File System & Carving (The Sleuth Kit / EWF Tools)
CommunityVerify, mount, and carve evidence from disk images.
System Documentation
What problem does it solve?
It solves the problem of extracting files, deleted artifacts, and filesystem timelines from E01/EWF disk images while preserving evidence integrity and using consistent forensic workflows.
Core Features & Use Cases
- Image verification and integrity checks: Use EWF tools to confirm image metadata and ensure hashes verify before analysis begins.
- Read-only mounting and filesystem inspection: Mount E01 images read-only, inspect sector/partition layout, and gather filesystem metadata.
- TSK-based navigation, extraction, and carving: Enumerate inodes and deleted entries, extract file contents by inode/MFT, and recover allocated/unallocated artifacts; generate bodyfile timelines and carve with bulk extraction or signature-based tools.
Use case: When investigating a suspected Windows compromise from an E01 acquisition, verify the image, map partitions, enumerate and extract key artifacts (MFT, UsnJrnl, prefetch, event logs), recover deleted files, and produce a UTC filesystem timeline for analysis.
Quick Start
Run the sleuthkit workflow for a case by verifying the E01 hashes, mounting the image read-only, then list and extract relevant inodes and carve targeted artifacts from allocated and unallocated space as needed.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: File System & Carving (The Sleuth Kit / EWF Tools) Download link: https://github.com/rjonhaas/SIFTics/archive/main.zip#file-system-carving-the-sleuth-kit-ewf-tools Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 471,000+ vetted skills library on demand.