Wednesday, November 3, 2010

Sleuthkit 3.2.0 Released

A new version of The Sleuth Kit (TSK), a command line forensics tool set for both Linux and Windows, was released a few days ago. This release brings new automation tools that can greatly speed processing. Brian Carrier, the developer, describes the release as follows:
New features include:
   • New tsk_recover tool that extracts files from an image to a local directory.
   • New tsk_loaddb tool that dumps file system metadata to SQLite database.
   • New tsk_gettimes tool that collects MAC time data on all file systems (equivalent to fls -m on a series of volumes)
   • New tsk_comparedir tool that compares a directory to an image to detect rootkits.
   • New C++ TskAuto class that makes it easier to create automated tools that analyze all files.
   • Name cleanup out of libraries and into tools.
   • img_cat -e and -s flags.
   • Changed how default NTFS $Data attribute is named.
   • HFS+ Case sensitive flag in fsstat.

Bug fixes include:
   • FAT performance
   • Crash fix for corrupt NTFS file
   • Adding attribute runs on fragmented files with multiple attributes of the same type.
I can personally attest to the benefits of the tsk_loaddb tool. It very quickly creates an SQLite database containing file system metadata for each volume in the forensic image. The database can be queried for any data sought in a fraction of the time it takes to read a file system itself.

A knowledge of basic SQLite commands is essential to take advantage of the database, but with that knowledge, it is quite easy to script tools for your use. For example, I wrote a shell script that reads the database and automatically mounts all the partitions read-only for quick evaluation. This, of course, is only one small way that data can be used.
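As an added example (not the author's script), a Python version of the idea above: read each file system's offset from the tsk_loaddb database and emit read-only loop mount commands for a raw image. The table and column names (tsk_fs_info, fs_id, img_offset) are assumed from the 3.x schema rather than taken from this post, and the sample rows are constructed.

```python
import sqlite3

# Constructed rows in the shape of tsk_loaddb's tsk_fs_info table.  The table and
# column names are assumed from the 3.x schema (not verified against 3.2.0 source);
# img_offset is the byte offset of the file system inside the image.
SAMPLE_FS_INFO = [
    # (fs_id, img_offset, vol_id, fs_type)
    (0, 63 * 512, 1, 1),           # first partition starts at sector 63
    (1, 10 * 1024 * 1024, 2, 256),  # second partition starts at 10 MiB
]


def build_sample_db(path=":memory:"):
    """Create a database with the assumed tsk_fs_info layout and return the connection."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE tsk_fs_info (fs_id INTEGER PRIMARY KEY, img_offset INTEGER, "
        "vol_id INTEGER, fs_type INTEGER)"
    )
    conn.executemany("INSERT INTO tsk_fs_info VALUES (?, ?, ?, ?)", SAMPLE_FS_INFO)
    conn.commit()
    return conn


def mount_commands(conn, image_path, mount_root="/mnt/evidence"):
    """Return one read-only loop mount command per file system found in the database.

    Works for raw (dd-style) images, where offset= selects the volume directly;
    E01 or split images must be presented as a raw device first.
    """
    rows = conn.execute(
        "SELECT fs_id, img_offset FROM tsk_fs_info ORDER BY img_offset"
    ).fetchall()
    cmds = []
    for fs_id, offset in rows:
        target = f"{mount_root}/fs{fs_id}"
        # ro keeps the evidence unchanged; noexec,nodev stop anything on the volume
        # from running or exposing device nodes; noatime avoids touching access times.
        # ro alone does not handle a dirty ext3/ext4 journal cleanly: add noload there.
        cmds.append(
            f"mkdir -p {target} && "
            f"mount -o ro,loop,noexec,nodev,noatime,offset={offset} {image_path} {target}"
        )
    return cmds


if __name__ == "__main__":
    for cmd in mount_commands(build_sample_db(), "/cases/001/disk.dd"):
        print(cmd)
```

The script only prints the commands so they can be reviewed before being run as root against the real image.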

For a concise overview of all the tools that TSK has to offer, take a look at the TSK wiki.