| layout | default |
|---|---|
| title | The Sleuth Kit commands |
| last_modified | 2014-02-14 |

* blkcalc - Converts between unallocated disk unit numbers and regular disk unit numbers.
* blkcat - Display the contents of file system data unit in a disk image.
* blkls - List or output file system data units.
* blkstat - Display details of a file system data unit (i.e. block or sector).
* fcat - Output the contents of a file based on its name.
* ffind - Finds the name of the file or directory using a given inode.
* fiwalk - print the filesystem statistics and exit.
* fls - List file and directory names in a disk image.
* fsstat - Display general details of a file system.
* hfind - Lookup a hash value in a hash database.
* icat - Output the contents of a file based on its inode number.
* ifind - Find the meta-data structure that has allocated a given disk unit or file name.
* ils - List inode information.
* img_cat - Output contents of an image file.
* img_stat - Display details of an image file.
* istat - Display details of a meta-data structure (i.e. inode).
* jcat - Show the contents of a block in the file system journal.
* jls - List the contents of a file system journal.
* jpeg_extract - jpeg extractor.
* mactime - Create an ASCII time line of file activity.
* mmcat - Output the contents of a partition to stdout.
* mmls - Display the partition layout of a volume system (partition tables).
* mmstat - Display details about the volume system (partition tables).
* sigfind - Find a binary signature in a file.
* sorter - Sort files in an image into categories based on file type.
* srch_strings - Display printable strings in files.
* tsk_comparedir - compare the contents of a directory with the contents of an image or local device.
* tsk_gettimes - Collect MAC times from a disk image into a body file.
* tsk_loaddb - populate a SQLite database with metadata from a disk image.
* tsk_recover - Export files from an image into a local directory.


* blkcalc - Converts between unallocated disk unit numbers and regular disk unit numbers.
* blkcat - Display the contents of file system data unit in a disk image.
* blkls - List or output file system data units.
* blkstat - Display details of a file system data unit (i.e. block or sector).
* ffind - Finds the name of the file or directory using a given inode.
* fls - List file and directory names in a disk image.
* fsstat - Display general details of a file system.
* hfind - Lookup a hash value in a hash database.
* icat-sleuthkit - Output the contents of a file based on its inode number.
* ifind - Find the meta-data structure that has allocated a given disk unit or file name.
* ils-sleuthkit - List inode information.
* img_cat - Output contents of an image file.
* img_stat - Display details of an image file.
* istat - Display details of a meta-data structure (i.e. inode).
* jcat - Show the contents of a block in the file system journal.
* jls - List the contents of a file system journal.
* mactime-sleuthkit - Create an ASCII time line of file activity.
* mmcat - Output the contents of a partition to stdout.
* mmls - Display the partition layout of a volume system (partition tables).
* mmstat - Display details about the volume system (partition tables).
* sigfind - Find a binary signature in a file.
* sorter - Sort files in an image into categories based on file type.
* srch_strings - Display printable strings in files.

The list on this page was generated with a Bash command that shows the basic function of each TSK command.
The command used (in Debian) was:

```
eriberto@canopus~$ dpkg -L sleuthkit | grep /usr/bin/ | cut -d"/" -f4 | sort | xargs whatis -l | sed 's/^/*/; s/ (1)//; s/$/./' | tr -s . | tr -s " "
```

You should use the above command to refresh the list.
This page can be accessed through the following short url: http://bit.ly/tsk-commands.