TSK – fls

Digital Forensics with The Sleuth Kit - fls

In The Sleuth Kit (TSK), “fls” is a command line tool used to recover or display information about the files and directories in a given image or file system. “fls” works by reading the file system metadata, such as the file allocation table (FAT) or inode tables, to locate the files and directories of interest. The tool then generates a list of file and directory names, along with other relevant information such as timestamps, inode numbers, and file sizes.

The “fls” tool is commonly used in digital forensics and incident response to quickly locate specific files or directories within an image or file system, or to generate a directory tree for analysis. The output of “fls” can be used in conjunction with other tools, such as “icat”, to recover or display the contents of specific files.

The Sleuth Kit Tools

TSK – fsstat

Digital Forensics with The Sleuth Kit - fsstat

In The Sleuth Kit (TSK), “fsstat” is a command line tool that provides information about the file system structure and metadata of a given image or file system. The “fsstat” command works by analyzing the file system metadata, such as the file system’s superblock and inode tables, to extract information about the file system layout, block size, total size, and other relevant details.

This information is then displayed to the user, providing a high-level overview of the file system and its characteristics. “fsstat” is commonly used in digital forensics and incident response to quickly gain an understanding of the file system and to identify any unusual or suspicious characteristics that may indicate a security incident.

TSK – icat

Digital Forensics with The Sleuth Kit - icat

In The Sleuth Kit (TSK), “icat” is a command line tool used to recover or display the contents of a specific file or data object in a given image or file system. The “icat” tool works by reading the file system metadata to locate the file or data object of interest and then reading the raw data associated with that object.

The contents of the file can then be displayed to the user or saved to disk. “icat” is commonly used in digital forensics and incident response to recover deleted or damaged files, or to retrieve specific data of interest for analysis.
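
The fls-to-icat hand-off described above, as an added example that is not part of the original page: it parses fls listing lines and builds icat command lines for deleted regular files, skipping entries marked "(realloc)" because their metadata now belongs to another file. The image name `disk.img`, the offset `2048`, the helper names and the sample listing are assumptions constructed for illustration.

```python
import re
import shlex
from dataclasses import dataclass

# One fls line: optional "+" depth markers (from -r), name-type/metadata-type,
# optional "*" for a deleted entry, metadata address, optional "(realloc)", name.
FLS_LINE = re.compile(
    r"^(?P<depth>\+*)\s*(?P<ntype>[a-z-])/(?P<mtype>[a-z-])\s+"
    r"(?P<deleted>\*\s+)?(?P<addr>\d+(?:-\d+)*)(?P<realloc>\(realloc\))?:\s+(?P<name>.*)$"
)

@dataclass
class Entry:
    depth: int      # directory depth in a recursive listing
    mtype: str      # type according to the metadata structure (r = regular file)
    deleted: bool   # True when the name entry is unallocated
    realloc: bool   # True when the metadata entry was reused by another file
    addr: str       # metadata address to pass to icat
    name: str

def parse_fls(text):
    """Parse fls listing text into Entry records, ignoring lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m:
            entries.append(Entry(len(m["depth"]), m["mtype"], bool(m["deleted"]),
                                 bool(m["realloc"]), m["addr"], m["name"]))
    return entries

def icat_commands(entries, image, offset):
    """Build icat argv lists for deleted regular files whose metadata was not reallocated."""
    return [["icat", "-o", str(offset), image, e.addr]
            for e in entries
            if e.deleted and e.mtype == "r" and not e.realloc]

# Constructed sample listing (not taken from a real image).
SAMPLE = "\n".join([
    "d/d 64-144-2:\tUsers",
    "+ r/r 1234-128-1:\tnotes.txt",
    "+ r/r * 5678-128-1:\tbudget.xlsx",
    "+ r/r * 9012-128-1(realloc):\told.tmp",
    "d/d * 77-144-1:\tscratch",
])

if __name__ == "__main__":
    for cmd in icat_commands(parse_fls(SAMPLE), "disk.img", 2048):
        print(shlex.join(cmd))
```

Redirect each printed command's output to a file outside the evidence image to save the recovered content.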