Skip to content
Python bindings for The Sleuth Kit (libtsk)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
dpkg Changes for sdist configuration May 7, 2019
patches Updated to Sleuthkit 4.6.6 (#41) May 6, 2019
sleuthkit @ 83edeb5 Updated to Sleuthkit 4.6.6 (#41) May 6, 2019
talloc Changes to talloc.c Jul 31, 2017
test_data Worked on tests. Dec 23, 2014
tests Changes to and for linting May 26, 2017
travis Changes to Travis CI tests (#43) May 10, 2019
.gitignore Added tox.ini and ran update Feb 26, 2016
.travis.yml Changes to Travis CI tests (#43) May 10, 2019
LICENSE Changes to Travis CI tests (#43) May 10, 2019
README Added use-head option for update Jan 3, 2019
aff4_errors.h Added force build with c99 support Jul 31, 2017
class.c Removed PYTSK_INLINE Jul 31, 2017
class.h Removed PYTSK_INLINE Jul 31, 2017
error.c Fixed various issues regarding memory management and object referencing. Feb 8, 2014 Updated dpkg files. Jan 11, 2015
tox.ini Added tox.ini and ran update Feb 26, 2016
tsk3.c Changes for debugging (#42) May 6, 2019
tsk3.h Removed creation of additional external img info and bug fixes. Mar 20, 2014
version.txt Changes for sdist configuration May 7, 2019


pytsk is a Python binding for the SleuthKit.

The SleuthKit is a complete filesystem analysis tool. In the past
PyFlag shipped a Python binding for a statically compiled version
which was incorporated in the PyFlag source tree (Version 2.78). That
version is now very old and does not support HFS+ which SleuthKit 3.1
does. At the time there were some important functions that we needed
to link to but the old libtsk (the shared object produced by older
SleuthKit binaries) did not export these - which is the reason for
incorporating a slightly modified version in the source tree.

These days things are much better - libtsk is designed to be a
general purpose library with many useful functions linked in. The
overall architecture has been tremendously improved and it is now very
easy to use it from an external program.

This is a Python binding against the libtsk shared object. Our aim is
to make the binding reflect the TSK API as much as possible in
capabilities, while at the same time having a nice Pythonic OO


The new binding just links to libtsk which should make it easier to
maintain against newer versions. We should be able to rewrite all the
SleuthKit tools in Python (using the library and bindings) as a
demonstration of what is possible with the new bindings. This page
documents how to use the binding from a practical point of view - we
want to show examples of how to do some common tasks. There are lots
of sample programs in the samples directory to demonstrate how these
bindings can be used.

If downloaded pytsk using git you'll have to first run:

python update

If you want to use the latest version of Sleuthkit that is checked into git
(also known as HEAD), instead of the currently supported version, you can run:

python update --use-head

To build the bindings just use the standard Python distutils method:

python build
python install

At the top level of the source tree.

The Python binding is autogenerated from the libtsk header files
using a small OO C shim. This means that most of the fields in many of
the structs are already available. We aim to provide most of the
functionality using this shim (e.g. traversing and iterating over
lists etc). The authoritative source of documentation is the library
API linked above.

You can’t perform that action at this time.