Introduction to the Sleuth Kit and filesystem forensics

Detectalix 113 views 12 slides Jan 17, 2025

About This Presentation

These slides illustrate the most important concepts about disk partitioning, volumes and filesystems.
We are going to introduce the Sleuth Kit, a set of open-source filesystem forensic CLI tools, explaining the functionality of the different categories of tools, and finally we are going to show th...


Slide Content

The Sleuth Kit® and filesystem forensics. Introduction to disk partitioning, volumes and filesystems. Introduction to The Sleuth Kit (TSK). Analysis of an NTFS filesystem with TSK tools.

Introduction to partitions, volumes and filesystems. The Master Boot Record (MBR) is the first sector of a disk and contains the bootstrap code and the partition table. A partition is a set of contiguous sectors of a disk. The MBR allows a maximum of four primary partitions. The Unified Extensible Firmware Interface (UEFI) uses the Globally Unique ID (GUID) partition table, which allows up to 128 primary partitions.
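To make the MBR layout concrete, here is an added shell example (not part of the slides) that builds a constructed 512-byte MBR image and reads its partition table by hand with dd, od and awk, the kind of cross-check an examiner does before trusting a tool's view of a disk. The layout used is the standard MBR one: bootstrap code in bytes 0-445, four 16-byte partition entries at bytes 446, 462, 478 and 494, and the 0x55AA signature at bytes 510-511. The single partition (type 0x07, LBA start 2048, 204800 sectors) and the 512-byte sector size are values chosen for this example.

```shell
#!/bin/sh
# Added example: constructed MBR image plus a by-hand partition table reader.
# Assumes 512-byte sectors; the partition values below are made up for the demo.

# make_mbr FILE: write a 512-byte MBR with one bootable type-0x07 partition
# starting at LBA 2048 and spanning 204800 sectors; entries 2-4 are empty.
make_mbr() {
    out="$1"
    dd if=/dev/zero of="$out" bs=1 count=446 2>/dev/null        # bootstrap area, zeroed
    # entry 1: status 0x80 | CHS start (3 bytes) | type 0x07 | CHS end (3 bytes)
    #          | LBA start 2048 = 0x00000800 LE | sector count 204800 = 0x00032000 LE
    printf '\200\000\041\000\007\376\377\377\000\010\000\000\000\040\003\000' >> "$out"
    dd if=/dev/zero bs=1 count=48 2>/dev/null >> "$out"         # entries 2-4, zeroed
    printf '\125\252' >> "$out"                                 # signature 0x55 0xAA
}

# le32 FILE OFFSET: little-endian unsigned 32-bit integer at byte OFFSET.
le32() {
    dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tu1 |
        awk '{ print $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 }'
}

# u8 FILE OFFSET: unsigned byte at byte OFFSET.
u8() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | awk '{ print $1 }'
}

# mbr_signature_ok FILE: succeed only if bytes 510-511 are 0x55 0xAA (85 170 decimal).
# A missing signature is the first sign that the sector is not a valid MBR.
mbr_signature_ok() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tu1 | awk '{ print $1, $2 }')
    [ "$sig" = "85 170" ]
}

# mbr_entry FILE INDEX: decode entry INDEX (0-3) as "status type_hex start_lba sector_count".
mbr_entry() {
    base=$((446 + 16 * $2))
    status=$(u8 "$1" "$base")
    ptype=$(u8 "$1" $((base + 4)))
    start=$(le32 "$1" $((base + 8)))
    count=$(le32 "$1" $((base + 12)))
    printf '%d %02x %d %d\n' "$status" "$ptype" "$start" "$count"
}

# part_byte_offset FILE INDEX: byte offset of the partition's first sector
# (start LBA * 512), the number you would pass to dd or a hex viewer.
part_byte_offset() {
    mbr_entry "$1" "$2" | awk '{ print $3 * 512 }'
}

# Stand-alone demo on the constructed image.
img=$(mktemp)
make_mbr "$img"
if mbr_signature_ok "$img"; then echo "MBR signature ok"; else echo "MBR signature missing"; fi
i=0
while [ "$i" -lt 4 ]; do
    echo "entry $i: $(mbr_entry "$img" "$i")"
    i=$((i + 1))
done
echo "partition 0 starts at byte $(part_byte_offset "$img" 0)"
rm -f "$img"
```

The same reader works on the first 512 bytes of a real raw image (`dd if=image.dd bs=512 count=1 of=mbr.bin`); on a GPT disk the MBR entry is a protective type-0xEE partition and the real table lives in the sectors that follow, which is why the slide's 128-partition limit does not apply to this decoder.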

Introduction to partitions, volumes and filesystems. A volume is a logical set of data, formed by one or more partitions, associated with a single filesystem. A filesystem is a logical structure that specifies the storage, organization and management of files and directories. A file can occupy one or several blocks or clusters, which usually have a size of 4 KB (4096 bytes).

Introduction to partitions, volumes and filesystems. A filesystem has three layers: filename, data and metadata. The filename layer stores the name and pointers to the metadata. The data are the actual contents of a file. The metadata store all the other information about a file or directory.

Introduction to The Sleuth Kit (TSK). TSK is a collection of filesystem forensic CLI tools and a C library developed by Brian Carrier (Basis Technology). It is based on part of the code of The Coroner's Toolkit. It is multi-platform and supports many different filesystems and image formats (raw, EWF, AFF, ...). It provides the foundation for the forensic program Autopsy® and many other open-source and commercial forensic tools.

TSK download and documentation. You can download TSK from https://www.sleuthkit.org/sleuthkit/download.php (on Linux and macOS you have to download and compile the source code, with installation instructions included in the package, while on Windows you can download the binaries). Refer to http://wiki.sleuthkit.org for the documentation.

The Sleuth Kit tools. Tools included in TSK are divided into groups according to the layer of the filesystem they operate at (the prefix of a tool's name indicates the layer): “mm-”: volume (media management) layer. “fs-”: filesystem layer. “blk-”: data unit (block) layer. “i-”: metadata (inode) layer. “f-”: file name layer.

The Sleuth Kit tools. The suffixes of the tool names indicate their function: “-stat”: displays general information about the queried item. “-ls”: lists the contents of the queried layer. “-cat”: dumps/extracts the content of the queried layer.
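The three-layer model and the prefix/suffix naming above come together in one workflow: mmls at the volume layer gives the offset of a partition, and every lower-layer tool (fsstat, fls, istat, icat, blkcat) is then pointed at that partition with `-o`. The following added shell example (written for this page, not TSK's own code) parses a constructed mmls listing in the TSK 4.x format into the start sector and byte offset of each allocated partition, and chains fsstat, fls and icat on it. The sample output is made up for the example; the `tsk_triage` function only runs when the TSK binaries are on PATH and an image path is given as the first argument.

```shell
#!/bin/sh
# Added example: turn mmls output into the -o offset the lower-layer tools need,
# then walk filesystem -> filename -> metadata/data layers on one partition.
# SAMPLE_MMLS is a constructed listing in the TSK 4.x mmls format (assumed here).

SAMPLE_MMLS=$(cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
EOF
)

# mmls_partitions: read mmls output on stdin and print one line per allocated
# partition as "slot start_sector byte_offset description". Meta entries and
# unallocated gaps are skipped. DOS slots look like 000:000, GPT slots like 000;
# the sector size is taken from the "Units are in N-byte sectors" header line.
mmls_partitions() {
    awk '
        /^Units are in/ { sub(/-byte.*/, "", $4); secsz = $4 + 0 }
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+(:[0-9]+)?$/ {
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%s %d %d %s\n", $1, $3, $3 * secsz, desc
        }'
}

# first_partition_sector: start sector of the first allocated partition.
# This is the value -o expects: the TSK tools take the offset in sectors,
# the byte offset is only for cross-checking against dd or a hex viewer.
first_partition_sector() {
    mmls_partitions | awk 'NR == 1 { print $2 }'
}

# tsk_triage IMAGE SECTOR_OFFSET: layer by layer on one partition (requires TSK).
tsk_triage() {
    img="$1"; off="$2"
    fsstat -o "$off" "$img" | head -n 20      # fs layer: type, cluster size, layout
    fls -o "$off" -r "$img" | head -n 20       # filename layer: names -> inode numbers
    # metadata and data layers take an inode number from the fls listing, e.g.
    #   istat -o "$off" "$img" INODE          # metadata: timestamps, size, clusters
    #   icat  -o "$off" "$img" INODE > out    # data: extract the file contents
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_MMLS" | mmls_partitions
off=$(printf '%s\n' "$SAMPLE_MMLS" | first_partition_sector)
echo "next step: fsstat -o $off image.dd"
if [ -n "$1" ] && command -v mmls >/dev/null 2>&1; then
    real_off=$(mmls "$1" | first_partition_sector)
    tsk_triage "$1" "$real_off"
fi
```

The point worth checking every time is the unit: mmls prints sectors and states the sector size in its header, and `-o` is also in sectors, so a partition at sector 2048 is passed as `-o 2048`, not `-o 1048576`. If the image was taken from a device with a non-512-byte sector, the header will say so and the tools must be given the matching `-b` sector size.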

TSK tools output example (mmls)

TSK tools output example (fsstat)

TSK tools output example (fsstat)

TSK tools output example (blkcat)