The Sleuth Kit (TSK) Framework User's Guide and API Reference

Overview

The framework in TSK makes it easier to build automated, end-to-end digital forensics applications. If you need only volume and file system-level support, then the original Sleuth Kit library may be all you need. If you want a more comprehensive disk image analysis solution, the framework will help. It's plug-in pipelines allow you to incorporate a variety of analysis techniques into your application.

The framework was designed to be used in a distributed environment so that jobs could be scheduled among a cluster of computers, but it can also be used to create desktop applications. The tsk_analyzeimg program provided with the Sleuth Kit is an example of a simple desktop program that uses the framework.

This document is for:

• Users of tools that leverage the framework.
• Developers who want to make modules for the framework.
• Developers who want to integrate the framework into a larger system.

Framework Overview

The following pages contain an overview of the framework. Both users and developers should be familiar with this content.

• Basic Framework Concepts
• Pipeline and Module Basics
• The Blackboard

Developers Guide to Building Modules

The following pages are relevant when developing modules to be used in the framework.

• Developing Modules
• Example Modules
• SQLite Image Database Schema v1.5

Developers Guide to Using the Framework

The following pages are relevant when integrating the framework into a new or existing application.

• Setting up the Image Analysis Process Infrastructure
• Extraction Phase and Populating the Database
• Running File Analysis and Post Processing Pipelines
• Example Framework Use Cases

Application developers may also wish to examine the source code for tsk_analyzeimg, which is included with the framework. It is a single-threaded command line program that analyzes a disk image using the framework's pipeline infrastructure to run a file analysis pipeline and a post-processing pipeline.