Skip to content

Python bindings for The Sleuth Kit (libtsk)

License

Notifications You must be signed in to change notification settings

EccoTheFlintstone/pytsk

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

pytsk is a Python binding for the SleuthKit.

The SleuthKit is a complete filesystem analysis tool. In the past
PyFlag shipped a Python binding for a statically compiled version
which was incorporated in the PyFlag source tree (Version 2.78). That
version is now very old and does not support HFS+ which SleuthKit 3.1
does. At the time there were some important functions that we needed
to link to but the old libtsk (the shared object produced by older
SleuthKit binaries) did not export these - which is the reason for
incorporating a slightly modified version in the source tree.

These days things are much better - libtsk is designed to be a
general purpose library with many useful functions linked in. The
overall architecture has been tremendously improved and it is now very
easy to use it from an external program.

This is a Python binding against the libtsk shared object. Our aim is
to make the binding reflect the TSK API as much as possible in
capabilities, while at the same time having a nice Pythonic OO
interface:

4.2: http://www.sleuthkit.org/sleuthkit/docs/api-docs/4.2/
4.3: http://www.sleuthkit.org/sleuthkit/docs/api-docs/4.3/

The new binding just links to libtsk which should make it easier to
maintain against newer versions. We should be able to rewrite all the
SleuthKit tools in Python (using the library and bindings) as a
demonstration of what is possible with the new bindings. This page
documents how to use the binding from a practical point of view - we
want to show examples of how to do some common tasks. There are lots
of sample programs in the samples directory to demonstrate how these
bindings can be used.

If downloaded pytsk using git you'll have to first run:

python setup.py update

If you want to use a bleeding edge version of sleuthkit, use the --bleedingedge parameter:

python setup.py update --bleedingedge

To build the bindings just use the standard Python distutils method:

python setup.py build
python setup.py install

At the top level of the source tree.

The Python binding is autogenerated from the libtsk header files
using a small OO C shim. This means that most of the fields in many of
the structs are already available. We aim to provide most of the
functionality using this shim (e.g. traversing and iterating over
lists etc). The authoritative source of documentation is the library
API linked above.

About

Python bindings for The Sleuth Kit (libtsk)

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 51.4%
  • C 42.0%
  • C++ 5.8%
  • Other 0.8%