WEBVTT

00:00:09.400 --> 00:00:16.560
The Sleuth Kit is going to be a series of tools that we have out there

00:00:16.560 --> 00:00:20.520
that are free and they're open source.

00:00:20.520 --> 00:00:26.920
They've been written by a very dedicated member of the community for decades.

00:00:26.920 --> 00:00:30.400
It's a great resource to have up your sleeve.

00:00:30.400 --> 00:00:34.400
And while commercial forensic software can accomplish many of your tasks,

00:00:34.400 --> 00:00:39.020
what you're going to find is that the Sleuth Kit has extensive applicability

00:00:39.020 --> 00:00:42.460
and it can sometimes be easier to adapt to your own needs.

00:00:42.460 --> 00:00:47.020
And there are several forensic tools and forensic software out there that

00:00:47.020 --> 00:00:51.180
actually use the Sleuth Kit to accomplish some goals for you.

00:00:51.180 --> 00:00:55.840
So while you might be using a GUI from somebody that you bought software

00:00:55.840 --> 00:00:59.960
from, in the background sometimes it's just running the Sleuth Kit.

00:00:59.960 --> 00:01:06.500
What we have are a series of a minimum of 25 CLI tools.

00:01:06.500 --> 00:01:09.820
Now what is CLI?

00:01:09.820 --> 00:01:18.080
Take a second, think about what CLI is.

00:01:18.080 --> 00:01:22.280
CLI stands for the Command Line Interface.

00:01:22.280 --> 00:01:28.300
And you're going to need to be familiar with the Windows or Linux Command

00:01:28.300 --> 00:01:34.200
Line Interface in order to really effectively use the Sleuth Kit.

00:01:34.200 --> 00:01:39.860
So looking at some of the tools we can do with the Sleuth Kit, these are

00:01:39.860 --> 00:01:44.160
all going to be every bullet point here is going to represent, and then

00:01:44.160 --> 00:01:47.360
every keyword in here you see is going to represent some type of command

00:01:47.360 --> 00:01:54.100
line tool. For example, media or volume, we have mmls, mmstat and mmcat.

00:01:54.100 --> 00:02:01.300
These are all single line commands that you would run to accomplish a

00:02:01.300 --> 00:02:13.180
specific task. Think about when you have used a lot of DOS or CMD or PowerShell

00:02:13.180 --> 00:02:18.620
or even Linux bash commands or commands from this single environment.

00:02:18.620 --> 00:02:24.000
They're usually utilized to have some type of memorable naming convention.

00:02:24.000 --> 00:02:28.260
And if we think about it, let's start with FS, right?

00:02:28.260 --> 00:02:32.520
MM stands for Media and J stands for Journal.

00:02:32.520 --> 00:02:36.040
After that, you'll start seeing those familiar items like LS, CAT and

00:02:36.040 --> 00:02:40.360
STAT. This is what kind of helps our brain keep track of what's going

00:02:40.360 --> 00:02:42.820
on with some of these tools that you just saw.