Free sleuth software for mac

The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools.
The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.
The volume system (media management) tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks.
With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.
When performing a complete analysis of a system, we all know that command line tools can become tedious. The Autopsy Forensic Browser is a graphical interface to the tools in The Sleuth Kit, which allows you to more easily conduct an investigation.
Autopsy provides case management, image integrity, keyword searching, and other automated operations.
The tools run on Mac OS X, FreeBSD, OpenBSD, Linux, and Solaris and can analyze FAT, NTFS, UFS, EXT2FS, and EXT3FS.
NOTE: The Sleuth Kit is released under the Common Public and IBM Public Licenses.

Main features:
- Analyzes raw (i.e. dd), Expert Witness (i.e. EnCase) and AFF file system and disk images. (Sleuth Kit Informer #11)
- Supports the NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660 file systems (even when the host operating system does not or has a different endian ordering).
- Tools can be run on a live UNIX system during Incident Response. These tools will show files that have been "hidden" by rootkits and will not modify the A-Time of files that are viewed. (Sleuth Kit Informer #13)
- List allocated and deleted ASCII and Unicode file names. (Sleuth Kit Informer #14 (FAT Recovery), #16 (NTFS Orphan Files))
- Display the details and contents of all NTFS attributes (including all Alternate Data Streams).
- Display file system and meta-data structure details.
- Create time lines of file activity, which can be imported into a spread sheet to create graphs and reports. (Sleuth Kit Informer #5)
- Lookup file hashes in a hash database, such as the NIST NSRL, Hash Keeper, and custom databases that have been created with the md5sum tool. (Sleuth Kit Informer #6, Sleuth Kit Informer #7)
- Organize files based on their type (for example all executables, jpegs, and documents are separated). Pages of thumbnails can be made of graphic images for quick analysis. (Sleuth Kit Informer #3, #4, #5)

Enhancements
- Bug Fix: Fixed crashing bug in ifind on FAT file system. Bug: 2265927
- Bug Fix: Fixed crashing bug in istat on ExtX $OrphanFiles dir. Bug: 2266104
- Update: Updated fls man page.
- Update: Removed TODO file and using tracker for bugs and feature requests.
- Bug Fix: Fixed incorrectly setting block status in file_walk for compressed files (Bug: 2475246)
- Bug Fix: removed fs_info field from FS_META because it was not being set and should have been removed in 3.0. Reported by Rob Joyce and Judson Powers.
- Bug Fix: orphan files and NTFS files found via parent directory have an unknown file name type (instead of being equal to meta type). (Bug: 2389901). Reported by Barry Grundy.
- Bug Fix: Fixed ISO9660 bug where large directory contents were not displayed. (Bug: 2503552). Reported by Tom Black.
- Bug Fix: Fixed bug 2534449 where extra NTFS files were shown if the MFT address was changed to 0 because fs_dir_add was checking the address and name. Reported by Andy Bontoft.
- Update: Fixed fix for bug 2534449. The fix is in ifind instead of fs_dir_add().
- Update: Added RPM spec file from Morgan Weetmam.