Category Archives: Forensics

Sleuth Kit Help Page

Image Operations

  • img_stat: reports the image format and its size in bytes.
  • mmls: displays the partition table (volume system), with the start, end and length of each partition in sectors.
  • mmstat: reports the type of volume system (partition table) found in the image.

Use the option -t with mmls to specify the type of partition table when autodetection fails; the supported types are dos, gpt, mac, bsd and sun (mmls -t list prints them).

Filesystem Operations

  • fsstat: displays filesystem details (type, block or cluster size, layout, label).
  • fls: lists the files and directories in the filesystem, including deleted entries (marked with *); -r recurses into subdirectories and -p prints full paths.


Use the option -f <fs_type> to force the filesystem type when autodetection fails (-f list prints the supported types). The option -o <offset> gives where the filesystem starts in the image, expressed in sectors, not bytes: pass the Start value from the mmls output directly. If the image does not use 512-byte sectors, set the sector size with -b <size>.
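The whole procedure above (img_stat, mmls, then fsstat and fls at each partition's start sector) as an added Python example; it is not part of the original page. The mmls output embedded below is constructed for the parsing check; walk_image assumes the Sleuth Kit binaries are on PATH and takes the image path from the command line.

```python
"""Walk a disk image with The Sleuth Kit command-line tools.

Parses `mmls` output to find each partition's start sector and passes that
sector to `fsstat` and `fls` via `-o`, which takes sectors, not bytes.
"""
import re
import subprocess

# Constructed sample of `mmls -t dos` output (not taken from a real image).
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   Linux (0x83)
003:  000:001   0001026048   0002097151   0001071104   NTFS / exFAT (0x07)
"""

# index:  slot  start  end  length  description
ROW = re.compile(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def sector_size(mmls_output):
    """Sector size mmls used, from its 'Units are in N-byte sectors' line."""
    m = re.search(r"Units are in (\d+)-byte sectors", mmls_output)
    return int(m.group(1)) if m else 512


def partitions(mmls_output):
    """Return (start_sector, length, description) for allocated partitions.

    The Meta row (the partition table itself) and unallocated gaps hold no
    filesystem, so they are skipped.
    """
    found = []
    for line in mmls_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        slot, start, _end, length, desc = m.groups()
        if slot == "Meta" or slot.startswith("-"):
            continue
        found.append((int(start), int(length), desc.strip()))
    return found


def byte_offset(start_sector, mmls_output):
    """Byte offset of a partition, for tools that want bytes rather than -o."""
    return start_sector * sector_size(mmls_output)


def walk_image(image, table_type="dos", fs_type=None):
    """Run img_stat, mmls, then fsstat/fls on every partition (needs TSK)."""
    print(subprocess.check_output(["img_stat", image], text=True))
    out = subprocess.check_output(["mmls", "-t", table_type, image], text=True)
    for start, _length, desc in partitions(out):
        print(f"== partition at sector {start}: {desc}")
        fs = ["-f", fs_type] if fs_type else []   # otherwise let TSK autodetect
        print(subprocess.check_output(
            ["fsstat", *fs, "-o", str(start), image], text=True))
        # -r recurses; deleted entries appear with a leading '*'
        print(subprocess.check_output(
            ["fls", "-r", *fs, "-o", str(start), image], text=True))


if __name__ == "__main__":
    import sys
    walk_image(sys.argv[1], *sys.argv[2:3])
```

Run it as `python3 walk_image.py disk.dd gpt` (the second argument defaults to dos). Because -o is in sectors, the 2048 from the sample goes to fsstat unchanged; byte_offset shows the multiplication you would need only for tools that take a byte offset.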

Cheat Sheet on the Windows Registry

This information should hold for all versions of Windows, but it must be checked against each version to note the differences.

List of registry hives:

  • SAM: Security Account Manager; local user accounts and their password hashes.
  • SECURITY: local security policy, LSA secrets and cached domain credentials.
  • SOFTWARE: software configuration.
  • SYSTEM: system configuration (control sets, services, drivers, mounted devices).
  • HARDWARE: volatile, rebuilt at every boot from the hardware detected; it has no file on disk.
  • DEFAULT: the default user profile, loaded as HKEY_USERS\.DEFAULT.

Path of the system hive files: C:\Windows\System32\config (%SystemRoot%\System32\config). Each hive's transaction logs sit next to it as <hive>.LOG1 and <hive>.LOG2.

Current user's data:

  • Registry key: HKEY_CURRENT_USER
  • Profile file: NTUSER.DAT in the user's profile directory (C:\Users\<username>\NTUSER.DAT). The HKCU\Software\Classes subtree comes from a second hive, UsrClass.dat, under AppData\Local\Microsoft\Windows.

File System Organisation:

The registry is stored on disk in a set of files called hive files; each hive file holds the data of one hive.

The location of these files varies between Windows versions. The authoritative mapping of each loaded hive to the file backing it is kept under HKLM\SYSTEM\CurrentControlSet\Control\hivelist, which can be read on the running system (for example with reg query) or from the SYSTEM hive of a disk image.

While Windows is running, the hive files are held open exclusively by the kernel, so they cannot be copied or opened through the usual file APIs. They are acquired from a disk image, from a Volume Shadow Copy, or with reg save (which writes a consistent copy of a loaded hive), and then parsed offline.
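Once a hive file has been copied out, the first thing to check is its 512-byte base block: the regf signature, the header checksum, and whether the two sequence numbers match (if they differ, a write was in flight and the .LOG1/.LOG2 transaction logs must be replayed before the contents are trusted). The parser below is an added example, not code from the original page; build_sample_hive constructs a fake header so the checks can be exercised without a real hive, and the field offsets follow the documented regf base-block layout.

```python
"""Inspect the base block (first 512 bytes) of a Windows registry hive file."""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 512
# Fields used here, from the start of the file:
# 0x00 signature 'regf', 0x04/0x08 primary/secondary sequence numbers,
# 0x0C last-written FILETIME, 0x14 major, 0x18 minor, 0x1C file type,
# 0x20 file format, 0x24 root cell offset, 0x28 hive bins data size,
# 0x2C clustering factor, 0x30 file name (64 bytes, UTF-16LE); checksum at 0x1FC.
HEADER = struct.Struct("<4sIIQIIIIIII64s")


def checksum(block):
    """XOR of the 127 dwords before the checksum field, with Windows' fix-ups."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= dword
    if x == 0xFFFFFFFF:
        x = 0xFFFFFFFE
    if x == 0:
        x = 1
    return x


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_base_block(block):
    """Describe the hive header; raise ValueError if it is not a hive."""
    if len(block) < BASE_BLOCK:
        raise ValueError("need at least the 512-byte base block")
    (sig, seq1, seq2, ts, major, minor, ftype, fmt,
     root, bins_size, _cluster, name) = HEADER.unpack_from(block, 0)
    if sig != b"regf":
        raise ValueError(f"not a registry hive (signature {sig!r})")
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "sequence": (seq1, seq2),
        "dirty": seq1 != seq2,          # log replay needed before trusting it
        "last_written": filetime_to_datetime(ts),
        "version": (major, minor),
        "file_type": ftype,             # 0 = primary hive, 1 = transaction log
        "file_format": fmt,
        "root_cell_file_offset": 4096 + root,   # cell offsets are relative to 0x1000
        "hbins_data_size": bins_size,
        "file_name": name.decode("utf-16-le").rstrip("\x00"),
        "checksum_ok": stored == checksum(block),
    }


def build_sample_hive(dirty=False):
    """Constructed base block (not a real hive) for exercising the parser."""
    name = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16-le")
    ts = 133_000_000_000_000_000          # a FILETIME in mid-2022
    body = HEADER.pack(b"regf", 7, 8 if dirty else 7, ts,
                       1, 5, 0, 1, 0x20, 0x2000, 1, name)
    block = bytearray(body.ljust(BASE_BLOCK, b"\x00"))
    struct.pack_into("<I", block, 0x1FC, checksum(block))
    return bytes(block)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for k, v in parse_base_block(f.read(BASE_BLOCK)).items():
            print(f"{k}: {v}")
```

Run it on an exported hive with `python3 hive_header.py SAM`. A hive copied with reg save or from a shadow copy should come back clean (matching sequence numbers, checksum OK); a hive carved straight from a live volume often does not, and the last_written timestamp tells you how stale the on-disk copy is.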

Some of this information may be out of date depending on the version of the operating system. Feel free to send updates.


The information was extracted from

  • Wikipedia page: Windows_Registry