sleuthkit  4.3.0
About: The Sleuth Kit is a forensic toolkit for analyzing Microsoft and UNIX file systems and disks.
  Fossies Dox: sleuthkit-4.3.0.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

The Sleuth Kit Java Bindings Developer's Guide and API Reference


These classes allow Java programs to access data extracted by The Sleuth Kit.

The Sleuth Kit is primarily a C/C++ library and set of command line tools. These classes allow programs to obtain the data that TSK can produce. The typical steps would be to use JNI to cause the TSK library to create and populate a SQLite or PostgreSQL database. The Java classes then directly open the database and perform queries on it.


NOTE: This needs to be expanded on.

Adding Data to Case

Use SleuthkitCase.newCase() or SleuthkitCase.openCase() to obtain an instance of a SleuthkitCase object. To add data to the case, use SleuthkitCase.makeAddImageProcess() to get an AddImageProcess object, which lets you populate the database within the scope of a transaction and get feedback on its progress.

To add a local file (logical file) you can use methods such as SleuthkitCase.addLocalFile().

Analyzing Data in Case

You can access files directly using methods such as SleuthkitCase.findFiles() or SleuthkitCase.getAbstractFileById().

You can also access the data in its tree form by starting with SleuthkitCase.getImages() and then calling getChildren() on each of the returned objects. See the section below on the basics of the data model structure.
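The two steps above (adding an image in a transaction, then walking the tree from getImages() via getChildren()) as an added example; this is not code from the guide or the project. It assumes the 4.3.0 signatures makeAddImageProcess(timeZone, addUnallocSpace, noFatFsOrphans) and AddImageProcess.run(deviceId, imagePaths), and the database and image paths are placeholders. Regular files are hashed through AbstractFile.read() so the walk doubles as an integrity manifest.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.SleuthkitCase.AddImageProcess;
import org.sleuthkit.datamodel.TskException;

public class CaseWalk {
    public static void main(String[] args) throws Exception {
        // Placeholder paths: a new SQLite case database and one raw disk image.
        SleuthkitCase skCase = SleuthkitCase.newCase("/tmp/example-case.db");
        AddImageProcess proc = skCase.makeAddImageProcess("UTC", true, false);
        try {
            proc.run("device-1", new String[] {"/evidence/disk.dd"});
            proc.commit();   // image and its object tree are now persisted
        } catch (TskException e) {
            proc.revert();   // roll back so no half-populated image remains
            throw e;
        }
        for (Image img : skCase.getImages()) walk(img, 0); // each data source
        skCase.close();
    }
    // Depth-first walk over getChildren(); regular files get a SHA-256.
    static void walk(Content c, int depth) throws Exception {
        StringBuilder line = new StringBuilder();
        for (int i = 0; i < depth; i++) line.append("  ");
        line.append(c.getName()).append(" (objId=").append(c.getId()).append(')');
        if (c instanceof AbstractFile && ((AbstractFile) c).isFile()) {
            line.append(" sha256=").append(sha256((AbstractFile) c));
        }
        System.out.println(line);
        for (Content child : c.getChildren()) walk(child, depth + 1);
    }
    // Reads content through TSK in 64 KiB chunks rather than loading the file whole.
    static String sha256(AbstractFile f) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[64 * 1024];
        long off = 0;
        while (off < f.getSize()) {
            int n = f.read(buf, off, buf.length);
            if (n <= 0) break;
            md.update(buf, 0, n);
            off += n;
        }
        return String.format("%064x", new BigInteger(1, md.digest()));
    }
}
```

Deleted and unallocated content is included in the walk because addUnallocSpace is true; pass false if only allocated files are of interest.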

Class Hierarchy

Flesh out here on general layout.

The Blackboard

The Database

How to Query the Database
How to INSERT and UPDATE into the Database