The Sleuth Kit commands

From SleuthKitWiki
Revision as of 04:00, 14 February 2014 by Eriberto


The TSK 4 command list

  • blkcalc - Converts between unallocated disk unit numbers and regular disk unit numbers.
  • blkcat - Display the contents of a file system data unit in a disk image.
  • blkls - List or output file system data units.
  • blkstat - Display details of a file system data unit (i.e. block or sector).
  • fcat - Output the contents of a file based on its name.
  • ffind - Finds the name of the file or directory using a given inode.
  • fiwalk - Print the filesystem statistics and exit.
  • fls - List file and directory names in a disk image.
  • fsstat - Display general details of a file system.
  • hfind - Look up a hash value in a hash database.
  • icat - Output the contents of a file based on its inode number.
  • ifind - Find the meta-data structure that has allocated a given disk unit or file name.
  • ils - List inode information.
  • img_cat - Output contents of an image file.
  • img_stat - Display details of an image file.
  • istat - Display details of a meta-data structure (i.e. inode).
  • jcat - Show the contents of a block in the file system journal.
  • jls - List the contents of a file system journal.
  • jpeg_extract - JPEG extractor.
  • mactime - Create an ASCII time line of file activity.
  • mmcat - Output the contents of a partition to stdout.
  • mmls - Display the partition layout of a volume system (partition tables).
  • mmstat - Display details about the volume system (partition tables).
  • sigfind - Find a binary signature in a file.
  • sorter - Sort files in an image into categories based on file type.
  • srch_strings - Display printable strings in files.
  • tsk_comparedir - Compare the contents of a directory with the contents of an image or local device.
  • tsk_gettimes - Collect MAC times from a disk image into a body file.
  • tsk_loaddb - Populate a SQLite database with metadata from a disk image.
  • tsk_recover - Export files from an image into a local directory.



The TSK 3 command list (historical)

  • blkcalc - Converts between unallocated disk unit numbers and regular disk unit numbers.
  • blkcat - Display the contents of a file system data unit in a disk image.
  • blkls - List or output file system data units.
  • blkstat - Display details of a file system data unit (i.e. block or sector).
  • ffind - Finds the name of the file or directory using a given inode.
  • fls - List file and directory names in a disk image.
  • fsstat - Display general details of a file system.
  • hfind - Look up a hash value in a hash database.
  • icat-sleuthkit - Output the contents of a file based on its inode number.
  • ifind - Find the meta-data structure that has allocated a given disk unit or file name.
  • ils-sleuthkit - List inode information.
  • img_cat - Output contents of an image file.
  • img_stat - Display details of an image file.
  • istat - Display details of a meta-data structure (i.e. inode).
  • jcat - Show the contents of a block in the file system journal.
  • jls - List the contents of a file system journal.
  • mactime-sleuthkit - Create an ASCII time line of file activity.
  • mmcat - Output the contents of a partition to stdout.
  • mmls - Display the partition layout of a volume system (partition tables).
  • mmstat - Display details about the volume system (partition tables).
  • sigfind - Find a binary signature in a file.
  • sorter - Sort files in an image into categories based on file type.
  • srch_strings - Display printable strings in files.


Get a refreshed list

The list on this page was generated with a Bash command that shows the basic function of each TSK command.

The command used (in Debian) was:

eriberto@canopus~$ dpkg -L sleuthkit | grep /usr/bin/ | cut -d"/" -f4 | sort | xargs whatis -l | sed 's/^/*<strong>/; s/ (1)/<\/strong>/; s/$/./' | tr -s . | tr -s " "

You should use the above command to refresh the list.

Short-cut

This page can be accessed through the following short url: http://bit.ly/tsk-commands.