying partitions

  • Locating deleted partitions

  • Understanding disk boundaries


mmcat

Extracts raw data from disk partitions.

Useful for carving or isolating partitions.
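An added example (not from the original page and not part of TSK) showing how the mmls listing can be scripted: it parses the partition table, builds one `fls -o <start sector>` command per real volume so later tools read the right partition directly from the full disk image, and reports unallocated gaps as byte ranges for mmcat or carving. The mmls text is constructed sample output, and `parse_mmls`, `fls_commands` and `unallocated_gaps` are hypothetical helper names.

```python
import re
import shlex

# Constructed sample of `mmls` output for a two-partition disk image
# (not taken from a real case).
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0020971519   0020764672   Linux (0x83)
"""

# One table row: index, slot, start, end, length (all in sectors), description.
ROW = re.compile(r"^(\d{3}):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

def parse_mmls(text):
    """Return (sector size, rows) parsed from mmls output."""
    m = re.search(r"Units are in (\d+)-byte sectors", text)
    sector_size = int(m.group(1)) if m else 512
    rows = []
    for line in text.splitlines():
        r = ROW.match(line)
        if not r:
            continue
        slot = r.group(2)
        rows.append({"slot": slot, "start": int(r.group(3)), "end": int(r.group(4)),
                     "length": int(r.group(5)), "desc": r.group(6),
                     # Meta rows (partition tables) and gaps hold no file system.
                     "volume": slot not in ("Meta", "-------")})
    return sector_size, rows

def fls_commands(text, image, mount="/"):
    """One `fls -o <start sector> -r -m <mount>` command per real volume; -o
    points fls at the partition inside the full image, -m prefixes bodyfile names."""
    _, rows = parse_mmls(text)
    return [f"fls -o {p['start']} -r -m {shlex.quote(mount)} {shlex.quote(image)}"
            for p in rows if p["volume"]]

def unallocated_gaps(text):
    """(byte offset, byte length) of unallocated gaps: candidates for mmcat/carving."""
    sector_size, rows = parse_mmls(text)
    return [(p["start"] * sector_size, p["length"] * sector_size)
            for p in rows if p["desc"] == "Unallocated"]
```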


2. File System Analysis Tools

fsstat

Displays file system metadata such as:

  • Block size

  • Journal info

  • Inode structures

  • Allocation tables

Gives a full overview of the file system.


fls

Lists files, including deleted entries.

Flags can show:

  • Allocated files

  • Unallocated files

  • Directories

  • Metadata entries

Used heavily in timeline and recovery workflows.


icat

Extracts file content using inode numbers.

Allows recovery of:

  • Live files

  • Deleted files

  • Metadata-only entries


istat

Shows inode metadata, including:

  • MAC timestamps

  • File size

  • Block addresses

Excellent for timestamp analysis.


3. Unallocated & Deleted Data Tools

blkls

Extracts unallocated blocks.

Used for:

  • Data carving

  • Searching deleted content

  • Filtering slack space


blkstat

Gives block-level metadata, useful for deep investigations.


4. Keyword Searching

ffind

Finds the file name(s) that refer to a given inode (metadata address).

ils

Lists inodes, including orphaned ones.


5. Automated Timeline Tools

TSK supports bodyfile creation (commonly used in forensic timelines).

fls -m / -r image.dd > bodyfile.txt

Writes a bodyfile (one line per file with its timestamps) that can be fed into:

  • mactime

  • Plaso

  • ELK Stack


How Investigators Use Sleuth Kit


1. Identify Partition Layout

mmls disk.dd

Determines where partitions start and end.


2. List Files in a Partition

fls -r -m / partition.dd

Used to find deleted items, downloads, and user files.


3. Recover Deleted Files

Identify the inode of the deleted entry:

fls -d image.dd

Recover with:

icat image.dd <inode>


4. Inspect File Metadata

istat image.dd <inode>

Reveals:

  • Timestamps

  • Allocation details

  • File size


5. Examine Raw Blocks

blkls image.dd > unalloc.raw

Useful for deep carving and keyword searching.


6. Build a Forensic Timeline

fls -m / -r image.dd > bodyfile.txt
mactime -d -b bodyfile.txt > timeline.csv

Reconstructs user activity chronologically.
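As an added example (not TSK's code and not from the original page) covering both the bodyfile step above and the earlier "Automated Timeline Tools" section, a small Python reimplementation of what mactime does with the bodyfile that `fls -m / -r` writes: it parses the eleven pipe-separated fields, expands each entry into one row per timestamp, and merges rows into mactime-style MACB flags (m=modified, a=accessed, c=metadata changed, b=born). The bodyfile lines are constructed, and `parse_bodyfile`, `build_timeline` and `deleted_rows` are hypothetical helper names.

```python
from datetime import datetime, timezone

# Constructed bodyfile lines in the TSK 3.x format written by `fls -m`
# (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime); not real evidence.
BODYFILE = """\
0|/Users/alice/Documents/notes.txt|100-128-1|r/rrw-rw-rw-|0|0|2048|1700003600|1700000000|1700000000|1700000000
0|/Users/alice/Downloads/setup.exe (deleted)|205-128-3|r/rrwxrwxrwx|0|0|51200|1700007200|1700007200|1700007300|1700007200
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

def parse_bodyfile(text):
    """Split each non-empty bodyfile line into a dict of its eleven fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed bodyfile line: {line!r}")
        e = dict(zip(FIELDS, parts))
        for k in ("size", "atime", "mtime", "ctime", "crtime"):
            e[k] = int(e[k])  # epoch seconds; 0 means "not recorded"
        entries.append(e)
    return entries

def build_timeline(entries):
    """Expand every entry into one row per timestamp, then merge rows that share a
    time into a single MACB string in the order mactime prints (m a c b, '.' for
    absent). Zero timestamps are skipped, as mactime does."""
    flags = {}
    for e in entries:
        for field, letter in (("mtime", "m"), ("atime", "a"),
                              ("ctime", "c"), ("crtime", "b")):
            t = e[field]
            if t > 0:
                flags.setdefault((t, e["name"], e["inode"], e["size"]), set()).add(letter)
    rows = []
    for (t, name, inode, size), letters in sorted(flags.items()):
        stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        macb = "".join(l if l in letters else "." for l in "macb")
        rows.append((stamp, macb, size, inode, name))
    return rows

def deleted_rows(rows):
    """fls -m marks unallocated entries with a '(deleted)' suffix in the name."""
    return [r for r in rows if r[4].endswith("(deleted)")]
```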


Supported File Systems

TSK supports many modern and legacy file systems:

  • NTFS

  • FAT, FAT32, exFAT

  • EXT2/3/4

  • ISO9660

  • UFS

  • HFS+

It can parse metadata structures that other tools overlook.


Strengths of The Sleuth Kit

  • Open source and widely trusted

  • Extremely detailed file system inspection

  • Excellent for deleted file recovery

  • Works well in automated scripts

  • Core engine behind Autopsy

  • Reliable even with damaged images

  • Ideal for academic and professional forensic research


Limitations

  • Command-line only (steep learning curve)

  • No native macOS APFS support without extensions

  • Requires strong understanding of file systems

  • Output can be very technical


Intel Dump

  • Sleuth Kit is a toolkit for low-level disk, partition, and file system analysis, ideal for forensic investigations.

  • Core tools include mmls, fls, fsstat, istat, icat, blkls, and ils for metadata analysis, recovery, and timeline building.

  • Supports NTFS, FAT variants, EXT, UFS, HFS+, and many other file systems.

  • Used for partition discovery, deleted file recovery, inode inspection, unallocated space analysis, and timeline creation.

  • TSK is powerful, scriptable, transparent, and forms the engine of Autopsy.
