The Sleuth Kit Digital Forensics Toolkit

www.sleuthkit.org

About this website

The Sleuth Kit (TSK) is a collection of command-line tools and libraries for digital forensic analysis. It lets investigators examine disk images and file systems and recover deleted files from Windows, Linux, and macOS systems. TSK was originally developed by Brian Carrier as part of his PhD research at Purdue University under Eugene Spafford and was first released in 2003. It is maintained by Basis Technology (Cambridge, Massachusetts) and serves as the engine behind the Autopsy forensic platform.

Key features:

- File system analysis supporting NTFS, FAT12/16/32, exFAT, ext2/ext3/ext4, HFS+, APFS, UFS, ISO 9660, and YAFFS2.
- Disk image support: raw (DD), EnCase (E01), AFF, VMDK, and VDI.
- Tools: fsstat (file system details), mmls (partition table), fls (list files and directories), istat (file metadata), icat (extract file content by inode), blkstat, and blkls.
- Body file generation for timeline analysis with mactime.
- Deleted file recovery: fls identifies deleted files and icat extracts their data from unallocated inodes.
- NTFS ADS (Alternate Data Streams) and MFT parsing.
- File carving integration with photorec and scalpel.
- Hash database integration with NSRL for known file identification.
- Autopsy: a web-based GUI built on TSK with timeline analysis, keyword search, email analysis, registry analysis, web artifacts, and ingest module extensibility; distributed processing for large cases.
- Cross-platform: Linux, macOS, and Windows.
- Licensed under the IPL and Apache-2.0.
