The Sleuth Kit
Autopsy® and The Sleuth Kit® are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows, Linux, OS X, and other Unix systems. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types.
Examiners and analysts can use the Autopsy graphical interface or The Sleuth Kit (TSK) command line tools to conduct an investigation. Join the sleuthkit-users mailing list to ask questions and help others.
Developers can write modules to extend the functionality of both Autopsy and TSK. Refer to the Autopsy Developer's Guide or the TSK Framework Module Writer's Guide for details on how to incorporate your tools into TSK and Autopsy.
If you need a custom, automated solution, you can build one on top of the TSK libraries or the framework. We have also done research on using Hadoop to analyze disk images on cloud computing infrastructure.
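The following is an added example of the command line workflow mentioned above; it is not part of the Sleuth Kit project or its documentation. It uses the real TSK tools and flags (mmls, fls, mactime) to go from a raw disk image to a file activity timeline for one partition: mmls prints the partition layout, fls -m writes a body file, and mactime turns that into a timeline. The image path, the partition slot and the sample mmls output are constructed for the example.

```shell
#!/bin/sh
# Added example, not Sleuth Kit project code. Tool names and flags are TSK's;
# the image name, slot and sample output below are assumptions.

# Constructed sample of what `mmls -t dos image.dd` prints for a one-partition
# MBR image with 512-byte sectors. Embedded so the parser can run without TSK.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0002097151   0002095104   NTFS / exFAT (0x07)'

# start_sector <mmls output> <slot e.g. 000:000>
# Prints the start sector of the partition in that slot, without leading
# zeros, or nothing if the slot is absent. fls/icat/fsstat take this value
# with -o, which is an offset in sectors, not bytes.
start_sector() {
    printf '%s\n' "$1" | awk -v slot="$2" '
        $2 == slot { sub(/^0+/, "", $3); print ($3 == "" ? 0 : $3); exit }'
}

# byte_offset <start sector> [sector size, default 512]
# The byte offset is what non-TSK tools want, e.g. mount -o ro,loop,offset=N
# or dd skip=N iflag=skip_bytes.
byte_offset() {
    echo $(( $1 * ${2:-512} ))
}

# timeline <image> <slot> <output file>
# Standard TSK pipeline: mmls -> fls -r -m / (body file) -> mactime.
# -r recurses into directories, -m / prefixes every path with "/" so the
# body file is usable by mactime, -d makes mactime emit comma-separated output.
timeline() {
    image=$1; slot=$2; out=$3
    sec=$(start_sector "$(mmls "$image")" "$slot") || return 1
    [ -n "$sec" ] || { echo "slot $slot not found in $image" >&2; return 1; }
    fls -o "$sec" -r -m / "$image" > "$out.body" &&
    mactime -b "$out.body" -d > "$out"
}

# Usage (requires TSK and a real image; the hash records what was analyzed):
#   sha256sum image.dd
#   timeline image.dd 000:000 timeline.csv
```

Hash the image before and after analysis and work from a read-only copy; the TSK tools never write to the image, but the hash is how you show that. fls only lists allocated and deleted directory entries it can reach; add `-m` output from a carving pass if you need unallocated content in the same timeline.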
- License Information: several open source licenses; see the license reference page.
- License Ref: http://www.sleuthkit.org/sleuthkit/licenses.php
- Download: http://www.sleuthkit.org/sleuthkit/download.php
- Creating File Activity Timelines - http://wiki.sleuthkit.org/index.php?title=Timeline
- FS Analysis Techniques - http://wiki.sleuthkit.org/index.php?title=FS_Analysis
- Help Docs - http://wiki.sleuthkit.org/index.php?title=Help_Documents
- NTFS Implementation Notes - http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes