istat

Description

Displays details of a meta-data structure (inode or MFT).

Platform: Linux and Windows
Author: Brian Carrier
License: Common Public License 1.0
URL: http://sleuthkit.org

Usage

usage: istat [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-z zone] [-s seconds] [-vV] image inum
    -B num: force the display of NUM address of block pointers
    -z zone: time zone of original machine (i.e. EST5EDT or GMT)
    -s seconds: Time skew of original machine (in seconds)
    -i imgtype: The format of the image file (use '-i list' for supported types)
    -b dev_sector_size: The size (in bytes) of the device sectors
    -f fstype: File system type (use '-f list' for supported types)
    -o imgoffset: The offset of the file system in the image (in sectors)
    -v: verbose output to stderr
    -V: print version

Examples

 istat <disk image> <entry number>

This example parses the $MFT in the provided image and displays data associated with entry number 48869:

root@siftworkstation:/home/sansforensics/netwars# istat ./romanoff/win7-32-nromanoff-c-drive.E01 48869
MFT Entry Header Values:
Entry: 48869        Sequence: 2
$LogFile Sequence Number: 8642056225
Allocated File
Links: 2
 
$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1723  (S-1-5-21-2036804247-3058324640-2116585241-1109)
Last User Journal Update Sequence Number: 1919383144
Created:        2011-08-28 22:33:18.571266300 (UTC)
File Modified:  2011-08-28 22:35:24.545830100 (UTC)
MFT Modified:   2012-04-04 15:21:06.753530300 (UTC)
Accessed:       2011-08-28 22:33:18.571266300 (UTC)
 
$FILE_NAME Attribute Values:
Flags: Archive
Name: adberdr813.exe
Parent MFT Entry: 42171         Sequence: 2
Allocated Size: 21807104        Actual Size: 21806256
Created:        2011-08-28 22:33:18.571266300 (UTC)
File Modified:  2011-08-28 22:33:28.007175500 (UTC)
MFT Modified:   2011-08-28 22:33:28.034520300 (UTC)
Accessed:       2011-08-28 22:33:18.571266300 (UTC)
 
Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-7)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-6)   Name: N/A   Resident   size: 94
Type: $DATA (128-4)   Name: N/A   Non-Resident   size: 21806256  init_size: 21806256
467370 467371 467372 467373 467374 467375 467376 467377
467378 467379 467380 467381 467382 467383 467384 467385
...
472690 472691 472692 472693
Type: $DATA (128-5)   Name: Zone.Identifier   Resident   size: 26
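As an added example (not part of this page or of The Sleuth Kit), a small Python parser for the istat output above, followed by the checks an analyst typically runs on such an entry: comparing the $STANDARD_INFORMATION timestamps against the $FILE_NAME ones, and flagging a Zone.Identifier $DATA stream. The checks are heuristics, and the embedded sample is the page's own output abridged to the lines the parser reads.

```python
import re

# Constructed sample: the istat output shown above, abridged to the lines
# this parser consumes (entry header and block-pointer list omitted).
SAMPLE = """$STANDARD_INFORMATION Attribute Values:
Created:        2011-08-28 22:33:18.571266300 (UTC)
File Modified:  2011-08-28 22:35:24.545830100 (UTC)
$FILE_NAME Attribute Values:
Name: adberdr813.exe
Created:        2011-08-28 22:33:18.571266300 (UTC)
File Modified:  2011-08-28 22:33:28.007175500 (UTC)
Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-7)   Name: N/A   Resident   size: 90
Type: $DATA (128-4)   Name: N/A   Non-Resident   size: 21806256  init_size: 21806256
Type: $DATA (128-5)   Name: Zone.Identifier   Resident   size: 26
"""
TS_RE = re.compile(r"^(Created|File Modified|MFT Modified|Accessed):\s+(\S+ \S+)")
ATTR_RE = re.compile(r"^Type: (\$\w+) \(\d+-\d+\)\s+Name: (\S+)")

def parse_istat(text):
    """Split istat output into $SI timestamps, $FN timestamps and the attribute list."""
    entry, section = {"si": {}, "fn": {}, "attrs": []}, None
    for line in text.splitlines():
        if line.startswith("$STANDARD_INFORMATION Attribute"):
            section = "si"
        elif line.startswith("$FILE_NAME Attribute"):
            section = "fn"
        elif line.startswith("Attributes:"):
            section = "attrs"
        elif section == "attrs" and (m := ATTR_RE.match(line)):
            entry["attrs"].append({"type": m.group(1), "name": m.group(2)})
        elif section in ("si", "fn") and (m := TS_RE.match(line)):
            entry[section][m.group(1)] = m.group(2)
    return entry

def review(entry):
    """Heuristic analyst checks on one parsed entry; returns a list of findings."""
    findings, si, fn = [], entry["si"], entry["fn"]
    # Timestamps are fixed-width 'YYYY-MM-DD HH:MM:SS.nnnnnnnnn', so string
    # comparison orders them. $FN Created is written by the kernel and is not
    # settable via user-mode SetFileTime, so $SI earlier than $FN is a timestomp sign.
    if "Created" in si and "Created" in fn and si["Created"] < fn["Created"]:
        findings.append("$SI Created predates $FN Created: possible timestomping")
    for key, ts in si.items():  # timestomp-style tools usually write whole seconds
        if ts.endswith(".000000000"):
            findings.append(f"$SI {key} has zero sub-second part: possible timestomping")
    if any(a["type"] == "$DATA" and a["name"] == "Zone.Identifier" for a in entry["attrs"]):
        findings.append("Zone.Identifier ADS present: mark-of-the-web, typically a downloaded file")
    return findings
```

For the entry above, the only finding is the Zone.Identifier stream; the $SI and $FN Created values match, so no timestomping indicator fires.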

Blog Posts