The Sleuth Kit (TSK)
A practical guide to the command-line forensic toolkit for digital investigations and incident response.
The Sleuth Kit (TSK) is a powerful open-source collection of command-line tools used for forensic analysis of disk images, file systems, and storage artifacts. Trusted by digital forensics professionals, incident responders, and law enforcement, TSK allows analysts to investigate deleted files, uncover hidden data, and reconstruct user activity from raw disk-level evidence. It serves as the engine behind many forensic platforms, including the popular Autopsy GUI.
Whether you're performing in-depth filesystem analysis or scripting repeatable forensic workflows, Sleuth Kit gives you fine-grained control over digital evidence examination.
What The Sleuth Kit Does
TSK enables low-level investigation of file systems and disk partitions without mounting them, preserving forensic integrity. It supports a wide range of file systems (e.g., NTFS, FAT, ext, HFS+, APFS) and provides tools for analyzing metadata, recovering deleted content, and identifying suspicious files or user activity. Each tool within the suite serves a specific purpose, allowing analysts to craft highly customized investigations.
It is especially useful in forensic labs, post-breach assessments, and incident response scenarios involving disk or image-based evidence.
Key Features of The Sleuth Kit
Filesystem Support
Analyzes file systems including NTFS, FAT12/16/32, exFAT, ext2/3/4, UFS1/2, HFS+, and APFS.
Partition Discovery and Analysis
Identifies partitions and volumes using tools like mmls and fsstat, even on corrupted disks.
Deleted File Recovery
Recovers files that have been deleted but not yet overwritten, using tools like fls and icat.
Metadata Inspection
Extracts timestamps, user permissions, and inode information from files and directories.
Timeline Creation
Builds a timeline of user and system activity using log2timeline or tools like mactime.
Keyword Searching
Scans raw disk images for text patterns or file signatures, helping locate contraband or indicators of compromise.
Automation-Ready
Command-line interface makes it ideal for scripting, automation, and integration with larger forensic pipelines.
Evidence Preservation
Reads directly from disk images without altering original data, maintaining forensic soundness.
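The Deleted File Recovery and Timeline Creation features above meet in the body file: fls -m lists every name (deleted ones marked "(deleted)") with its four timestamps, and mactime turns those lines into a time-ordered view. The following is an added example, not TSK's own code, that re-implements that mactime step over a constructed body file so the MACB column and deleted-entry marking can be seen without a disk image.

```python
"""Minimal re-implementation of the mactime step of a TSK timeline (added example).
Input is the body-file format that `fls -m` / `ils -m` emit:
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample body file for illustration; NOT output from a real disk image.
BODY = """\
0|/Users/alice/Documents/report.docx|1234-128-1|r/rrwxrwxrwx|501|20|4096|1700000300|1700000000|1700000000|1699990000
0|/Windows/Temp/svchost.exe (deleted)|9876-128-3|r/rrwxrwxrwx|0|0|221184|1700003600|1700003600|1700003600|1700003600
0|/Users/alice/NTUSER.DAT|600-128-2|r/rrwxrwxrwx|501|20|1048576|1700007200|1700001000|1700001000|1699990000
"""

def parse_body(text):
    """Yield one dict per body-file line; skip lines with the wrong field count."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        yield {
            "name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid,
            "size": int(size), "deleted": "(deleted)" in name,  # fls marks unallocated names this way
            "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
        }

def build_timeline(text):
    """Return rows sorted by time; timestamps that coincide share one row (e.g. 'm.c.')."""
    rows = []
    for entry in parse_body(text):
        by_ts = defaultdict(str)
        for flag in "macb":  # same column order mactime prints
            by_ts[entry["times"][flag]] += flag
        for ts, flags in by_ts.items():
            if ts == 0:
                continue  # zero means 'no timestamp recorded' in body files
            rows.append({
                "time": datetime.fromtimestamp(ts, timezone.utc),
                "macb": "".join(f if f in flags else "." for f in "macb"),
                "size": entry["size"], "inode": entry["inode"],
                "name": entry["name"], "deleted": entry["deleted"],
            })
    return sorted(rows, key=lambda r: (r["time"], r["name"]))

if __name__ == "__main__":
    for r in build_timeline(BODY):
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} {r['size']:>8} {r['macb']} {r['inode']:>12} {r['name']}{' [deleted]' if r['deleted'] else ''}")
```

Running it shows the deleted executable as a single "macb" row (all four timestamps identical), the pattern mactime makes easy to spot when a file was created and never touched again.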
Advanced Use Cases
Incident Response Investigations
Analyze endpoint disk images to trace attacker behavior, recover deleted malware, or inspect persistence mechanisms.
Law Enforcement and Legal Forensics
Recover incriminating evidence, metadata, and tampered files for use in criminal or civil litigation.
Malware Reverse Engineering
Identify hidden binaries, payloads, and artifacts dropped by malware in obscure filesystem locations.
Post-Breach Analysis
Extract browser history, USB activity, login records, and other forensic indicators after a compromise.
Security Training and CTFs
Used in digital forensics exercises and Capture the Flag competitions to teach forensic fundamentals.
Latest Updates
Recent enhancements to The Sleuth Kit include:
Improved APFS and HFS+ support for modern macOS systems
Extended metadata parsing and timestamp decoding
Bug fixes and performance updates across major tools
Better integration with third-party frameworks like Plaso, Autopsy, and Volatility
Community-supported extensions and documentation updates
Why It Matters
In digital investigations, raw access to disk and filesystem structures is critical. GUI-based tools may abstract too much, but TSK provides deep visibility and precise control over forensic evidence. It enables reproducible, court-admissible analysis while allowing advanced practitioners to tailor their approach. As digital evidence becomes increasingly complex, The Sleuth Kit remains a foundational tool for getting to the truth.
Requirements and Platform Support
The Sleuth Kit runs on:
Linux (recommended)
macOS
Windows (via WSL or compiled binaries)
It requires:
Basic familiarity with the command line
Disk images or storage devices (e.g., raw, E01) for analysis
Compatible dependencies (e.g., SQLite, libewf, libtsk)
The Sleuth Kit is open-source and available at https://www.sleuthkit.org/sleuthkit/, with extensive documentation, community support, and integration into popular forensic ecosystems like Autopsy and Plaso.