Unverified Commit a09fe17c authored by Richard Cordovano's avatar Richard Cordovano Committed by GitHub
Merge pull request #1655 from f97gujo/develop

Update README with links
parents 62dd0b04 1d40445e
...@@ -3,7 +3,6 @@ ...@@ -3,7 +3,6 @@
[![Build status](https://ci.appveyor.com/api/projects/status/8f7ljj8s2lh5sqfv?svg=true)](https://ci.appveyor.com/project/bcarrier/sleuthkit) [![Build status](https://ci.appveyor.com/api/projects/status/8f7ljj8s2lh5sqfv?svg=true)](https://ci.appveyor.com/project/bcarrier/sleuthkit)
# [The Sleuth Kit](http://www.sleuthkit.org/sleuthkit) # [The Sleuth Kit](http://www.sleuthkit.org/sleuthkit)
README File
## INTRODUCTION ## INTRODUCTION
The Sleuth Kit is an open source forensic toolkit for analyzing The Sleuth Kit is an open source forensic toolkit for analyzing
...@@ -16,8 +15,8 @@ the tool or customize it to specific needs. ...@@ -16,8 +15,8 @@ the tool or customize it to specific needs.
The Sleuth Kit uses code from the file system analysis tools of The Sleuth Kit uses code from the file system analysis tools of
The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The
TCT code was modified for platform independence. In addition, TCT code was modified for platform independence. In addition,
support was added for the NTFS (see docs/ntfs.README) and FAT (see support was added for the NTFS (see [wiki/ntfs](http://wiki.sleuthkit.org/index.php?title=FAT_Implementation_Notes))
docs/fat.README) file systems. Previously, The Sleuth Kit was and FAT (see [wiki/fat](http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes)) file systems. Previously, The Sleuth Kit was
called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent
of any commercial or academic organizations. of any commercial or academic organizations.
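Review bot: the two wiki links added in this hunk are swapped: the NTFS sentence links `[wiki/ntfs]` to `index.php?title=FAT_Implementation_Notes`, and the FAT sentence links `[wiki/fat]` to `index.php?title=NTFS_Implementation_Notes`. Exchange the two URLs so that `[wiki/ntfs]` points at `NTFS_Implementation_Notes` and `[wiki/fat]` at `FAT_Implementation_Notes`; the later hunk (`@@ -88,8 +87,8 @@`) already links NTFS to `NTFS_Implementation_Notes`, so the README would then be consistent with itself.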
...@@ -35,8 +34,8 @@ The Sleuth Kit allows one to analyze a disk or file system image ...@@ -35,8 +34,8 @@ The Sleuth Kit allows one to analyze a disk or file system image
created by 'dd', or a similar application that creates a raw image. created by 'dd', or a similar application that creates a raw image.
These tools are low-level and each performs a single task. When These tools are low-level and each performs a single task. When
used together, they can perform a full analysis. For a more detailed used together, they can perform a full analysis. For a more detailed
description of these tools, refer to docs/filesystem.README. The description of these tools, refer to [wiki/filesystem](http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview).
tools are briefly described in a file system layered approach. Each The tools are briefly described in a file system layered approach. Each
tool name begins with a letter that is assigned to the layer. tool name begins with a letter that is assigned to the layer.
### File System Layer: ### File System Layer:
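Review bot: minor style point on the new link: the text `[wiki/filesystem]` mirrors the old `docs/filesystem.README` path, but the target page is titled `TSK_Tool_Overview`; consider link text that matches the wiki page (for example `[TSK Tool Overview]`) so readers know what they are being sent to. Same applies to the other `wiki/...` link texts in this change.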
...@@ -88,8 +87,8 @@ contents of the data units allocated to the metadata structure ...@@ -88,8 +87,8 @@ contents of the data units allocated to the metadata structure
which metadata structure has allocated a given content unit or which metadata structure has allocated a given content unit or
file name. file name.
Refer to the ntfs.README doc for information on addressing metadata Refer to the [ntfs wiki](http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes)
attributes in NTFS. for information on addressing metadata attributes in NTFS.
### Human Interface Layer (file): ### Human Interface Layer (file):
The human interface layer allows one to interact with files in a The human interface layer allows one to interact with files in a
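Review bot: the link text here is `[ntfs wiki]` while the earlier hunk uses `[wiki/ntfs]` for the same target; pick one form for both occurrences. The URL itself (`NTFS_Implementation_Notes`) is the correct one for NTFS and is the reference to use when fixing the swapped pair in the `@@ -16,8 +15,8 @@` hunk.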
...@@ -110,7 +109,7 @@ made. The mactime (TCT) program takes as input the 'body' file ...@@ -110,7 +109,7 @@ made. The mactime (TCT) program takes as input the 'body' file
that was generated by fls and ils. To get data on allocated and that was generated by fls and ils. To get data on allocated and
unallocated file names, use 'fls -rm dir' and for unallocated inodes unallocated file names, use 'fls -rm dir' and for unallocated inodes
use 'ils -m'. Note that the behavior of these tools are different use 'ils -m'. Note that the behavior of these tools are different
than in TCT. For more information, refer to docs/mac.README. than in TCT. For more information, refer to [wiki/mactime](http://wiki.sleuthkit.org/index.php?title=Mactime).
#### Hash Databases #### Hash Databases
...@@ -127,7 +126,7 @@ an index of a hash database and perform quick lookups using a binary ...@@ -127,7 +126,7 @@ an index of a hash database and perform quick lookups using a binary
search algorithm. The 'hfind' tool can perform lookups on the NIST search algorithm. The 'hfind' tool can perform lookups on the NIST
National Software Reference Library (NSRL) (www.nsrl.nist.gov) and National Software Reference Library (NSRL) (www.nsrl.nist.gov) and
files created from the 'md5' or 'md5sum' command. Refer to the files created from the 'md5' or 'md5sum' command. Refer to the
docs/hfind.README file for more details. [wiki/hfind](http://wiki.sleuthkit.org/index.php?title=Hfind) file for more details.
#### File Type Categories #### File Type Categories
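Review bot: `file for more details` is left over from the old `docs/hfind.README file` wording; the link now points at a wiki page, not a file, so drop the word: `Refer to the [wiki/hfind](http://wiki.sleuthkit.org/index.php?title=Hfind) page for more details.` or simply `... for more details.`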
Different types of files typically have different internal structure. Different types of files typically have different internal structure.
...@@ -143,24 +142,24 @@ The 'sorter' program in The Sleuth Kit will use other Sleuth Kit ...@@ -143,24 +142,24 @@ The 'sorter' program in The Sleuth Kit will use other Sleuth Kit
tools to sort the files in a file system image into categories. tools to sort the files in a file system image into categories.
The categories are based on rule sets in configuration files. The The categories are based on rule sets in configuration files. The
'sorter' tool will also use hash databases to flag known bad files 'sorter' tool will also use hash databases to flag known bad files
and ignore known good files. Refer to the 'docs/sorter.README' and ignore known good files. Refer to the [wiki/sorter](http://wiki.sleuthkit.org/index.php?title=Sorter)
file for more details. file for more details.
## LICENSE ## LICENSE
The file system tools (in the src/fstools directory) are released The file system tools (in the [tools/fstools](https://github.com/sleuthkit/sleuthkit/tree/develop/tools/fstools)
under the IBM open source license and Common Public License, both directory) are released under the IBM open source license and Common Public License, both
are located in the license directory. The modifications to 'mactime' are located in the [licenses directory](https://github.com/sleuthkit/sleuthkit/tree/develop/licenses).
from the original 'mactime' in TCT and 'mac-daddy' are released The modifications to 'mactime' from the original 'mactime' in TCT and 'mac-daddy' are released
under the Common Public License. Other tools in the src directory under the Common Public License. Other tools in the tools directory
are either Common Public License or the GNU Public License. are either Common Public License or the GNU Public License.
## INSTALL ## INSTALL
For installation instructions, refer to the INSTALL.txt document. For installation instructions, refer to the INSTALL.txt document.
## OTHER DOCS ## OTHER DOCS
The 'docs' directory contains documents that describe the provided tools The [wiki](http://wiki.sleuthkit.org/index.php?title=Main_Page) contains documents that
in more detail. The Sleuth Kit Informer is a newsletter that contains describe the provided tools in more detail. The Sleuth Kit Informer is a newsletter that contains
new documentation and articles. new documentation and articles.
> www.sleuthkit.org/informer/ > www.sleuthkit.org/informer/
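Review bot: same leftover as in the hfind hunk: `Refer to the [wiki/sorter](...)` is still followed by `file for more details.`; change to `page for more details.` (or drop `file`). The LICENSE changes look right: `src/fstools` becomes a link to `tools/fstools` and `license directory` becomes a link to the actual `licenses` directory, and the sentence about `Other tools in the tools directory` is updated to match the new path. The INSTALL section still refers to `INSTALL.txt`, which is a real file rather than a wiki page, so leaving it unlinked is fine.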
...@@ -172,5 +171,6 @@ announcements list. ...@@ -172,5 +171,6 @@ announcements list.
> http://sourceforge.net/mail/?group_id=55685 > http://sourceforge.net/mail/?group_id=55685
Brian Carrier Brian Carrier
carrier <at> sleuthkit <dot> org
carrier at sleuthkit dot org
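Review bot: the `carrier <at> sleuthkit <dot> org` form is a problem in a Markdown README because GitHub's renderer treats `<at>` and `<dot>` as HTML tags and strips them, leaving `carrier sleuthkit org` on the rendered page; the plain `carrier at sleuthkit dot org` form is the one that will actually display, so make sure that is the variant kept in the new file (the `+1` line count in this hunk suggests a blank line was also added; harmless, but worth confirming it was intentional).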