Forensics - Sleuthkit and Autopsy

Linux CLI command reference for Sleuthkit

Determine the filesystem and offset
mmls [image]
fsstat -o [offset in sectors] [image]
File Name layer
General syntax: [command] -o [offset] -f [filesystem] [image] 
Command
Information
fls
List allocated and deleted filenames (-r; -d; "/path"; -m timeline)
ffind
Search by filename (-a all names)
Metadata layer
General syntax: [command] -o [offset] -f [filesystem] [image] 
Command
Information
ils
List inode information (-r default removed only; -m mactime data; -e all inodes; -o find w/out filename; -z never used)
istat
View details of an inode
icat
Extract data at an inode
ifind
Find the inode corresponding to a data block (-d)
Data Unit layer
General syntax: [command] -o [offset] -f [filesystem] [image] 
Command
Information
blkls
List data blocks and details
blkstat
View details of a data block (-h)
blkcat
Extract contents of a data block
blkcalc
​
Other
Command
Information
mactime
Create a timeline from f/i tools (pipe to mactime -b) 
References
​The Forensic-Cheat-Sheet for Linux and TSK​

Hacker Mode - Previous

CMD and Powershell

PWN, Assembly, and Smashing the Stack

Last modified 1yr ago

Command	Information
fls	List allocated and deleted filenames (-r; -d; "/path"; -m timeline)
ffind	Search by filename (-a all names)

Command	Information
ils	List inode information (-r default removed only; -m mactime data; -e all inodes; -o find w/out filename; -z never used)
istat	View details of an inode
icat	Extract data at an inode
ifind	Find the inode corresponding to a data block (-d)

Command	Information
blkls	List data blocks and details
blkstat	View details of a data block (-h)
blkcat	Extract contents of a data block
blkcalc

Command	Information
mactime	Create a timeline from f/i tools (pipe to mactime -b)