The Sleuth Kit Framework  4.1
Example Framework Use Cases


This section outlines some example uses of the framework.

Graphical Interface Environment

The framework could be used inside of a graphical interface application in a couple of ways. First, there are several tasks that should be applied to all files. A pipeline of those tasks could be created and run on every file automatically. To do so, one would use TskImageFile to populate the database, use TskSchedulerQueue to schedule the file analysis jobs, and then run a file analysis pipeline on each file. A post-processing / reporting pipeline could also be used, if needed.

Secondly, pipelines could be created for tasks and analysis techniques that should be applied only after some manual review. for these situations, the user could, for example, right click on the file and choose from the pipelines to run on the file. When this option is selected by the user, the file is passed to the file analysis pipeline chosen by the user.

Distributed Interface Environment

The framework can also be used in a distributed environment, although the current open source code does not currently support that setup out of the box.

In a distributed system, you would want a different implementation of TskImgDB other than the SQLite implementation. You would also want a Scheduler implementation other than the default queue version. After those custom changes, you could analyze sets of files in a file analysis pipeline or carve unallocated image files on different nodes in a cluster.

Copyright © 2011-2013 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.