The program The Sleuth Kit is a collection of forensic tools that can be used to take a closer look at the hard drive. This makes it possible to recover or partially view deleted files. Support for ntfs, fat, exfat, ufs1, ufs2, ext2fs, ext3fs, etx4, hfs, yaffs2, and iso 9660 formats is provided. For more information, please refer to this page. The developers recently released version 4.8.0 with the following changes:
The Sleuth Kit 4.8.0
- Pool layer was added to support APFS. NOTE: API is likely to change.
- Limited APFS support added in libtsk and some of the command line tools.
— Encryption support is not complete.
— Black Bag Technologies submitted the initial PR. Basis Technology did some minor refactoring.
- Refactoring and minor fixes to logical imager
- Various bug fixes from Google fuzzing efforts and Jonathan B from Afarsec
- Fixed infinite NTFS loop from cyclical attribute lists. Reported by X.
- File system bug fixes from uckelman-sf on github
- DB schema was updated to support pools
- Added concept of JSON in Blackboard Attributes
- Schema supports cascading deletes to enable data source deletion
- Added Pool class and associated infrastructure
- Added methods to support deleting data sources from database
- Removed JavaFX as a dependency by refactoring the recently introduced timeline filtering classes.
- Added attachment support to the blackboard helper package.
|Operating systems||Windows 7, Linux, BSD, macOS, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8, Windows 10, Windows Server 2016|
|Website||The Sleuth Kit|
|License type||Conditions (GNU/BSD/etc.)|