I would like to contribute sleuthkit. Also present in Debian, Fedora,
Ubuntu, ...
SUMMARY="Tools for analysis of volume and filesystem data"
DESCRIPTION="The Sleuth Kit (TSK) is a collection of command line tools
for disk images. It allows to analyze volume and filesystem data,
examine disk layout, recover deleted files, etc. Many partition and
filesystem formats are supported."
libtsk_SUMMARY="${SUMMARY} (runtime)"
libtsk_devel_SUMMARY="${SUMMARY} (development)"
I'm not sure about the LICENSE string:
LICENSE="CPL-1.0 AND GPL-2.0-or-later"
The license/README.md file mentions a bunch of licenses, see comment in
cygport file. CPL-1.0 is the main license, one separate tool uses
GPL-2.0-or-later.
The source package supports reproducible builds except for libtsk-devel
(timestamps in *.a files).
Abbreviated list of files:
sleuthkit-4.12.1-1.tar.xz:
usr/bin/blkcalc.exe
usr/bin/blkcat.exe
usr/bin/blkls.exe
usr/bin/blkstat.exe
usr/bin/fcat.exe
usr/bin/ffind.exe
usr/bin/fiwalk.exe
usr/bin/fls.exe
usr/bin/fsstat.exe
usr/bin/hfind.exe
usr/bin/icat.exe
usr/bin/ifind.exe
usr/bin/ils.exe
usr/bin/img_cat.exe
usr/bin/img_stat.exe
usr/bin/istat.exe
usr/bin/jcat.exe
usr/bin/jls.exe
usr/bin/jpeg_extract.exe
usr/bin/mactime
usr/bin/mmcat.exe
usr/bin/mmls.exe
usr/bin/mmstat.exe
usr/bin/pstat.exe
usr/bin/sigfind.exe
usr/bin/sorter
usr/bin/srch_strings.exe
usr/bin/tsk_comparedir.exe
usr/bin/tsk_gettimes.exe
usr/bin/tsk_imageinfo.exe
usr/bin/tsk_loaddb.exe
usr/bin/tsk_recover.exe
usr/bin/usnjls.exe
usr/share/doc/sleuthkit/*
usr/share/man/man1/*
usr/share/tsk/sorter/*.sort
libtsk-4.12.1-1.tar.xz:
usr/bin/cygtsk-19.dll
libtsk-devel-4.12.1-1.tar.xz:
usr/include/tsk/*
usr/lib/libtsk.a
usr/lib/libtsk.dll.a
usr/lib/pkgconfig/tsk.pc
usr/share/doc/sleuthkit/samples/*.cpp
Real world use case: Check whether the SSD TRIM command actually works:
$ # Create a test file (> ~3*256B to prevent resident file)
$ printf 'Line %s\n' {0001..0100} > trim_check
$ # Get full path of file
$ cygpath -am trim_check
D:/tmp/trim_check
$ # Find raw device of partition
$ grep D: /proc/partitions # or: ls -l /dev/disk/by-drive/d
8 20 629145944 sdb4 D:\
$ # Find inode (here: $MFT index) of file
$ ifind -n /tmp/trim_check /dev/sdb4
339065
$ # Find cluster(s) used by inode
$ istat /dev/sdb4 339065
...
Name: TRIM_C~1
...
Name: trim_check
...
Type: $DATA (128-4) Name: N/A Non-Resident size: 1000 init_size: 1000
7876740
$ # Read cluster (assumes 4KiB cluster size, could be checked with fsstat)
$ dd if=/dev/sdb4 bs=4096 count=1 skip=7876740 iflag=direct status=none | cat -A
Line 0001$
Line 0002$
...
$ # Remove file, flush buffers and wait
$ rm trim_check; sync; sleep 10
$ # Re-read cluster
$ dd if=/dev/sdb4 bs=4096 count=1 skip=7876740 iflag=direct status=none | od
000 00 00 00 00 00 00 00 00
*
001
$ echo "TRIM works!"
TRIM works!
--
Regards,
Christian
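Added example (not part of Christian's message and not code from the sleuthkit package): a sketch that scripts the re-read step of the TRIM check above for every cluster istat lists, with the cluster size as a parameter. The function names, the TRIM_DD_FLAGS variable and the image file standing in for /dev/sdb4 are assumptions, and the sample istat line is constructed.

```shell
#!/bin/sh
# Added example: script the "re-read cluster" step of the TRIM check.
# Function names and TRIM_DD_FLAGS are made up for this sketch.

# Print the cluster numbers istat lists under the first non-resident $DATA
# attribute (istat output on stdin), one per line.
data_clusters() {
    awk '/^Type: \$DATA .*Non-Resident/ { runs = 1; next }
         runs && /^[0-9 ]+$/ { for (i = 1; i <= NF; i++) print $i; next }
         runs { exit }'
}

# cluster_state DEV CLUSTER [SIZE]: print "zero" if the whole cluster reads
# back as 0x00, "data" if not, "short" if it lies beyond the end of DEV.
# For a raw device set TRIM_DD_FLAGS=iflag=direct, as in the session above.
cluster_state() {
    _sz=${3:-4096}
    _got=$(dd if="$1" bs="$_sz" count=1 skip="$2" ${TRIM_DD_FLAGS:-} status=none | wc -c)
    [ "$_got" -eq "$_sz" ] || { echo short; return 2; }
    _nz=$(dd if="$1" bs="$_sz" count=1 skip="$2" ${TRIM_DD_FLAGS:-} status=none |
          tr -d '\000' | wc -c)
    if [ "$_nz" -eq 0 ]; then echo zero; else echo data; fi
}

# trim_report DEV ISTAT_FILE [SIZE]: ISTAT_FILE holds istat output saved
# before the file was deleted. Prints "<cluster> <state>" per cluster and
# returns 0 only if every cluster reads back as zeros.
trim_report() {
    _rc=0
    for _c in $(data_clusters < "$2"); do
        _st=$(cluster_state "$1" "$_c" "${3:-4096}") || true
        echo "$_c $_st"
        [ "$_st" = zero ] || _rc=1
    done
    return $_rc
}

# Constructed demo: a 4-cluster image file stands in for /dev/sdb4.
# Cluster 2 is zeroed (as after TRIM); cluster 3 still holds old data.
demo_dir=$(mktemp -d)
dd if=/dev/zero of="$demo_dir/img" bs=4096 count=4 status=none
printf 'Line 0001\n' | dd of="$demo_dir/img" bs=4096 seek=3 conv=notrunc status=none
printf 'Type: $DATA (128-4) Name: N/A Non-Resident size: 8000 init_size: 8000\n2 3\n' \
    > "$demo_dir/istat.txt"
trim_report "$demo_dir/img" "$demo_dir/istat.txt" || echo "not all clusters were discarded"
rm -rf "$demo_dir"
```

A "data" result is not proof that TRIM is inactive, because not every drive returns zeros when a discarded block is read.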
# cygport script for sleuthkit
NAME=sleuthkit
VERSION=4.12.1
RELEASE=1
SOURCE_DATE="2024-03-02 11:00:00 UTC"
SUMMARY="Tools for analysis of volume and filesystem data"
DESCRIPTION="The Sleuth Kit (TSK) is a collection of command line tools
for disk images. It allows to analyze volume and filesystem data,
examine disk layout, recover deleted files, etc. Many partition and
filesystem formats are supported."
LICENSE="CPL-1.0 AND GPL-2.0-or-later"
# Licenses mentioned in licenses/README.md:
# Apache-2.0        # case-uco/*, win32/rejistry++/* (code not used)
# BSD-3-Clause      # samples/*, tsk/fs/lzvn.c
# CPL-1.0           # The Sleuth Kit (TSK) license
# GPL-2.0-or-later  # tools/srchtools/srch_strings.c
# GPL-3.0-or-later  # m4/ax_pthread.m4 (... WITH Autoconf-exception-3.0)
# IPL-1.0           # The Coroner's Toolkit (TCT) license
# ISC               # tools/fiwalk/src/base64.*
# "public domain"   # tools/fiwalk/*, tsk/base/sha1.c
# MIT               # tsk/auto/guid.cpp
# RSA-MD            # tsk/base/md5c.c
# "Unicode"         # tsk/base/tsk_unicode.*
CATEGORY="Utils"
PKG_NAMES="sleuthkit libtsk libtsk-devel"
REQUIRES="" # libgcc1 libstdc++6 libtsk perl-DateTime-TimeZone perl_base
libtsk_REQUIRES="" # libgcc1 libsqlite3_0 libstdc++6 zlib0
libtsk_devel_REQUIRES="" # libtsk pkg-config
BUILD_REQUIRES="
binutils cygwin-devel gcc-g++ gzip libsqlite3-devel perl_base zlib-devel
" # make
HOMEPAGE="https://www.sleuthkit.org/sleuthkit/"
SRC_URI="https://github.com/sleuthkit/sleuthkit/releases/download/${P}/${P}.tar.gz"
libtsk_SUMMARY="${SUMMARY} (runtime)"
libtsk_DESCRIPTION="${DESCRIPTION}
This package contains the runtime library for sleuthkit."
libtsk_devel_SUMMARY="${SUMMARY} (development)"
libtsk_devel_DESCRIPTION="${DESCRIPTION}
This package contains the development files for libtsk."
sleuthkit_CONTENTS="
--exclude=usr/bin/cygtsk-*.dll
--exclude=usr/share/doc/${PN}/samples
usr/bin
usr/share
"
libtsk_CONTENTS="
usr/bin/cyg