Commit a09fe17c (Unverified)
Authored 5 years ago by Richard Cordovano; committed by GitHub 5 years ago
Merge pull request #1655 from f97gujo/develop
Update README with links
Parents: 62dd0b04, 1d40445e
README.md: 18 additions, 18 deletions (view file @ a09fe17c)
@@ -3,7 +3,6 @@
[

](https://ci.appveyor.com/project/bcarrier/sleuthkit)
[

](https://ci.appveyor.com/project/bcarrier/sleuthkit)
# [The Sleuth Kit](http://www.sleuthkit.org/sleuthkit)
# [The Sleuth Kit](http://www.sleuthkit.org/sleuthkit)
README File
## INTRODUCTION
## INTRODUCTION
The Sleuth Kit is an open source forensic toolkit for analyzing
The Sleuth Kit is an open source forensic toolkit for analyzing
@@ -16,8 +15,8 @@ the tool or customize it to specific needs.
The Sleuth Kit uses code from the file system analysis tools of
The Sleuth Kit uses code from the file system analysis tools of
The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The
The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The
TCT code was modified for platform independence. In addition,
TCT code was modified for platform independence. In addition,
support was added for the NTFS (see
docs/ntfs.README) and FAT (see
support was added for the NTFS (see
[
wiki/ntfs
](
http://wiki.sleuthkit.org/index.php?title=FAT_Implementation_Notes
)
)
docs/fat.README
) file systems. Previously, The Sleuth Kit was
and FAT (see
[
wiki/fat
](
http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes
)
) file systems. Previously, The Sleuth Kit was
called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent
called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent
of any commercial or academic organizations.
of any commercial or academic organizations.
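Review bot: the two wiki targets in this hunk are swapped: the `wiki/ntfs` link points at `http://wiki.sleuthkit.org/index.php?title=FAT_Implementation_Notes` and the `wiki/fat` link points at `http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes`. Swap the two URLs so each link text lands on the page it names. The new links also use plain `http://` for wiki.sleuthkit.org; prefer `https://` where the wiki serves it so readers following documentation links are not sent over cleartext.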
@@ -35,8 +34,8 @@ The Sleuth Kit allows one to analyze a disk or file system image
created by 'dd', or a similar application that creates a raw image.
created by 'dd', or a similar application that creates a raw image.
These tools are low-level and each performs a single task. When
These tools are low-level and each performs a single task. When
used together, they can perform a full analysis. For a more detailed
used together, they can perform a full analysis. For a more detailed
description of these tools, refer to
docs
/filesystem
.README. The
description of these tools, refer to
[
wiki
/filesystem
](
http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview
)
.
tools are briefly described in a file system layered approach. Each
The
tools are briefly described in a file system layered approach. Each
tool name begins with a letter that is assigned to the layer.
tool name begins with a letter that is assigned to the layer.
### File System Layer:
### File System Layer:
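Review bot: the link text `wiki/filesystem` does not match its target, `http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview`; the old text named a real file (`docs/filesystem.README`), but the replacement reads as if a wiki page called "filesystem" exists. Use the page's own title as the link text, e.g. `[TSK Tool Overview](http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview)`, so the reader knows what they will land on.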
@@ -88,8 +87,8 @@ contents of the data units allocated to the metadata structure
which metadata structure has allocated a given content unit or
which metadata structure has allocated a given content unit or
file name.
file name.
Refer to the ntfs
.README doc for information on addressing metadata
Refer to the
[
ntfs
wiki
](
http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes
)
attributes in NTFS.
for information on addressing metadata
attributes in NTFS.
### Human Interface Layer (file):
### Human Interface Layer (file):
The human interface layer allows one to interact with files in a
The human interface layer allows one to interact with files in a
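Review bot: the same target, `index.php?title=NTFS_Implementation_Notes`, is linked as `wiki/ntfs` in the earlier hunk and as `ntfs wiki` here; pick one link-text form and use it throughout the README. Note that, as this change stands, the earlier `wiki/ntfs` link actually points at the FAT page, so the `ntfs wiki` link in this hunk is the only one in the file that reaches the NTFS notes.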
@@ -110,7 +109,7 @@ made. The mactime (TCT) program takes as input the 'body' file
that was generated by fls and ils. To get data on allocated and
that was generated by fls and ils. To get data on allocated and
unallocated file names, use 'fls -rm dir' and for unallocated inodes
unallocated file names, use 'fls -rm dir' and for unallocated inodes
use 'ils -m'. Note that the behavior of these tools are different
use 'ils -m'. Note that the behavior of these tools are different
than in TCT. For more information, refer to
docs/mac.README
.
than in TCT. For more information, refer to
[
wiki/mactime
](
http://wiki.sleuthkit.org/index.php?title=Mactime
)
.
#### Hash Databases
#### Hash Databases
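Review bot: the context line `the behavior of these tools are different` carries a pre-existing agreement error (`behavior ... is different`); since the paragraph is being edited anyway, fix it in the same change. The `wiki/mactime` link to `http://wiki.sleuthkit.org/index.php?title=Mactime` is otherwise consistent with the other replacements in this patch.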
@@ -127,7 +126,7 @@ an index of a hash database and perform quick lookups using a binary
search algorithm. The 'hfind' tool can perform lookups on the NIST
search algorithm. The 'hfind' tool can perform lookups on the NIST
National Software Reference Library (NSRL) (www.nsrl.nist.gov) and
National Software Reference Library (NSRL) (www.nsrl.nist.gov) and
files created from the 'md5' or 'md5sum' command. Refer to the
files created from the 'md5' or 'md5sum' command. Refer to the
docs/hfind.README
file for more details.
[
wiki/hfind
](
http://wiki.sleuthkit.org/index.php?title=Hfind
)
file for more details.
#### File Type Categories
#### File Type Categories
Different types of files typically have different internal structure.
Different types of files typically have different internal structure.
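Review bot: after `docs/hfind.README` becomes a wiki link, the trailing `file for more details` no longer fits, because `http://wiki.sleuthkit.org/index.php?title=Hfind` is a wiki page, not a file; change `file` to `page` (or drop the noun). The `www.nsrl.nist.gov` reference in the context lines is a bare hostname rather than a link and could be turned into a URL in the same pass.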
@@ -143,24 +142,24 @@ The 'sorter' program in The Sleuth Kit will use other Sleuth Kit
tools to sort the files in a file system image into categories.
tools to sort the files in a file system image into categories.
The categories are based on rule sets in configuration files. The
The categories are based on rule sets in configuration files. The
'sorter' tool will also use hash databases to flag known bad files
'sorter' tool will also use hash databases to flag known bad files
and ignore known good files. Refer to the
'docs/sorter.README'
and ignore known good files. Refer to the
[
wiki/sorter
](
http://wiki.sleuthkit.org/index.php?title=Sorter
)
file for more details.
file for more details.
## LICENSE
## LICENSE
The file system tools (in the
src
/fstools
directory) are released
The file system tools (in the
[
tools
/fstools
](
https://github.com/sleuthkit/sleuthkit/tree/develop/tools/fstools
)
under the IBM open source license and Common Public License, both
directory) are released
under the IBM open source license and Common Public License, both
are located in the license directory
. The modifications to 'mactime'
are located in the
[
license
s
directory
](
https://github.com/sleuthkit/sleuthkit/tree/develop/licenses
)
.
from the original 'mactime' in TCT and 'mac-daddy' are released
The modifications to 'mactime'
from the original 'mactime' in TCT and 'mac-daddy' are released
under the Common Public License. Other tools in the
src
directory
under the Common Public License. Other tools in the
tools
directory
are either Common Public License or the GNU Public License.
are either Common Public License or the GNU Public License.
## INSTALL
## INSTALL
For installation instructions, refer to the INSTALL.txt document.
For installation instructions, refer to the INSTALL.txt document.
## OTHER DOCS
## OTHER DOCS
The
'docs' directory contains documents that describe the provided tools
The
[
wiki
](
http://wiki.sleuthkit.org/index.php?title=Main_Page
)
contains documents that
in more detail. The Sleuth Kit Informer is a newsletter that contains
describe the provided tools
in more detail. The Sleuth Kit Informer is a newsletter that contains
new documentation and articles.
new documentation and articles.
> www.sleuthkit.org/informer/
> www.sleuthkit.org/informer/
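Review bot: `Refer to the [wiki/sorter](...) file for more details` has the same file/page mismatch as the hfind paragraph; change `file` to `page`. In the LICENSE section the new links point at `https://github.com/sleuthkit/sleuthkit/tree/develop/tools/fstools` and `https://github.com/sleuthkit/sleuthkit/tree/develop/licenses`, i.e. the moving `develop` branch rather than a tag or a repository-relative path (`tools/fstools`, `licenses`); a relative link stays correct in forks, mirrors and release tarballs and does not silently change meaning when `develop` moves, which matters for a paragraph that states which licence applies to which directory. `GNU Public License` in the context lines should read `GNU General Public License`.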
@@ -172,5 +171,6 @@ announcements list.
> http://sourceforge.net/mail/?group_id=55685
> http://sourceforge.net/mail/?group_id=55685
Brian Carrier
Brian Carrier
carrier
<at>
sleuthkit
<dot>
org
carrier at sleuthkit dot org
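Review bot: replacing `carrier <at> sleuthkit <dot> org` with `carrier at sleuthkit dot org` is the right fix: the angle-bracket tokens parse as raw inline HTML tags in Markdown and are typically dropped by renderers, so the address was displaying with the `at` and `dot` missing. The `http://sourceforge.net/mail/?group_id=55685` context line is a plain-HTTP link and is worth updating to `https://` alongside the other link changes in this patch.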