π
π
π
π
(Useful) Notes
Searchβ¦
Tools List
Hacker Mode
Nmap
SQL
Reverse Shells and SSH
File Transfer
Linux Privilege Escalation
Bash-fo
CMD and Powershell
Forensics - Sleuthkit and Autopsy
PWN, Assembly, and Smashing the Stack
Python
Python Quirks and Tricks
[Unfinished] NodeJS Quirks
Powered By
GitBook
Forensics - Sleuthkit and Autopsy
Linux CLI command reference for Sleuthkit
Determine the filesystem and offset
mmls [image]
fsstat -o [offset in sectors] [image]
File Name layer
General syntax:
[command] -o [offset] -f [filesystem] [image]
Command
Information
fls
List allocated and deleted filenames (
-r
;
-d
; "/path";
-m
timeline)
ffind
Search by filename (
-a
all names)
Metadata layer
General syntax:
[command] -o [offset] -f [filesystem] [image]
Command
Information
ils
List inode information (
-r
default removed only;
-m
mactime data;
-e
all inodes;
-o
find w/out filename;
-z
never used)
istat
View details of an inode
icat
Extract data at an inode
ifind
Find the inode corresponding to a data block (-d)
Data Unit layer
General syntax:
[command] -o [offset] -f [filesystem] [image]
Command
Information
blkls
List data blocks and details
blkstat
View details of a data block (-h)
blkcat
Extract contents of a data block
blkcalc
β
Other
Command
Information
mactime
Create a timeline from f/i tools (pipe to mactime -b)
References
β
The Forensic-Cheat-Sheet for Linux and TSK
β
Hacker Mode - Previous
CMD and Powershell
Next
PWN, Assembly, and Smashing the Stack
Last modified
1yr ago
Copy link
On this page