sigfind

tools for forensics analysis on volume and filesystem data

Install

All systems
curl cmd.cat/sigfind.sh
Debian Debian
apt-get install sleuthkit
Ubuntu
apt-get install sleuthkit
Alpine
apk add sleuthkit
Arch Arch Linux
pacman -S sleuthkit
image/svg+xml Kali Linux
apt-get install sleuthkit
Fedora
dnf install sleuthkit
Windows (WSL2)
sudo apt-get update sudo apt-get install sleuthkit
OS X
brew install sleuthkit
Raspbian
apt-get install sleuthkit
Docker
docker run cmd.cat/sigfind sigfind powered by Commando

sleuthkit

tools for forensics analysis on volume and filesystem data

The Sleuth Kit, also known as TSK, is a collection of UNIX-based command line file and volume system forensic analysis tools. The filesystem tools allow you to examine filesystems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the filesystems, deleted and hidden content is shown. The volume system (media management) tools allow you to examine the layout of disks and other media. You can also recover deleted files, get information stored in slack spaces, examine filesystems journal, see partitions layout on disks or images etc. But is very important clarify that the TSK acts over the current filesystem only. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks. With these tools, you can identify where partitions are located and extract them so that they can be analyzed with filesystem analysis tools. Currently, TSK supports several filesystems, as NTFS, FAT, exFAT, HFS+, Ext3, Ext4, UFS and YAFFS2. This package contains the set of command line tools in The Sleuth Kit.

libtsk3-3-dbg

library for forensics analysis (debug symbols)