The Sleuth Kit can be used in two ways. The C library can be incorporated into larger digital forensic tools and the command line tools can be used directly by a user.

Tools

This section can help you find information on using the command line tools that come with TSK. Tool documents can be broken into two categories: those that come with the tools and those that are on the Wiki. Here are some useful starting points on the Wiki:

• Help Documents
• Books and Courses on TSK

You can also subscribe to the Sleuth Kit Users e-mail list, which is a forum for discussing the tools.

The remainder of this page contains links to the documents that come with TSK. You can access the man pages from the Wiki.

Reference Documents

• File System Analysis Techniques
• File Activity Timelines

For a general file system reference, check out my File System Forensic Analysis book.

Sleuth Kit Implementation Notes (SKINs)

• FAT File System
• NTFS File System

C Library

The wiki contains information on how to use the library:

• Library User's Guide
• Developer's Guide