sleuthkit  4.6.4
About: The Sleuth Kit is a forensic toolkit for analyzing Microsoft and UNIX file systems and disks.
  Fossies Dox: sleuthkit-4.6.4.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

The Sleuth Kit Java Bindings Developer's Guide and API Reference

Overview

These classes allow Java programs to access data extracted by The Sleuth Kit.

The Sleuth Kit is primarily a C/C++ library and set of command line tools. These classes allow programs to obtain the data that TSK can produce. The typical steps would be to use JNI to cause the TSK library to create and populate a SQLite or PostgreSQL database. The Java classes then directly open the database and perform queries on it.

Types of Classes

There are three broad types of classes in this package:

Basic Workflow

Adding Data to Case

To get data into the database (which is needed before you get it into a Java object), you need to call some org.sleuthkit.datamodel.SleuthkitCase methods.

To open or create a case, call org.sleuthkit.datamodel.SleuthkitCase.newCase() or org.sleuthkit.datamodel.SleuthkitCase.openCase().

To add a disk image to the case, use org.sleuthkit.datamodel.SleuthkitCase.makeAddImageProcess() to get a org.sleuthkit.datamodel.SleuthkitJNI.CaseDbHandle.AddImageProcess object that allows you to populate the database in the scope of a transaction and get feedback on its update process.

To add a local file (logical file) you can use methods such as org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().

Analyzing Data in Case

You can either access files directly using methods such as org.sleuthkit.datamodel.SleuthkitCase.findFiles() or org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById().

You can also access the data in its tree form by starting with org.sleuthkit.datamodel.SleuthkitCase.getImages() and then calling getChildren() on each of the returned objects. See the section below on basics of the datamodel structure.

Other Topics

  • The Blackboard is where analysis modules (such as those in Autopsy) can post and save their results.
  • Communications is where analysis modules can store and retrieve communications-related data.
  • Refer to Query the Database if you are going to use one of the SleuthkitCase methods that requires you to specify a query.
  • Refer to Inserting Data if you are a Sleuth Kit developer and want to avoid database issues.