A module that allows you to investigate disk images using Javascript by using The Sleuth Kit as library.
npm install tsk-jsTSK-js
=======================
A module that allows you to investigate disk images using Javascript by using
The Sleuth Kit
as library.
Its main functionalities are image analysis (mmls), list allocated and deleted
files inside a directory or file system (fls), extract files (icat), generate
timelines (mactime) and look up strings inside the image (grep).
Some of those functionalities are based on
tools
offered by The Sleuth Kit.
You can install it just using the command:
``bash`
$ npm install tsk-js --save
This is an example of a script that performs a brief analysis. To learn how to
use it in more detail go to
User guide
section.
[//]: # (TODO: Provide the image to execute this example)
`javascript
const { TSK } = require("tsk-js");
analyzeImage("hdd-001.dd")
////
function searchRecursive(needle, img, imgaddr, inode, cb) {
// Retrieve files in current folder
const files = img.list({ imgaddr, inode });
// Process
files
.filter((f) => f.name === needle)
.forEach((f) => cb(f));
files
.filter((f) => f.type === "directory")
.forEach((f) => searchRecursive(needle, img, imgaddr, f.inode, cb));
}
function analyzePartition(img, imgaddr) {
// Search file
searchRecursive("carta.txt", img, imgaddr, undefined, (file) => {
const { inode } = file;
const buff = img.get({ imgaddr, inode });
console.log("File found!");
console.log("Print it's content:");
console.log("---------------------------");
console.log(buff.toString());
console.log("---------------------------");
});
// Generate timeline
const timeline = img.timeline(() => {}, { imgaddr });
console.log(timeline.length);
}
function analyzeDisk(img, res) {
res.partitions
.filter((p) => p.hasFs)
.forEach((p) => analyzePartition(img, p.start));
}
function analyzeImage(imgfile) {
const img = new TSK("hdd-001.dd");
const res = img.analyze();
if (res.type === "disk") {
analyzeDisk(img, res);
} else {
analyzePartition(img, 0);
}
}
``