
initial import from CVS

0 parents commit 3a78df5c010fde1b12ecec914bf4caa549565e55 @bcarrier bcarrier committed Sep 28, 2008
Showing with 72,131 additions and 0 deletions.
  1. +1,528 −0 CHANGES.txt
  2. +88 −0 INSTALL.txt
  3. +46 −0 Makefile.am
  4. +198 −0 README.txt
  5. +24 −0 README_win32.txt
  6. +190 −0 TODO.txt
  7. +5 −0 bootstrap
  8. +323 −0 config/install-sh
  9. +175 −0 configure.ac
  10. +2 −0 docs/Makefile.am
  11. +4 −0 docs/library-api.txt
  12. +25 −0 docs/nsrl.txt
  13. +5 −0 docs/other.txt
  14. +291 −0 docs/ref_fs.txt
  15. +158 −0 docs/ref_timeline.txt
  16. +121 −0 docs/skins_fat.txt
  17. +136 −0 docs/skins_iso9660.txt
  18. +233 −0 docs/skins_ntfs.txt
  19. +58 −0 docs/skins_windows.txt
  20. +343 −0 licenses/GNU-COPYING
  21. +221 −0 licenses/IBM-LICENSE
  22. +213 −0 licenses/cpl1.0.txt
  23. +4 −0 man/Makefile.am
  24. +77 −0 man/blkcalc.1
  25. +82 −0 man/blkcat.1
  26. +66 −0 man/blkls.1
  27. +40 −0 man/blkstat.1
  28. +8 −0 man/build-html
  29. +38 −0 man/disk_sreset.1
  30. +37 −0 man/disk_stat.1
  31. +57 −0 man/ffind.1
  32. +127 −0 man/fls.1
  33. +44 −0 man/fsstat.1
  34. +148 −0 man/hfind.1
  35. +61 −0 man/icat.1
  36. +68 −0 man/ifind.1
  37. +136 −0 man/ils.1
  38. +27 −0 man/img_cat.1
  39. +28 −0 man/img_stat.1
  40. +53 −0 man/istat.1
  41. +48 −0 man/jcat.1
  42. +42 −0 man/jls.1
  43. +70 −0 man/mactime.1
  44. +39 −0 man/mmcat.1
  45. +76 −0 man/mmls.1
  46. +37 −0 man/mmstat.1
  47. +50 −0 man/sigfind.1
  48. +294 −0 man/sorter.1
  49. +1 −0 samples/.indent.pro
  50. +14 −0 samples/Makefile.am
  51. +315 −0 samples/callback-style.cpp
  52. +349 −0 samples/posix-style.cpp
  53. +1 −0 tests/.indent.pro
  54. +15 −0 tests/Makefile.am
  55. +307 −0 tests/fs_attrlist_apis.cpp
  56. +492 −0 tests/fs_fname_apis.cpp
  57. +732 −0 tests/read_apis.cpp
  58. +1 −0 tools/Makefile.am
  59. +1 −0 tools/disktools/.indent.pro
  60. +15 −0 tools/disktools/Makefile.am
  61. +80 −0 tools/disktools/disk_ide.h
  62. +145 −0 tools/disktools/disk_sreset.cpp
  63. +131 −0 tools/disktools/disk_stat.cpp
  64. +289 −0 tools/disktools/ide.c
  65. +1 −0 tools/fstools/.indent.pro
  66. +26 −0 tools/fstools/Makefile.am
  67. +222 −0 tools/fstools/blkcalc.cpp
  68. +337 −0 tools/fstools/blkcat.cpp
  69. +324 −0 tools/fstools/blkls.cpp
  70. +184 −0 tools/fstools/blkstat.cpp
  71. +206 −0 tools/fstools/ffind.cpp
  72. +302 −0 tools/fstools/fls.cpp
  73. +143 −0 tools/fstools/fscheck.cpp
  74. +166 −0 tools/fstools/fsstat.cpp
  75. +213 −0 tools/fstools/icat.cpp
  76. +316 −0 tools/fstools/ifind.cpp
  77. +360 −0 tools/fstools/ils.cpp
  78. +225 −0 tools/fstools/istat.cpp
  79. +228 −0 tools/fstools/jcat.cpp
  80. +208 −0 tools/fstools/jls.cpp
  81. +1 −0 tools/hashtools/.indent.pro
  82. +14 −0 tools/hashtools/Makefile.am
  83. +293 −0 tools/hashtools/hfind.cpp
  84. +79 −0 tools/hashtools/md5.c
  85. +96 −0 tools/hashtools/sha1.c
  86. +1 −0 tools/imgtools/.indent.pro
  87. +14 −0 tools/imgtools/Makefile.am
  88. +145 −0 tools/imgtools/img_cat.cpp
  89. +110 −0 tools/imgtools/img_stat.cpp
  90. +5 −0 tools/sorter/.perltidyrc
  91. +14 −0 tools/sorter/Makefile.am
  92. +1,758 −0 tools/sorter/sorter.base
  93. +1 −0 tools/srchtools/.indent.pro
  94. +15 −0 tools/srchtools/Makefile.am
  95. +337 −0 tools/srchtools/sigfind.cpp
  96. +669 −0 tools/srchtools/srch_strings.c
  97. +5 −0 tools/timeline/.perltidyrc
  98. +12 −0 tools/timeline/Makefile.am
  99. +842 −0 tools/timeline/mactime.base
  100. +1 −0 tools/vstools/.indent.pro
  101. +15 −0 tools/vstools/Makefile.am
  102. +183 −0 tools/vstools/mmcat.cpp
  103. +316 −0 tools/vstools/mmls.cpp
  104. +148 −0 tools/vstools/mmstat.cpp
  105. +14 −0 tsk3/Makefile.am
  106. +1 −0 tsk3/base/.indent.pro
  107. +14 −0 tsk3/base/Makefile.am
  108. +219 −0 tsk3/base/XGetopt.c
  109. +352 −0 tsk3/base/md5c.c
  110. +91 −0 tsk3/base/mymalloc.c
  111. +400 −0 tsk3/base/sha1c.c
  112. +390 −0 tsk3/base/tsk_base.h
  113. +318 −0 tsk3/base/tsk_base_i.h
  114. +76 −0 tsk3/base/tsk_endian.c
  115. +236 −0 tsk3/base/tsk_error.c
  116. +194 −0 tsk3/base/tsk_list.c
  117. +193 −0 tsk3/base/tsk_os.h
  118. +141 −0 tsk3/base/tsk_parse.c
  119. +128 −0 tsk3/base/tsk_printf.c
  120. +103 −0 tsk3/base/tsk_stack.c
  121. +422 −0 tsk3/base/tsk_unicode.c
  122. +46 −0 tsk3/base/tsk_version.c
  123. +1,429 −0 tsk3/docs/Doxyfile
  124. +47 −0 tsk3/docs/base.dox
  125. +74 −0 tsk3/docs/basics.dox
  126. +7 −0 tsk3/docs/footer.html
  127. +175 −0 tsk3/docs/fs.dox
  128. +27 −0 tsk3/docs/hashdb.dox
  129. +26 −0 tsk3/docs/img.dox
  130. +28 −0 tsk3/docs/main.dox
  131. +37 −0 tsk3/docs/vs.dox
  132. +1 −0 tsk3/fs/.indent.pro
  133. +21 −0 tsk3/fs/Makefile.am
  134. +228 −0 tsk3/fs/dcalc_lib.c
  135. +235 −0 tsk3/fs/dcat_lib.c
  136. +237 −0 tsk3/fs/dls_lib.c
  137. +69 −0 tsk3/fs/dstat_lib.c
  138. +2,226 −0 tsk3/fs/ext2fs.c
  139. +378 −0 tsk3/fs/ext2fs_dent.c
  140. +585 −0 tsk3/fs/ext2fs_journal.c
  141. +1,699 −0 tsk3/fs/fatfs.c
  142. +750 −0 tsk3/fs/fatfs_dent.c
  143. +1,884 −0 tsk3/fs/fatfs_meta.c
  144. +126 −0 tsk3/fs/ffind_lib.c
  145. +2,120 −0 tsk3/fs/ffs.c
  146. +371 −0 tsk3/fs/ffs_dent.c
  147. +253 −0 tsk3/fs/fls_lib.c
  148. +1,164 −0 tsk3/fs/fs_attr.c
  149. +366 −0 tsk3/fs/fs_attrlist.c
  150. +199 −0 tsk3/fs/fs_block.c
  151. +893 −0 tsk3/fs/fs_dir.c
  152. +506 −0 tsk3/fs/fs_file.c
  153. +205 −0 tsk3/fs/fs_inode.c
  154. +110 −0 tsk3/fs/fs_io.c
  155. +43 −0 tsk3/fs/fs_load.c
  156. +565 −0 tsk3/fs/fs_name.c
  157. +264 −0 tsk3/fs/fs_open.c
  158. +117 −0 tsk3/fs/fs_parse.c
  159. +154 −0 tsk3/fs/fs_types.c
  160. +2,889 −0 tsk3/fs/hfs.c
  161. +557 −0 tsk3/fs/hfs_dent.c
  162. +39 −0 tsk3/fs/hfs_journal.c
  163. +597 −0 tsk3/fs/hfs_unicompare.c
  164. +99 −0 tsk3/fs/icat_lib.c
  165. +630 −0 tsk3/fs/ifind_lib.c
  166. +290 −0 tsk3/fs/ils_lib.c
  167. +2,289 −0 tsk3/fs/iso9660.c
  168. +287 −0 tsk3/fs/iso9660_dent.c
  169. +275 −0 tsk3/fs/nofs_misc.c
  170. +4,611 −0 tsk3/fs/ntfs.c
  171. +1,290 −0 tsk3/fs/ntfs_dent.c
  172. +95 −0 tsk3/fs/rawfs.c
  173. +93 −0 tsk3/fs/swapfs.c
  174. +447 −0 tsk3/fs/tsk_ext2fs.h
  175. +387 −0 tsk3/fs/tsk_fatfs.h
  176. +503 −0 tsk3/fs/tsk_ffs.h
  177. +988 −0 tsk3/fs/tsk_fs.h
  178. +242 −0 tsk3/fs/tsk_fs_i.h
  179. +446 −0 tsk3/fs/tsk_hfs.h
  180. +533 −0 tsk3/fs/tsk_iso9660.h
  181. +699 −0 tsk3/fs/tsk_ntfs.h
  182. +388 −0 tsk3/fs/unix_misc.c
  183. +1 −0 tsk3/hashdb/.indent.pro
  184. +12 −0 tsk3/hashdb/Makefile.am
  185. +465 −0 tsk3/hashdb/hk_index.c
  186. +67 −0 tsk3/hashdb/idxonly_index.c
  187. +386 −0 tsk3/hashdb/md5sum_index.c
  188. +626 −0 tsk3/hashdb/nsrl_index.c
  189. +1,161 −0 tsk3/hashdb/tm_lookup.c
  190. +159 −0 tsk3/hashdb/tsk_hashdb.h
  191. +93 −0 tsk3/hashdb/tsk_hashdb_i.h
  192. +1 −0 tsk3/img/.indent.pro
  193. +12 −0 tsk3/img/Makefile.am
  194. +301 −0 tsk3/img/aff.c
  195. +35 −0 tsk3/img/aff.h
  196. +229 −0 tsk3/img/ewf.c
  197. +46 −0 tsk3/img/ewf.h
  198. +141 −0 tsk3/img/img_io.c
  199. +455 −0 tsk3/img/img_open.c
  200. +140 −0 tsk3/img/img_types.c
  201. +296 −0 tsk3/img/raw.c
  202. +36 −0 tsk3/img/raw.h
  203. +420 −0 tsk3/img/split.c
  204. +48 −0 tsk3/img/split.h
  205. +119 −0 tsk3/img/tsk_img.h
  206. +35 −0 tsk3/img/tsk_img_i.h
  207. +10 −0 tsk3/libtsk.h
  208. +181 −0 tsk3/sorter/default.sort
  209. +54 −0 tsk3/sorter/freebsd.sort
  210. +29 −0 tsk3/sorter/images.sort
  211. +50 −0 tsk3/sorter/linux.sort
  212. +54 −0 tsk3/sorter/openbsd.sort
  213. +51 −0 tsk3/sorter/solaris.sort
  214. +111 −0 tsk3/sorter/windows.sort
  215. +161 −0 tsk3/tsk_config.h.in
  216. +10 −0 tsk3/tsk_incs.h
  217. +14 −0 tsk3/tsk_tools_i.h
  218. +1 −0 tsk3/vs/.indent.pro
  219. +13 −0 tsk3/vs/Makefile.am
  220. +241 −0 tsk3/vs/bsd.c
  221. +1,046 −0 tsk3/vs/dos.c
  222. +277 −0 tsk3/vs/gpt.c
  223. +192 −0 tsk3/vs/mac.c
  224. +98 −0 tsk3/vs/mm_io.c
  225. +178 −0 tsk3/vs/mm_open.c
  226. +290 −0 tsk3/vs/mm_part.c
  227. +133 −0 tsk3/vs/mm_types.c
  228. +361 −0 tsk3/vs/sun.c
  229. +80 −0 tsk3/vs/tsk_bsd.h
  230. +48 −0 tsk3/vs/tsk_dos.h
  231. +64 −0 tsk3/vs/tsk_gpt.h
  232. +55 −0 tsk3/vs/tsk_mac.h
  233. +121 −0 tsk3/vs/tsk_sun.h
  234. +145 −0 tsk3/vs/tsk_vs.h
  235. +44 −0 tsk3/vs/tsk_vs_i.h
  236. +28 −0 win32/BUILDING.txt
  237. +191 −0 win32/blkcalc/blkcalc.vcproj
  238. +191 −0 win32/blkcat/blkcat.vcproj
  239. +191 −0 win32/blkls/blkls.vcproj
  240. +191 −0 win32/blkstat/blkstat.vcproj
  241. +191 −0 win32/callback-sample/callback-sample.vcproj
  242. +191 −0 win32/ffind/ffind.vcproj
  243. +191 −0 win32/fls/fls.vcproj
  244. +191 −0 win32/fsstat/fsstat.vcproj
  245. +191 −0 win32/hfind/hfind.vcproj
  246. +191 −0 win32/icat/icat.vcproj
  247. +191 −0 win32/ifind/ifind.vcproj
  248. +191 −0 win32/ils/ils.vcproj
  249. +191 −0 win32/img_cat/img_cat.vcproj
  250. +191 −0 win32/img_stat/img_stat.vcproj
  251. +191 −0 win32/istat/istat.vcproj
  252. +191 −0 win32/jcat/jcat.vcproj
  253. +191 −0 win32/jls/jls.vcproj
  254. +223 −0 win32/libauxtools/libauxtools.vcproj
  255. +357 −0 win32/libfstools/libfstools.vcproj
  256. +199 −0 win32/libhashdbtools/libhashdbtools.vcproj
  257. +213 −0 win32/libimgtools/libimgtools.vcproj
  258. +225 −0 win32/libmmtools/libmmtools.vcproj
  259. +191 −0 win32/mmcat/mmcat.vcproj
  260. +191 −0 win32/mmls/mmls.vcproj
  261. +191 −0 win32/mmstat/mmstat.vcproj
  262. +191 −0 win32/posix-sample/posix-sample.vcproj
  263. +281 −0 win32/tsk-win.sln
1,528 CHANGES.txt

Large diffs are not rendered by default.

@@ -0,0 +1,88 @@
+ The Sleuth Kit
+ http://www.sleuthkit.org/sleuthkit
+
+ Installation Instructions
+
+ Last Modified: Sept 2008
+
+
+REQUIREMENTS
+=============================================================================
+Tested Platform:
+- FreeBSD 2-6.*
+- Linux 2.*
+- OpenBSD 2-3.*
+- Mac OS X
+- SunOS 4-5.*
+- Windows
+
+System:
+- C compiler
+- GNU Make
+
+Optional Programs:
+- Autopsy: Provides a graphical HTML-based interface to The
+Sleuth Kit (which makes it much easier to use). Install this AFTER
+installing The Sleuth Kit.
+ Available at: http://www.sleuthkit.org/autopsy
+
+Optional Libraries:
+There are optional features that TSK can use if you have installed
+them before you build and install TSK.
+
+- AFFLIB: Allows you to process disk images that are stored in the
+AFF format. Version 3.2.5 has been tested to compile and work with this
+release.
+ Available at: http://www.afflib.org
+
+- LibEWF: Allows you to process disk images that are stored in the
+Expert Witness format (EnCase Format). Version 20080501 has been
+tested to compile and work with this release.
+ Available at: https://www.uitwisselplatform.nl/projects/libewf/
+
+
+
+INSTALLATION
+=============================================================================
+
+Refer to the README_win32.txt file for details on Windows.
+
+The Sleuth Kit uses the GNU autotools for building and installation.
+There are a few steps to this process. First, run the 'configure'
+script in the root TSK directory.
+
+ $ ./configure
+
+If there were no errors, then run 'make'.
+
+ $ make
+
+The 'make' process will take a while and will build the TSK tools.
+When this process is complete, the libraries and executables will
+be located in the TSK sub-directories. To install them, type
+'make install'.
+
+ $ make install
+
+By default, this will copy everything in to the /usr/local/ structure.
+So, the executables will be in '/usr/local/bin'. This directory will
+need to be in your PATH if you want to run the TSK commands without
+specifying '/usr/local/bin' everytime.
+
+
+CONFIGURE OPTIONS
+-----------------------------------------------------------------------------
+There are some arguments to 'configure' that you can supply to
+customize the setup. Currently, they focus on the optional disk
+image format libraries.
+
+--disable-afflib: Supply this if you want TSK to ignore AFFLIB even
+if it is installed.
+
+--disable-ewf: Supply this if you want TSK to ignore libewf even
+if it is installed.
+
+
+-----------------------------------------------------------------------------
+Brian Carrier
+carrier <at> sleuthkit <dot> org
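Review bot: the Optional Libraries section tells the reader to install AFFLIB and libewf before building TSK, but nothing in INSTALLATION says how to confirm that configure actually found them, so a build that quietly fell back to raw/split image support only looks identical to a successful one; suggest one sentence on what to look for in the configure output, and a cross-reference from the --disable-afflib / --disable-ewf options back to the tested versions (AFFLIB 3.2.5, libewf 20080501) so the two sections stay in sync. Minor: "Mac OS X" is the only Tested Platform entry without a version range, and "everytime" should be "every time".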
@@ -0,0 +1,46 @@
+# Files that we want to include in the dist
+EXTRA_DIST = README_win32.txt README.txt INSTALL.txt TODO.txt CHANGES.txt \
+ licenses/GNU-COPYING licenses/IBM-LICENSE licenses/cpl1.0.txt \
+ docs/library-api.txt \
+ win32/BUILDING.txt \
+ win32/blkcalc/blkcalc.vcproj win32/blkcat/blkcat.vcproj \
+ win32/blkls/blkls.vcproj win32/blkstat/blkstat.vcproj \
+ win32/ffind/ffind.vcproj win32/fls/fls.vcproj \
+ win32/fsstat/fsstat.vcproj win32/hfind/hfind.vcproj \
+ win32/icat/icat.vcproj win32/ifind/ifind.vcproj \
+ win32/ils/ils.vcproj win32/img_cat/img_cat.vcproj \
+ win32/img_stat/img_stat.vcproj \
+ win32/istat/istat.vcproj win32/jcat/jcat.vcproj \
+ win32/jls/jls.vcproj win32/mmls/mmls.vcproj \
+ win32/mmstat/mmstat.vcproj win32/mmcat/mmcat.vcproj \
+ win32/tsk-win.sln \
+ win32/libauxtools/libauxtools.vcproj \
+ win32/libfstools/libfstools.vcproj \
+ win32/libhashdbtools/libhashdbtools.vcproj \
+ win32/libimgtools/libimgtools.vcproj \
+ win32/libmmtools/libmmtools.vcproj \
+ win32/posix-sample/posix-sample.vcproj \
+ win32/callback-sample/callback-sample.vcproj
+
+
+# directories to compile
+SUBDIRS = tsk3 tools tests samples docs man
+
+nobase_include_HEADERS = tsk3/libtsk.h tsk3/tsk_incs.h \
+ tsk3/base/tsk_base.h tsk3/base/tsk_os.h \
+ tsk3/img/tsk_img.h tsk3/vs/tsk_vs.h \
+ tsk3/vs/tsk_bsd.h tsk3/vs/tsk_dos.h tsk3/vs/tsk_gpt.h \
+ tsk3/vs/tsk_mac.h tsk3/vs/tsk_sun.h \
+ tsk3/fs/tsk_fs.h tsk3/fs/tsk_ffs.h tsk3/fs/tsk_ext2fs.h tsk3/fs/tsk_fatfs.h \
+ tsk3/fs/tsk_ntfs.h tsk3/fs/tsk_iso9660.h tsk3/fs/tsk_hfs.h \
+ tsk3/hashdb/tsk_hashdb.h
+
+nobase_dist_data_DATA = tsk3/sorter/default.sort tsk3/sorter/freebsd.sort \
+ tsk3/sorter/images.sort tsk3/sorter/linux.sort tsk3/sorter/openbsd.sort \
+ tsk3/sorter/solaris.sort tsk3/sorter/windows.sort
+
+api-docs:
+ doxygen tsk3/docs/Doxyfile
+
+man-html:
+ cd man;build-html
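Review bot: the man-html target runs `cd man;build-html`, which looks up build-html on PATH instead of running the script added in the man directory, and because the two commands are joined with `;` rather than `&&`, a failed cd still executes whatever `build-html` resolves to from the top-level directory; suggest `cd man && ./build-html`.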
@@ -0,0 +1,198 @@
+ The Sleuth Kit
+ README File
+
+ http://www.sleuthkit.org/sleuthkit
+
+ Last Modified: Sept 2008
+
+
+INTRODUCTION
+=============================================================================
+The Sleuth Kit is an open source forensic toolkit for analyzing
+Microsoft and UNIX file systems and disks. The Sleuth Kit enables
+investigators to identify and recover evidence from images acquired
+during incident response or from live systems. The Sleuth Kit is
+open source, which allows investigators to verify the actions of
+the tool or customize it to specific needs.
+
+The Sleuth Kit uses code from the file system analysis tools of
+The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The
+TCT code was modified for platform independence. In addition,
+support was added for the NTFS (see docs/ntfs.README) and FAT (see
+docs/fat.README) file systems. Previously, The Sleuth Kit was
+called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independant
+of any commercial or academic organizations.
+
+It is recommended that these command line tools can be used with
+the Autopsy Forensic Browser. Autopsy, (http://www.sleuthkit.org/autopsy),
+is a graphical interface to the tools of The Sleuth Kit and automates
+many of the procedures and provides features such as image searching
+and MD5 image integrity checks.
+
+As with any investigation tool, any results found with The Sleuth
+Kit should be be recreated with a second tool to verify the data.
+
+
+
+OVERVIEW
+=============================================================================
+The Sleuth Kit allows one to analyze a disk or file system image
+created by 'dd', or a similar application that creates a raw image.
+These tools are low-level and each performs a single task. When
+used together, they can perform a full analysis. For a more detailed
+description of these tools, refer to docs/filesystem.README. The
+tools are briefly described in a file system layered approach. Each
+tool name begins with a letter that is assigned to the layer.
+
+
+File System Layer:
+A disk contains one or more partitions (or slices). Each of these
+partitions contain a file system. Examples of file systems include
+the Berkeley Fast File System (FFS), Extended 2 File System (EXT2FS),
+File Allocation Table (FAT), and New Technologies File System (NTFS).
+
+The fsstat tool displays file system details in an ASCII format.
+Examples of data in this display include volume name, last mounting
+time, and the details about each "group" in UNIX file systems.
+
+
+Content Layer (block):
+The content layer of a file system contains the actual file content,
+or data. Data is stored in large chunks, with names such as blocks,
+fragments, and clusters. All tools in this layer begin with the letters
+'blk'.
+
+The blkcat tool can be used to display the contents of a specific unit of
+the file system (similar to what 'dd' can do with a few arguments).
+The unit size is file system dependent. The 'blkls' tool displays the
+contents of all unallocated units of a file system, resulting in a
+stream of bytes of deleted content. The output can be searched for
+deleted file content. The 'blkcalc' program allows one to identify the
+unit location in the original image of a unit in the 'blkls' generated
+image.
+
+A new feature of The Sleuth Kit from TCT is the '-l' argument to
+'blkls' (or 'unrm' in TCT). This argument lists the details for data
+units, similar to the 'ils' command. The 'blkstat' tool displays
+the statistics of a specific data unit (including allocation status
+and group number).
+
+
+Metadata Layer (inode):
+The metadata layer describes a file or directory. This layer contains
+descriptive data such as dates and size as well as the addresses of the
+data units. This layer describes the file in terms that the computer
+can process efficiently. The structures that the data is stored in
+have names such as inode and directory entry. All tools in this layer
+begin with an 'i'.
+
+The 'ils' program lists some values of the metadata structures.
+By default, it will only list the unallocated ones. The 'istat'
+displays metadata information in an ASCII format about a specific
+structure. New to The Sleuth Kit is that 'istat' will display the
+destination of symbolic links. The 'icat' function displays the
+contents of the data units allocated to the metadata structure
+(similar to the UNIX cat(1) command). The 'ifind' tool will identify
+which metadata structure has allocated a given content unit or
+file name.
+
+Refer to the ntfs.README doc for information on addressing metadata
+attributes in NTFS.
+
+
+Human Interface Layer (file):
+The human interface layer allows one to interact with files in a
+manner that is more convenient than directly with the metadata
+layer. In some operating systems there are separate structures for
+the metadata and human interface layers while others combine them.
+All tools in this layer begin with the letter 'f'.
+
+The 'fls' program lists file and directory names. This tool will
+display the names of deleted files as well. The 'ffind' program will
+identify the name of the file that has allocated a given metadata
+structure. With some file systems, deleted files will be identified.
+
+
+Time Line Generation
+-----------------------------------------------------------------------------
+Time lines are useful to quickly get a picture of file activity.
+Using The Sleuth Kit a time line of file MAC times can be easily
+made. The mactime (TCT) program takes as input the 'body' file
+that was generated by fls and ils. To get data on allocated and
+unallocated file names, use 'fls -rm dir' and for unallocated inodes
+use 'ils -m'. Note that the behavior of these tools are different
+than in TCT. For more information, refer to docs/mac.README.
+
+
+Hash Databases
+-----------------------------------------------------------------------------
+Hash databases are used to quickly identify if a file is known. The
+MD5 or SHA-1 hash of a file is taken and a database is used to identify
+if it has been seen before. This allows identification to occur even
+if a file has been renamed.
+
+The Sleuth Kit includes the 'md5' and 'sha1' tools to generate
+hashes of files and other data.
+
+Also included is the 'hfind' tool. The 'hfind' tool allows one to create
+an index of a hash database and perform quick lookups using a binary
+search algorithm. The 'hfind' tool can perform lookups on the NIST
+National Software Reference Library (NSRL) (www.nsrl.nist.gov) and
+files created from the 'md5' or 'md5sum' command. Refer to the
+docs/hfind.README file for more details.
+
+
+File Type Categories
+-----------------------------------------------------------------------------
+Different types of files typically have different internal structure.
+The 'file' command comes with most versions of UNIX and a copy is
+also distributed with The Sleuth Kit. This is used to identify
+the type of file or other data regardless of its name and extension.
+It can even be used on a given data unit to help identify what file
+used that unit for storage. Note that the 'file' command typically
+uses data in the first bytes of a file so it may not be able to
+identify a file type based on the middle blocks or clusters.
+
+The 'sorter' program in The Sleuth Kit will use other Sleuth Kit
+tools to sort the files in a file system image into categories.
+The categories are based on rule sets in configuration files. The
+'sorter' tool will also use hash databases to flag known bad files
+and ignore known good files. Refer to the 'docs/sorter.README'
+file for more details.
+
+
+LICENSE
+=============================================================================
+The file system tools (in the src/fstools directory) are released
+under the IBM open source license and Common Public License, both
+are located in the license directory. The modifications to 'mactime'
+from the original 'mactime' in TCT and 'mac-daddy' are released
+under the Common Public License. Other tools in the src directory
+are either Common Public License or the GNU Public License.
+
+
+INSTALL
+=============================================================================
+For installation instructions, refer to the INSTALL document.
+
+
+OTHER DOCS
+=============================================================================
+The 'docs' directory contains documents that describe the provided tools
+in more detail. The Sleuth Kit Informer is a newsletter that contains
+new documentation and articles.
+
+ www.sleuthkit.org/informer/
+
+
+MAILING LIST
+=============================================================================
+Mailing lists exist on SourceForge, for both users and a low-volume
+announcements list.
+
+ http://sourceforge.net/mail/?group_id=55685
+
+
+-----------------------------------------------------------------------------
+Brian Carrier
+carrier <at> sleuthkit <dot> org
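Review bot: several cross-references in this README point at files that are not part of this import: docs/ntfs.README, docs/fat.README, docs/filesystem.README, docs/mac.README, docs/hfind.README and docs/sorter.README (the docs directory added here contains ref_fs.txt, ref_timeline.txt, nsrl.txt and the skins_*.txt files), and the LICENSE section refers to "src/fstools" while the tree is tools/fstools; suggest updating these to the new names or dropping them. "Refer to the INSTALL document" should name INSTALL.txt, and there are typos to fix: "independant", "should be be", "the behavior of these tools are different".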
@@ -0,0 +1,24 @@
+ The Sleuth Kit
+ Win32 README File
+
+ http://www.sleuthkit.org/sleuthkit
+
+ Last Modified: Sept 2008
+
+====================================================================
+The Sleuth Kit (TSK) runs on Windows. If you simply want the
+executables, you can download them from the www.sleuthkit.org
+website.
+
+If you want to build your own executables, you have two options.
+One is to use Microsoft Visual Studio. The VS solution file is in
+the win32 directory. Refer to the BUILDING.txt file in that directory
+for details.
+
+You can also compile Windows executables on Linux using mingw32.
+Simply give the "--host=i586-mingw32msvc" argument when running the
+'./configure' script and use 'make' to compile.
+
+-------------------------------------------------------------------
+carrier <at> sleuthkit <dot> org
+Brian Carrier
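Review bot: the first paragraph sends readers to prebuilt executables on www.sleuthkit.org without saying how to verify what they downloaded; for tools that will be run against evidence, suggest stating where release hashes or signatures can be checked, or saying plainly that none are published. Also the mingw32 cross-build (`--host=i586-mingw32msvc`) is not mentioned under CONFIGURE OPTIONS in INSTALL.txt, and the signature block here puts the e-mail line above the name, the reverse of INSTALL.txt and README.txt.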

0 comments on commit 3a78df5
