sleuthkit  4.6.6
About: The Sleuth Kit is a forensic toolkit for analyzing Microsoft and UNIX file systems and disks.
  Fossies Dox: sleuthkit-4.6.6.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

The Sleuth Kit (TSK) Framework User's Guide and API Reference


The framework in TSK makes it easier to build automated, end-to-end digital forensics applications.
If you need only volume and file system-level support, then the original Sleuth Kit library may be all you need.
If you want a more comprehensive disk image analysis solution, the framework will help. Its plug-in pipelines allow you to incorporate a variety of analysis techniques into your application.

The framework was designed to be used in a distributed environment so that jobs could be scheduled among a cluster of computers, but it can also be used to create desktop applications. The tsk_analyzeimg program provided with the Sleuth Kit is an example of a simple desktop program that uses the framework.

This document is for:

  • Users of tools that leverage the framework.
  • Developers who want to make modules for the framework.
  • Developers who want to integrate the framework into a larger system.

Framework Overview

The following pages contain an overview of the framework. Both users and developers should be familiar with this content.

Developers Guide to Building Modules

The following pages are relevant when developing modules to be used in the framework.

Developers Guide to Using the Framework

The following pages are relevant when integrating the framework into a new or existing application.

Application developers may also wish to examine the source code for tsk_analyzeimg, which is included with the framework.
It is a single-threaded command line program that analyzes a disk image using the framework's pipeline infrastructure to run a file analysis pipeline and a post-processing pipeline.