🔬 DFIR & forensics

The Sleuth Kit

Command-line digital forensics library and tools — the engine behind Autopsy.

Level: Advanced | Time: 15 minutes | Cost: Free | License: Common Public License + IBM Public License

Official site →

Why use it

When Autopsy isn't scriptable enough, drop down to The Sleuth Kit (TSK) directly. mmls, fsstat, fls, icat and friends are the foundation of command-line disk forensics: mmls reads the partition table, fsstat prints filesystem details, fls lists allocated and deleted entries with their metadata addresses (inodes), and icat pulls a file's content by that address.

What you get

  • File listing across deleted and existing entries
  • File content extraction by inode
  • Partition table analysis
  • Filesystem metadata (FAT, NTFS, ext, HFS+, APFS)
  • Timeline generation via mactime

System requirements

CPU: 1 core
RAM: 1 GB
Disk: enough for your image
OS: Linux, macOS, Windows
Docker: yes

Installation

Install on Debian/Ubuntu: sudo apt install sleuthkit

List files in an image, including deleted entries, with full paths: fls -r -p image.dd

Extract a file by inode (metadata address): icat image.dd 12345 > recovered

Generate a timeline in body format and render it: fls -r -m / image.dd | mactime -d

These commands assume image.dd is a bare filesystem. If the image contains a partition table, run mmls image.dd first and pass the start sector of the partition you want to fls, icat and fsstat with -o <sector>; without it the tools will not find the filesystem. The -m / flag is what makes fls emit the body format mactime expects; plain fls output is a listing, not a timeline source.

Suggested configuration

Always work on a copy of the image, never the original. TSK opens images read-only, but the convention matters, and it lets you verify the original's hash untouched at the end of the case. Pipe fls -m output into mactime for a filesystem timeline (on NTFS, built from the MFT timestamps) that you can grep through; mactime -d gives comma-separated rows, and deleted entries are marked "(deleted)" in the name column so they are easy to filter.
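The offset lookup and timeline steps above, scripted. This is an added example for this page, not TSK's own code: it parses mmls output to get partition start sectors, expands fls -m body-file lines into one MACB event per distinct timestamp the way mactime does, and flags deleted entries. The mmls text and body lines embedded in the script are constructed samples in the formats TSK 4.x prints; the image path, inodes and epoch timestamps are illustrative. run_tsk_timeline() drives the real tools and needs sleuthkit on PATH; everything else runs offline.

```python
"""Scripting around The Sleuth Kit: partition offsets from mmls, then a
MACB timeline from `fls -r -m` body-file lines (what mactime consumes).

Added example for this page, not part of TSK. SAMPLE_MMLS and SAMPLE_BODY
are constructed samples in the formats TSK 4.x prints; the inodes, paths
and epoch timestamps in them are illustrative.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed: what `mmls image.dd` prints for a two-partition DOS table.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0020971519   0020764672   NTFS / exFAT (0x07)
"""

# Constructed: three lines in the body format `fls -r -m / -o 2048 image.dd`
# emits: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/etc/passwd|131|r/rrw-r--r--|0|0|1209|1700000100|1700000000|1700000000|0
0|/root/.bash_history|262|r/rrw-------|0|0|512|1700000300|1700000300|1700000300|0
0|/tmp/dropper.sh (deleted)|393|r/rrwxr-xr-x|1000|1000|2048|1700000200|1700000150|1700000250|0
"""


@dataclass
class Partition:
    slot: str
    start: int        # start sector: the value `fls -o` / `icat -o` expect
    length: int
    description: str


@dataclass
class Event:
    ts: int
    macb: str         # e.g. "m.c." = mtime and ctime match, atime/crtime do not
    name: str
    inode: str
    size: int
    deleted: bool


MMLS_ROW = re.compile(r"^\d{3}:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_mmls(text: str) -> list[Partition]:
    """Return the real partitions (skip the table itself and unallocated gaps)."""
    parts = []
    for line in text.splitlines():
        m = MMLS_ROW.match(line.strip())
        if not m:
            continue
        slot, start, _end, length, desc = m.groups()
        if slot == "Meta" or desc.startswith("Unallocated"):
            continue
        parts.append(Partition(slot, int(start), int(length), desc.strip()))
    return parts


def body_to_timeline(body: str) -> list[Event]:
    """Expand body lines into one event per distinct timestamp, as mactime does.
    Zero timestamps (e.g. crtime on ext2/3) are dropped, matching mactime."""
    events = []
    for line in body.splitlines():
        if not line:
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"unexpected body line: {line!r}")
        name, inode, size = f[1], f[2], int(f[6])
        atime, mtime, ctime, crtime = (int(x) for x in f[7:11])
        stamps: dict[int, set[str]] = {}
        for flag, ts in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            if ts:
                stamps.setdefault(ts, set()).add(flag)
        for ts, flags in stamps.items():
            macb = "".join(ch if ch in flags else "." for ch in "macb")
            events.append(Event(ts, macb, name, inode, size, name.endswith("(deleted)")))
    events.sort(key=lambda e: (e.ts, e.name))
    return events


def timeline_csv(events: list[Event]) -> str:
    """CSV rows in the spirit of `mactime -d`: Date,Size,Type,Meta,File Name (UTC)."""
    rows = ["Date,Size,Type,Meta,File Name"]
    for e in events:
        date = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(f"{date},{e.size},{e.macb},{e.inode},{e.name}")
    return "\n".join(rows)


def run_tsk_timeline(image: str, offset: int) -> str:
    """Run the real pipeline (fls -r -m / -o <offset> | mactime -d) on an image."""
    if shutil.which("fls") is None or shutil.which("mactime") is None:
        raise RuntimeError("sleuthkit not on PATH: sudo apt install sleuthkit")
    fls = subprocess.run(["fls", "-r", "-m", "/", "-o", str(offset), image],
                         check=True, capture_output=True, text=True)
    mac = subprocess.run(["mactime", "-d"], input=fls.stdout,
                         check=True, capture_output=True, text=True)
    return mac.stdout


if __name__ == "__main__":
    for p in parse_mmls(SAMPLE_MMLS):
        print(f"partition {p.slot}: fls -o {p.start} image.dd   # {p.description}")
    print(timeline_csv(body_to_timeline(SAMPLE_BODY)))
```

The deleted dropper.sh entry shows why -m matters: its mtime, atime and ctime are all different, so it expands into three rows and you can see the order of creation, execution and unlink without leaving the command line. For a real image, feed the start sector parse_mmls() reports into run_tsk_timeline() and grep the result for "(deleted)".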

Integration ideas

  • Use as Autopsy backend (already integrated)
  • Pipe findings into TheHive cases
  • Combine with Volatility for disk + memory views

Alternatives

  • Autopsy — GUI on top of TSK; easier for most users.
  • Foremost / Scalpel — Pure file carving tools.

Cyentrix verdict

The forensics primitives. Worth knowing even if you mostly drive Autopsy — when the GUI fails, TSK still works.