SANS Digital Forensics and Incident Response Blog: Tag - The Sleuth Kit

Digital Forensic SIFTing: String Searching and File Carving using srch_strings_wrap

The latest version of the SIFT 2.12contains a few scripts I wrote, and Rob asked me to write a post for the blog going over their functionality. The scripts add on to the functionality provided by The Sleuth Kit's srch_strings to provide additional information on string matches and automatically carve out matching files or blocks. … Continue reading Digital Forensic SIFTing: String Searching and File Carving using srch_strings_wrap

Digital Forensics Case Leads: The Gauntlet Edition

Greetings Forensicators, Incident Responders and other cool people. I've called this week's article The Gauntlet Edition because a number of organizations have recently thrown down the gauntlet and introduced some cool forensics challenges.Sometimes, the best tool in our arsenal is neither software, nor hardware, nor even our wetware. In many cases, the best tool we can have is a challenge.More than anything else I can think of, it's the process of working a case and rising to a new challenge that really causes us to sharpen our skills. Whether the problem is new to the community, or just new to us, working it through to a solution or an answer is what really causes us to upgrade our wetware.

In that spirit, I've provided a list of recently announced and upcoming challenges, along with our usual assortment of cool tools, good reads and other forensic fun. I encourage you all to pick up The Gauntlet and try your hand at one or more of the challenges listed below.

... Continue reading Digital Forensics Case Leads: The Gauntlet Edition

A Step-by-Step introduction to using the AUTOPSY Forensic Browser

by Craig Wright

This is a brief tutorial on how to use the Autopsy Forensic Browser as a front end for the Sleuthkit. This tool is an essential for Linux forensics investigations and can be used to analyze Windows images.

We will start with the presumption that you have the Forensic Toolkit Installed (whether through the use of a Live CD such as Helix or if it is installed on a Forensic Workstation). Autopsy is built into the SANS Investigative Forensic Toolkit Workstation (SIFT Workstation) that you can download from You can start Autopsy by clicking on the magnifying glass in the upper right corner.

Step 1 - Start the Autopsy