The Sleuth Kit (TSK) is a fairly comprehensive collection of tools for analyzing and recovering files from disk images, useful for postmortem computer forensics in a corporate investigation of unauthorized use, an issue of workplace harassment, or a criminal investigation by law enforcement. TSK is the tool to use to dig deep into the disk.
When it comes to forensics at the file system level, TSK combines a number of command-line utilities (including fls to display file names within a file system, fsstat to show file system statistical data, and ils to list metadata entries, among others) with support for common file systems (including NTFS, FAT, ExFAT, UFS, EXT, and HFS), allowing you to examine Windows, many Linux, and most Mac OS X systems. Need to go deeper? TSK also allows you to drill down to the bits of a hard disk image to see what may be hidden within.
Working hand in glove with TSK is Autopsy, a GUI-based tool for searching disk images. Autopsy, by default, will search for recent user activity, email, pictures, IP addresses, phone numbers, URLs, and other interesting file types and tidbits. You can have Autopsy search for specific keywords and regex strings, or use it to dredge up files that contain audio or video, a plethora of document types, or any number of executable file types.
Between TSK and Autopsy, you can be sure that any disk you examine will reveal its secrets.
-- Victor R. Garza