The Sleuth Kit Cheat Sheet
CLI forensic toolkit to analyze disk images — partition tables, inode listing, and file carving without GUI.
Overview
The Sleuth Kit (TSK) provides command-line tools to examine filesystem metadata on raw/E01 images. Faster than Autopsy for scripted extraction when you know inode or path offsets.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
```bash
sudo apt install -y sleuthkit ewf-tools
```
Verify
```bash
mmls -V
```
Essential commands
Partition layout
```bash
mmls disk.img
mmls -t dos disk.img
```
Filesystem stats (find offset for -o)
```bash
fsstat -o 2048 disk.img
```
List files (inode listing)
```bash
fls -o 2048 disk.img
fls -r -o 2048 disk.img | grep -i passwd
```
Common workflows
Convert or use directly (ewfmount)
```bash
ewfmount image.E01 /mnt/ewf/
mmls /mnt/ewf/ewf1
fsstat -o 2048 /mnt/ewf/ewf1
fls -o 2048 -r /mnt/ewf/ewf1 > filelist.txt
```
Extract file by inode
```bash
fls -o 2048 -r disk.img | grep 'secret.docx'   # note the inode, e.g. 12345
icat -o 2048 disk.img 12345 > secret.docx
```
Deleted file recovery
```bash
fls -o 2048 -d disk.img                 # deleted entries only
ils -o 2048 disk.img                    # inode metadata
tsk_recover -o 2048 disk.img ./recovered/
```
Timeline (bodyfile → mactime)
```bash
fls -r -m / -o 2048 disk.img > body.txt
mactime -b body.txt -d > timeline.csv
```
Hash known files
```bash
icat -o 2048 disk.img 12345 | md5sum    # hash the exported content
hfind -i md5sum md5sum.txt              # index a md5sum-format hash database (once)
hfind md5sum.txt <md5>                  # hash database lookup (if a database is configured)
```
Flags reference
| Tool / flag | Purpose |
|---|---|
| mmls | Partition table |
| fsstat | Superblock / FS info |
| fls | List directory entries |
| ils | List inode metadata |
| icat | Export file content by inode |
| istat | Inode details |
| tsk_recover | Recover deleted files to dir |
| -o OFF | Sector offset to filesystem |
| -f fstype | Force NTFS, ext4, etc. |
Tips
- Take the offset from the mmls Start column (in sectors) and pass that same value to every -o flag.
- NTFS: `ifind -n /Windows/System32/config/SAM -o OFF disk.img` returns the inode; then export it with icat.
- Combine with the Autopsy GUI (same backend) when you want easier filtering.
- Always verify exports with `file` and a hash (md5sum/sha256sum) for chain of custody.
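To show what the bodyfile → mactime step above actually does with the `fls -m` output, here is an added example (not part of the original cheat sheet or of TSK) that parses the TSK 3.x bodyfile format and collapses the four timestamps of each entry into sorted MACB events, the way mactime does. The bodyfile lines are constructed sample data; the function names are my own.

```python
from datetime import datetime, timezone

# Constructed sample in the TSK 3.x bodyfile format written by `fls -r -m / -o 2048 disk.img`:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, 0 = not set)
SAMPLE_BODY = """\
0|/etc/passwd|131|r/rrw-r--r--|0|0|2031|1700000400|1700000000|1700000000|1700000000
0|/home/alice/secret.docx (deleted)|12345|r/rrw-r--r--|1000|1000|48213|1700003600|1700001800|1700001800|1700001800
0|/tmp/x|0|r/rrw-------|0|0|0|0|0|0|0
"""

# Timestamp columns and the letter mactime prints for each (m=modified, a=accessed,
# c=metadata changed, b=born/created).
TIME_FIELDS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_bodyfile(text):
    """Parse bodyfile lines into dicts; lines without exactly 11 fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 11:
            continue
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = parts
        rows.append({"name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid,
                     "size": int(size), "atime": int(atime), "mtime": int(mtime),
                     "ctime": int(ctime), "crtime": int(crtime)})
    return rows


def build_timeline(rows):
    """Return sorted (ts, MACB, inode, name) events; zero timestamps are dropped like mactime does."""
    events = {}
    for r in rows:
        for field, letter in TIME_FIELDS:
            ts = r[field]
            if ts == 0:
                continue
            events.setdefault((ts, r["inode"], r["name"]), set()).add(letter)
    timeline = []
    for (ts, inode, name), letters in sorted(events.items()):
        macb = "".join(l if l in letters else "." for _, l in TIME_FIELDS)
        timeline.append((ts, macb, inode, name))
    return timeline


def format_timeline(timeline):
    """Render events as CSV-style lines with UTC timestamps, similar to `mactime -d`."""
    return [f"{datetime.fromtimestamp(ts, tz=timezone.utc):%Y-%m-%d %H:%M:%S},{macb},{inode},{name}"
            for ts, macb, inode, name in timeline]
```

Entries whose m, c and b times coincide (as after a fresh write) show as `m.cb`, while a later read adds a separate `.a..` event; the all-zero entry produces no events at all.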