Difference between revisions of "The Sleuth Kit commands"
From SleuthKitWiki
(→Get a refreshed list) |
|||
| (4 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | == The TSK | + | == The TSK 4 command list == |
| + | |||
| + | *<strong>blkcalc</strong> - Converts between unallocated disk unit numbers and regular disk unit numbers. | ||
| + | *<strong>blkcat</strong> - Display the contents of file system data unit in a disk image. | ||
| + | *<strong>blkls</strong> - List or output file system data units. | ||
| + | *<strong>blkstat</strong> - Display details of a file system data unit (i.e. block or sector). | ||
| + | *<strong>fcat</strong> - Output the contents of a file based on its name. | ||
| + | *<strong>ffind</strong> - Finds the name of the file or directory using a given inode. | ||
| + | *<strong>fiwalk</strong> - print the filesystem statistics and exit. | ||
| + | *<strong>fls</strong> - List file and directory names in a disk image. | ||
| + | *<strong>fsstat</strong> - Display general details of a file system. | ||
| + | *<strong>hfind</strong> - Lookup a hash value in a hash database. | ||
| + | *<strong>icat</strong> - Output the contents of a file based on its inode number. | ||
| + | *<strong>ifind</strong> - Find the meta-data structure that has allocated a given disk unit or file name. | ||
| + | *<strong>ils</strong> - List inode information. | ||
| + | *<strong>img_cat</strong> - Output contents of an image file. | ||
| + | *<strong>img_stat</strong> - Display details of an image file. | ||
| + | *<strong>istat</strong> - Display details of a meta-data structure (i.e. inode). | ||
| + | *<strong>jcat</strong> - Show the contents of a block in the file system journal. | ||
| + | *<strong>jls</strong> - List the contents of a file system journal. | ||
| + | *<strong>jpeg_extract</strong> - jpeg extractor. | ||
| + | *<strong>mactime</strong> - Create an ASCII time line of file activity. | ||
| + | *<strong>mmcat</strong> - Output the contents of a partition to stdout. | ||
| + | *<strong>mmls</strong> - Display the partition layout of a volume system (partition tables). | ||
| + | *<strong>mmstat</strong> - Display details about the volume system (partition tables). | ||
| + | *<strong>sigfind</strong> - Find a binary signature in a file. | ||
| + | *<strong>sorter</strong> - Sort files in an image into categories based on file type. | ||
| + | *<strong>srch_strings</strong> - Display printable strings in files. | ||
| + | *<strong>tsk_comparedir</strong> - compare the contents of a directory with the contents of an image or local device. | ||
| + | *<strong>tsk_gettimes</strong> - Collect MAC times from a disk image into a body file. | ||
| + | *<strong>tsk_loaddb</strong> - populate a SQLite database with metadata from a disk image. | ||
| + | *<strong>tsk_recover</strong> - Export files from an image into a local directory. | ||
| + | <br><br> | ||
| + | == The TSK 3 command list (historical) == | ||
*<strong>blkcalc</strong> - Converts between unallocated disk unit numbers and regular disk unit numbers. | *<strong>blkcalc</strong> - Converts between unallocated disk unit numbers and regular disk unit numbers. | ||
| Line 35: | Line 68: | ||
You should use the above command to refresh the list. | You should use the above command to refresh the list. | ||
| + | <br><br> | ||
| + | == Short-cut == | ||
| + | |||
| + | This page can be accessed through the following short url: http://bit.ly/tsk-commands. | ||
<br><br> | <br><br> | ||
Latest revision as of 04:00, 14 February 2014
Contents
The TSK 4 command list
- blkcalc - Converts between unallocated disk unit numbers and regular disk unit numbers.
- blkcat - Display the contents of file system data unit in a disk image.
- blkls - List or output file system data units.
- blkstat - Display details of a file system data unit (i.e. block or sector).
- fcat - Output the contents of a file based on its name.
- ffind - Finds the name of the file or directory using a given inode.
- fiwalk - print the filesystem statistics and exit.
- fls - List file and directory names in a disk image.
- fsstat - Display general details of a file system.
- hfind - Lookup a hash value in a hash database.
- icat - Output the contents of a file based on its inode number.
- ifind - Find the meta-data structure that has allocated a given disk unit or file name.
- ils - List inode information.
- img_cat - Output contents of an image file.
- img_stat - Display details of an image file.
- istat - Display details of a meta-data structure (i.e. inode).
- jcat - Show the contents of a block in the file system journal.
- jls - List the contents of a file system journal.
- jpeg_extract - jpeg extractor.
- mactime - Create an ASCII time line of file activity.
- mmcat - Output the contents of a partition to stdout.
- mmls - Display the partition layout of a volume system (partition tables).
- mmstat - Display details about the volume system (partition tables).
- sigfind - Find a binary signature in a file.
- sorter - Sort files in an image into categories based on file type.
- srch_strings - Display printable strings in files.
- tsk_comparedir - compare the contents of a directory with the contents of an image or local device.
- tsk_gettimes - Collect MAC times from a disk image into a body file.
- tsk_loaddb - populate a SQLite database with metadata from a disk image.
- tsk_recover - Export files from an image into a local directory.
The TSK 3 command list (historical)
- blkcalc - Converts between unallocated disk unit numbers and regular disk unit numbers.
- blkcat - Display the contents of file system data unit in a disk image.
- blkls - List or output file system data units.
- blkstat - Display details of a file system data unit (i.e. block or sector).
- ffind - Finds the name of the file or directory using a given inode.
- fls - List file and directory names in a disk image.
- fsstat - Display general details of a file system.
- hfind - Lookup a hash value in a hash database.
- icat-sleuthkit - Output the contents of a file based on its inode number.
- ifind - Find the meta-data structure that has allocated a given disk unit or file name.
- ils-sleuthkit - List inode information.
- img_cat - Output contents of an image file.
- img_stat - Display details of an image file.
- istat - Display details of a meta-data structure (i.e. inode).
- jcat - Show the contents of a block in the file system journal.
- jls - List the contents of a file system journal.
- mactime-sleuthkit - Create an ASCII time line of file activity.
- mmcat - Output the contents of a partition to stdout.
- mmls - Display the partition layout of a volume system (partition tables).
- mmstat - Display details about the volume system (partition tables).
- sigfind - Find a binary signature in a file.
- sorter - Sort files in an image into categories based on file type.
- srch_strings - Display printable strings in files.
Get a refreshed list
The list put in this page was created by a shell Bash command to show the basic function of the each TSK command.
The command used (in Debian) was:
eriberto@canopus~$ dpkg -L sleuthkit | grep /usr/bin/ | cut -d"/" -f4 | sort | xargs whatis -l | sed 's/^/*<strong>/; s/ (1)/<\/strong>/; s/$/./' | tr -s . | tr -s " "
You should use the above command to refresh the list.
Short-cut
This page can be accessed through the following short url: http://bit.ly/tsk-commands.
