Difference between revisions of "The Sleuth Kit commands"

Revision as of 06:53, 31 March 2011

The TSK commands list

• blkcalc - Converts between unallocated disk unit numbers and regular disk unit numbers.
• blkcat - Display the contents of file system data unit in a disk image.
• blkls - List or output file system data units.
• blkstat - Display details of a file system data unit (i.e. block or sector).
• ffind - Finds the name of the file or directory using a given inode.
• fls - List file and directory names in a disk image.
• fsstat - Display general details of a file system.
• hfind - Lookup a hash value in a hash database.
• icat-sleuthkit - Output the contents of a file based on its inode number.
• ifind - Find the meta-data structure that has allocated a given disk unit or file name.
• ils-sleuthkit - List inode information.
• img_cat - Output contents of an image file.
• img_stat - Display details of an image file.
• istat - Display details of a meta-data structure (i.e. inode).
• jcat - Show the contents of a block in the file system journal.
• jls - List the contents of a file system journal.
• mactime-sleuthkit - Create an ASCII time line of file activity.
• mmcat - Output the contents of a partition to stdout.
• mmls - Display the partition layout of a volume system (partition tables).
• mmstat - Display details about the volume system (partition tables).
• sigfind - Find a binary signature in a file.
• sorter - Sort files in an image into categories based on file type.
• srch_strings - Display printable strings in files.

Get a refreshed list

The list put in this page was created by a shell Bash command to show the basic function of the each TSK command.

The command used (in Debian) was:

eriberto@canopus~$ dpkg -L sleuthkit | grep /usr/bin/ | cut -d"/" -f4 | sort | xargs whatis -l | sed 's/^/*<strong>/; s/ (1)/<\/strong>/; s/$/./' | tr -s . | tr -s " "

You should use the above command to refresh the list.