The Sleuth Kit - UNIX-based File System and Media Management Forensic Analysis Tool
  Add date: 07/23/2009   Publishing date: 07/23/2009   Hits: 310
The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file system and media management forensic analysis tools. The file system tools allow you to examine NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems of a suspect computer in a non-intrusive fashion. The tools have a layer-based design and can extract data from the internal file system structures. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.

The media management tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, and Sun slices (Volume Table of Contents). With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.

When performing a complete analysis of a system, we all know that command line tools can become tedious. The Autopsy Forensic Browser is a graphical interface to the tools in The Sleuth Kit, which allows you to more easily conduct an investigation. Autopsy provides case management, image integrity, keyword searching, and other automated operations.

The Sleuth Kit and Autopsy are both open source and free to download. Their combined features include:
 * View Allocated and Deleted Files and Directories

 * Access to low-level file system structures

 * Timeline of file activity

 * File category sorting and extension checking

 * Keyword searches including grep regular expressions

 * Graphic image identification and thumbnail creation

 * Hash database lookups including the NIST NSRL and Hash Keeper

 * Investigator notes

 * Report generation

Sleuth Kit Features:
 * Analyzes file system images generated by the 'dd' command, which is found on all UNIX systems and is available for Windows systems. This is a raw format and not proprietary.

 * Supports the NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems even when the host operating system does not or has a different endian ordering.

 * Displays both allocated and deleted file names

 * Displays the details of file system structures

 * Displays the details and contents of all attributes for NTFS files. This includes all Alternate Data Streams and even the contents of the standard attributes such as $STANDARD_INFORMATION.

 * Creates timelines of file activity and can import logs and other time-based events. The timelines can be imported into a spreadsheet to create graphs and reports. (Sleuth Kit Informer #5)

 * Time-based tools take a timezone and time skew as arguments so that you can view times as they existed on the original host.

 * Contains a hash lookup tool that creates an index of hash database files and performs quick lookups using a binary search algorithm. The tool supports the NIST NSRL, Hash Keeper, and custom databases that have been created with the 'md5sum' tool. (Sleuth Kit Informer #6, Sleuth Kit Informer #7)

 * Files can be organized based on their file type. For example, all graphic images and/or executables can be easily identified and examined. While they are being sorted, hash databases can be consulted to ignore known files (such as system files that are trusted) and to alert when known bad files are found (such as known rootkits or inappropriate photographs). The extensions of files are also verified to identify files that are being hidden. Pages of thumbnails can be made of graphic images for quick analysis. (Sleuth Kit Informer #3, #4, #5)
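The hash lookup and extension-verification ideas above, as an added illustration that is not part of The Sleuth Kit's own code: it parses md5sum-format hash databases into a sorted index, answers lookups by binary search, and flags files whose content signature contradicts their extension. The database entries, file contents and the small signature table are constructed for the example.

```python
import bisect
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed md5sum-style databases: each line is "<md5>  <path>", as 'md5sum' emits.
KNOWN_GOOD_DB = "\n".join(f"{md5_hex(c)}  {p}" for p, c in [
    ("/bin/ls", b"trusted ls binary (constructed)"),
    ("/etc/hosts", b"127.0.0.1 localhost\n"),
])
KNOWN_BAD_DB = "\n".join(f"{md5_hex(c)}  {p}" for p, c in [
    ("rootkit/ld.so.preload", b"malicious preload (constructed)"),
])

def build_index(db_text: str) -> list:
    """Parse md5sum lines into a sorted list of (hash, path); sorting enables binary search."""
    entries = []
    for line in db_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:   # skip blanks and malformed lines
            continue
        entries.append((parts[0].lower(), parts[1]))
    entries.sort()
    return entries

def lookup(index: list, digest: str):
    """Binary search for digest; returns the recorded path or None. "" sorts before any path."""
    digest = digest.lower()
    i = bisect.bisect_left(index, (digest, ""))
    return index[i][1] if i < len(index) and index[i][0] == digest else None

def classify(data: bytes, good_index: list, bad_index: list) -> str:
    """Known-bad takes precedence: a trusted-looking hash in the bad list is still an alert."""
    h = md5_hex(data)
    if lookup(bad_index, h):
        return "known-bad"
    return "known-good" if lookup(good_index, h) else "unknown"

# Constructed content signatures used to verify that an extension matches the real file type.
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"MZ": "exe"}
EXT_ALIASES = {"jpeg": "jpg"}

def extension_mismatch(name: str, data: bytes):
    """Return (claimed_ext, detected_type) when the signature contradicts the extension, else None."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = EXT_ALIASES.get(ext, ext)
    detected = next((t for sig, t in MAGIC.items() if data.startswith(sig)), None)
    return (ext, detected) if detected and ext != detected else None
```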

 
