Table of Contents
istat - Display details of a meta-data structure (i.e. inode)
istat
[-b num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-vV] [-z zone ] [-s seconds
] image [images] inode
istat displays the uid, gid, mode, size,
link number, modified , accessed, changed times, and all the disk units
a structure has allocated.
The options are as follows:
- -b num
- Display the
addresses of num disk units. Useful when the inode is unallocated with
size 0, but still has block pointers.
- -f fstype
- Specify the file system type.
Use ’-f list’ to list the supported file system types. If not given, autodetection
methods are used.
- -s seconds
- The time skew of the original system in seconds.
For example, if the original system was 100 seconds slow, this value would
be -100.
- -i imgtype
- Identify the type of image file, such as raw or split.
Use ’-i list’ to list the supported types. If not given, autodetection methods
are used.
- -o imgoffset
- The sector offset where the file system starts in the
image. Non-512 byte sectors can be specified using ’@’ (32@2048).
- -v
- Verbose
output of debugging statements to stderr
- -V
- Display version
- -z zone
- An ASCII
string of the original system’s time zone. For example, EST5EDT or GMT.
These strings are defined by the operating system and may vary. NOTE: This
has changed since TCTUTILs.
- image [images]
- One (or more if split) disk
or partition images whose format is given with ’-i’.
- inode
- Meta-data number to
display stats on
Brian Carrier <carrier at sleuthkit dot org>
Table of Contents