Mac and Sleuthkit

I love using the Sleuthkit tools fls and mactime to produce a timeline for file system analysis. But what if you are not compiler friendly and have a Mac as your forensics workstation? Here is the quick and easy way to get Sleuthkit installed so you can run it against raw disk images.

  1. Get MacPorts from macports.org. It is a simple install from a dmg.
  2. Once installed, open a terminal session.
  3. Execute the command: sudo port -d selfupdate
  4. Execute the command: sudo port install sleuthkit

It will take a while for Sleuthkit and all the dependencies to install. Once done, you should be able to run “man fls” and “man mactime” to see the manual pages for the tools and start using them.
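
Once the tools are on your PATH, the fls-to-mactime timeline mentioned at the top can be wrapped in one shell function. This is an added example, not part of the original post; the function name make_timeline, the output file names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: build a mactime timeline from a raw image with fls.
# make_timeline, body.txt and timeline.csv are illustrative names.

# make_timeline IMAGE OUTDIR [SECTOR_OFFSET]
make_timeline() {
    image=$1
    outdir=$2
    offset=${3:-}

    # Fail early if the MacPorts install did not put the tools on PATH.
    for tool in fls mactime; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing tool: $tool" >&2
            return 127
        fi
    done
    if [ ! -r "$image" ]; then
        echo "cannot read image: $image" >&2
        return 2
    fi
    mkdir -p "$outdir" || return 1

    body=$outdir/body.txt
    timeline=$outdir/timeline.csv

    # fls -r recurses; -m "/" writes body-file format with "/" as mount prefix.
    # -o is the partition start in sectors, needed for full-disk images.
    if [ -n "$offset" ]; then
        fls -r -m "/" -o "$offset" "$image" > "$body" || return 1
    else
        fls -r -m "/" "$image" > "$body" || return 1
    fi

    # mactime -b reads the body file; -d writes comma-delimited output.
    mactime -b "$body" -d > "$timeline" || return 1
    echo "$timeline"
}

# Usage after sourcing this file (constructed paths):
#   make_timeline /cases/disk.dd /cases/out 63
```

Work from a copy of the image and keep the body file alongside the timeline, so the mactime step can be rerun with different options without touching the image again.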

  • Great addition! I like to take it one step farther to make it easier. Use Porticus and give yourself a GUI to do the MacPorts install from!

    Ryan

    http://www.macosxforensics.com

  • Jimmy

    I was actually looking to install Sleuthkit on Mac, but the MacPorts version seems outdated. It's Sleuthkit version 2.09; currently Sleuthkit is at 3.01.

  • Yeah, it is very typical for ports or things in repositories, even in Linux for apt-get or other package managers, to be a little behind. Sometimes a LOT behind. In those cases you need to build it yourself by downloading the source. This post was really about just getting it up and running quickly to start learning the tools in general.
