The Sleuth Kit
The Sleuth Kit (previously known as TASK) is an open source, freely distributed and multiplatform software project implemented in C/C++ and comprises of a set of utilities for investigating UNIX-like file systems.
Supports a wide range of file systems
In other words, it is a collection of file system forensics tools that allow users to view deleted and allocated data from various Linux, Mac, BSD, Solaris or Windows file systems, including EXT2, EXT3, EXT4, NTFS, FAT16, FAT32, HFS+, ISO9660, UFS 1, UFS 2, and FFS.
The Sleuth Kit is engineered in such a way that it allows the analization of raw, Expert Witness and AFF disk images and file systems. In addition, it creates time lines of file activity, displays details and contents of all NTFS attributes, and much more.
Getting started with The Sleuth Kit
To install and use the The Sleuth Kit project on your GNU/Linux computer, you should try and search for a pre-built package in the main software repositories of your distribution. If you can’t find it there, download the latest version of the program from Softpedia, where it is distributed for free as a universal source package.
Save the TAR archive (tarball) somewhere on your computer, unpack it using any graphical or command-line archive manager utility, open a terminal emulator app, go to the location of the extracted archive files (e.g. cd /home/softpedia/sleuthkit-4.1.3) and run the ‘./configure && make’ command to configure and compile the project.
After a successful compilation, execute the ‘make install’ command as root or the ‘sudo make install’ command as a privileged user to install the software system wide and make it available to all users on your machine. Please note that it has been successfully tested on 64-bit (x86_64) and 32-bit (x86) computers.