File Metadata – Security Slice

Description

Display general details of a file system.

Platform	Windows and Linux
Author	Brian Carrier
License	Common Public License 1.0
URL	https://www.sleuthkit.org/

Usage

usage: fsstat [-tvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image
    -t: display type only
    -i imgtype: The format of the image file (use '-i list' for supported types)
    -b dev_sector_size: The size (in bytes) of the device sectors
    -f fstype: File system type (use '-f list' for supported types)
    -o imgoffset: The offset of the file system in the image (in sectors)
    -v: verbose output to stderr
    -V: Print version

Examples

fsstat <disk image>

This is the default output from a disk image:

root@siftworkstation:/mnt/romanoff# fsstat win7-32-nromanoff-c-drive.E01
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 2EAC03A3AC036525
OEM Name: NTFS   
Version: Windows XP
 
METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 115968
Root Directory: 5
 
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 6488830
Total Sector Range: 0 - 51910654
 
$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
$FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
$OBJECT_ID (64)   Size: 0-256   Flags: Resident
$SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)   Size: 2-256   Flags: Resident
$VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
$DATA (128)   Size: No Limit   Flags:
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
$BITMAP (176)   Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)   Size: 8-8   Flags: Resident
$EA (224)   Size: 0-65536   Flags:
$LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident

Blog Posts

exiftool [OPTIONS] [-TAG...] [--TAG...] FILE... exiftool [OPTIONS] -TAG[+-<]=[VALUE]... FILE... exiftool [OPTIONS] -tagsFromFile SRCFILE [-SRCTAG[>DSTTAG]...] FILE... exiftool [ -ver | -list[w|f|r|wf|g[NUM]|d|x] ]

root@siftworkstation:/mnt/romanoff# exiftool "./Users/nromanoff/Documents/Ninja Files/PPT/StickNinja.ppt" ExifTool Version Number : 9.46 File Name : StickNinja.ppt Directory : ./Users/nromanoff/Documents/Ninja Files/PPT File Size : 2.2 MB File Modification Date/Time : 2012:03:16 21:42:18+00:00 File Access Date/Time : 2012:03:16 21:42:11+00:00 File Inode Change Date/Time : 2012:04:04 15:21:06+00:00 File Permissions : rwxrwxrwx File Type : PPT MIME Type : application/vnd.ms-powerpoint Current User : Magy Seif El-Nasr Title : Stick Ninja. Subject : Author : Keywords : Comments : Last Modified By : Cody Sawatsky Revision Number : 1 Total Edit Time : 8.0 minutes Modify Date : 2007:09:16 23:10:29 Pages : 0 Words : 510 Characters : 0 Code Page : Unicode (UTF-8) Presentation Target : Custom Bytes : 301358 Lines : 0 Paragraphs : 75 Slides : 16 Notes : 16 Hidden Slides : 0 MM Clips : 0 App Version : 11.0512 Scale Crop : No Links Up To Date : No Shared Doc : No Hyperlinks Changed : No Title Of Parts : Helvetica Neue Light, ヒラギノ角ゴ Pro W3, Helvetica Neue, Title & Subtitle, Stick Ninja., Overview., Overview., User Description., Description of Gameplay Mechanics, Storyboard., Prototype., Features + Functionality., Justifications for Design., Justifications for Design., User Testing., Shortcomings of Design., Possibilities for expansion., Next Steps., Summary., PowerPoint Presentation Heading Pairs : Fonts Used, 3, Design Template, 1, Slide Titles, 16

Tag: File Metadata