The @stake Sleuth Kit (TASK) contains some changes from The Coroner's Toolkit (TCT) and TCTUTILs. Some changes exist because of a new naming convention. To make it easier to remember which tools do what, a layered model was used. Each tool corresponds to either the file system, data, inode, or file name layer. All tools in a given layer begin with the same letters (fs, d, i, f) and end with 'ls' for listing tools, 'stat' for status tools, 'find' for mapping tools, or 'cat' for display tools. The most major renaming is from 'unrm' to 'dls'. All Tools: -f: The '-f' flag specifies the file system type. In TCT and TCTUTILs this flag existed, but did not do anything. Well, it now does. Currently, the following values are supported: bsdi (BSDi FFS) fat (auto-detect FAT) fat12 (FAT12) fat16 (FAT16) fat32 (FAT32) freebsd (FreeBSD FFS) linux-ext2 (both 2.2+ structures and pre 2.2 kernel EXT2FS) ntfs openbsd (OpenBSD FFS) solaris (Solaris FFS) -V: The '-V' flag displays the version of the tool being used. In TCT, this produced verbose output to stdout. The '-v' flag still exists to print verbose output to stderr. fls & istat: -z: The 'fls' and 'istat' programs in TCTUTILs took an integer argument with the '-z' flag to specify how many hours difference there were between the original compromise site and the analysis site. This can get messy due to day light savings, so the argument is now the string that the operating system uses for time zones (EST5EDT for example). fls: -F: The 'fls' program in TCTUTILs used to have a '-f' argument to specify that only files should be displayed. This conflicts with the '-f' flag for file system type, so it has been changed to '-F'. -m: The 'fls' program in TCTUTILs used to only print the status of deleted files when using the '-m' option. It now prints whatever is described by the other flags. So, with no other options it displays all allocated and deleted files and directories within the specified directory. Or for the previous behavior, use the '-m', '-r', and '-d' flags. ils: -m: The '-m' flag was added to produce output in the 'mactime' format. This replaces the need of the extras/ils2mac script in TCT. unrm: Is now called dls as it lists the contents of the data layer. -l: This flag was added to list the details about each addressable unit in time machine format. mactime: This version of mactime is heavily based on mac_daddy from Rob Lee (incident-response.org). There are several differences than the one from TCT: - If password and group files are not given, the Id is displayed (not the local names). - Body file can also be given via STDIN instead of only '-b' (useful for using pipes). - There are no gathering options. All input data must be gathered by using 'fls' and 'ils' in TASK, 'mac-robber' stand-alone tool (on www.atstake.com/research/tools), or grave-robber in TCT. - The output format also includes a column for the inode value. This makes it easier to identify the 'fls' entries for deleted files. - The '-z' argument specifies the time zone that the data is from. This name of this value is system dependent, but a listing can usually be found in /usr/share/zoneinfo. find_file: find_file now called ffind as it finds items in the file naming layer. find_inode: find_inode is now called ifind as it finds items in the inode / meta layer. block_calc: block_calc is now called dcalc. fsstat: fsstat is a new tool that displays the details about a file system. dstat: dstat is a new tool that displays the details about a given data unit. Brian Carrier March 2002