sleuthkit  4.7.0
About: The Sleuth Kit is a forensic toolkit for analyzing Microsoft and UNIX file systems and disks.

The Sleuth Kit (TSK) Framework User's Guide and API Reference


The framework in TSK makes it easier to build automated, end-to-end digital forensics applications.
If you need only volume and file system-level support, then the original Sleuth Kit library may be all you need.
If you want a more comprehensive disk image analysis solution, the framework will help: its plug-in pipelines let you incorporate a variety of analysis techniques into your application.

The framework was designed to be used in a distributed environment, so that jobs can be scheduled across a cluster of computers, but it can also be used to build desktop applications. The tsk_analyzeimg program provided with The Sleuth Kit is an example of a simple desktop program that uses the framework.

This document is for:

  • Users of tools that leverage the framework.
  • Developers who want to make modules for the framework.
  • Developers who want to integrate the framework into a larger system.

Framework Overview

The following pages contain an overview of the framework. Both users and developers should be familiar with this content.

Developers Guide to Building Modules

The following pages are relevant when developing modules to be used in the framework.

Developers Guide to Using the Framework

The following pages are relevant when integrating the framework into a new or existing application.

Application developers may also wish to examine the source code for tsk_analyzeimg, which is included with the framework.
It is a single-threaded command line program that analyzes a disk image using the framework's pipeline infrastructure to run a file analysis pipeline and a post-processing pipeline.
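As an added illustration of the two-pipeline structure that tsk_analyzeimg drives (a per-file analysis pipeline followed by a post-processing pipeline), here is a self-contained C++ sketch. It is not the framework's API and not code from the project: the module interface, the class and function names (Module, FileRecord, Session, runFileAnalysis, runPostProcessing), and the policy that a failing module only skips the remaining modules for that one file are assumptions made for the example, and the sample files are constructed in memory.

```cpp
// Added illustration of a file-analysis pipeline followed by a post-processing
// pipeline. Names and the failure policy are assumed for this example and are
// not the TSK framework's API; the sample files below are constructed.
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

enum class Status { OK, FAIL };

// What a per-file module sees: name, leading bytes of content, and the
// attributes that earlier modules in the pipeline attached to the file.
struct FileRecord {
    std::string name;
    std::vector<uint8_t> header;
    std::map<std::string, std::string> attrs;
};

// State shared by the whole run; post-processing modules aggregate into it.
struct Session {
    std::vector<FileRecord> files;
    std::map<std::string, int> typeCounts;
    std::vector<std::string> mismatched;
};

// A plug-in. Per-file modules override runFile; post-processing modules
// override runPost. Each hook defaults to a no-op.
class Module {
public:
    virtual ~Module() = default;
    virtual Status runFile(FileRecord&) { return Status::OK; }
    virtual Status runPost(Session&) { return Status::OK; }
};

// File-analysis module 1: classify by magic bytes and record a "type" attribute.
class MagicClassifier : public Module {
    Status runFile(FileRecord& f) override {
        static const std::map<std::string, std::vector<uint8_t>> sigs = {
            {"pe",  {0x4D, 0x5A}},
            {"elf", {0x7F, 'E', 'L', 'F'}},
            {"pdf", {'%', 'P', 'D', 'F'}},
        };
        f.attrs["type"] = "unknown";
        for (const auto& sig : sigs) {
            const auto& m = sig.second;
            if (f.header.size() >= m.size() &&
                std::equal(m.begin(), m.end(), f.header.begin())) {
                f.attrs["type"] = sig.first;
                break;
            }
        }
        return Status::OK;
    }
};

// File-analysis module 2: depends on module 1's result. A PE image whose
// extension is not exe/dll/sys gets flagged (a common way to hide executables).
class ExtensionCheck : public Module {
    Status runFile(FileRecord& f) override {
        auto dot = f.name.rfind('.');
        std::string ext = dot == std::string::npos ? "" : f.name.substr(dot + 1);
        if (f.attrs["type"] == "pe" && ext != "exe" && ext != "dll" && ext != "sys")
            f.attrs["ext_mismatch"] = "true";
        return Status::OK;
    }
};

// Post-processing module: runs once after every file has been analysed.
class Summary : public Module {
    Status runPost(Session& s) override {
        for (auto& f : s.files) {
            ++s.typeCounts[f.attrs["type"]];
            if (f.attrs.count("ext_mismatch")) s.mismatched.push_back(f.name);
        }
        return Status::OK;
    }
};

using Modules = std::vector<std::unique_ptr<Module>>;

// Every file passes through the modules in order. A FAIL stops the remaining
// modules for that file only (assumed policy). Returns the number of files
// on which some module failed.
size_t runFileAnalysis(Session& s, Modules& mods) {
    size_t failed = 0;
    for (auto& f : s.files)
        for (auto& m : mods)
            if (m->runFile(f) == Status::FAIL) { ++failed; break; }
    return failed;
}

// Post-processing modules run once, in order, over the whole session.
Status runPostProcessing(Session& s, Modules& mods) {
    for (auto& m : mods)
        if (m->runPost(s) == Status::FAIL) return Status::FAIL;
    return Status::OK;
}

// Constructed sample: four files with synthetic headers, run through both pipelines.
Session analyzeSample() {
    Session s;
    s.files = {
        {"report.pdf", {'%', 'P', 'D', 'F', '-'}, {}},
        {"photo.jpg",  {0x4D, 0x5A, 0x90, 0x00}, {}},   // PE content hiding as an image
        {"setup.exe",  {0x4D, 0x5A, 0x90, 0x00}, {}},
        {"notes.txt",  {'h', 'i'}, {}},
    };
    Modules fileMods;
    fileMods.emplace_back(new MagicClassifier());
    fileMods.emplace_back(new ExtensionCheck());   // order matters: needs "type"
    Modules postMods;
    postMods.emplace_back(new Summary());
    runFileAnalysis(s, fileMods);
    runPostProcessing(s, postMods);
    return s;
}

int main() {
    Session s = analyzeSample();
    for (auto& kv : s.typeCounts) std::cout << kv.first << ": " << kv.second << "\n";
    for (auto& n : s.mismatched) std::cout << "extension mismatch: " << n << "\n";
    return 0;
}
```

The point of the split is the one the text makes: per-file modules see one file at a time and can only attach results to it, while post-processing modules run after the whole image has been walked and can aggregate, which is why the summary and the mismatch list live in the second stage.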