

The Sleuth Kit, also known as TSK, is a collection of UNIX-based command line file and volume system forensic analysis tools. The filesystem tools allow you to examine filesystems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the filesystems, deleted and hidden content is shown.

The volume system (media management) tools allow you to examine the layout of disks and other media. You can also recover deleted files, get information stored in slack spaces, examine filesystem journals, see partition layouts on disks or images, etc. But it is very important to clarify that TSK acts over the

The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks. Tools, you can identify where partitions are located and extract them so that they can be analyzed with filesystem analysis tools.

Currently, TSK supports several filesystems, such as NTFS, FAT, exFAT, HFS+, Ext3,

This package contains header files and a static version of the library.
How to install: sudo apt install libtsk-dev

This package contains the library which can be used to implement all of the functionality of the command line tools into an application that needs to
How to install: sudo apt install libtsk19

This package contains the set of command line tools in The Sleuth Kit.
How to install: sudo apt install sleuthkit

Converts between unallocated disk unit numbers and regular disk unit numbers.
Slowly calculates the opposite block number
-d: The given address is from a 'dd' image
-s: The given address is from a 'blkls -s' (slack) image
-u: The given address is from a 'blkls' (unallocated) image
-f fstype: The file system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-P pooltype: Pool container type (use '-P list' for supported types)

Display the contents of file system data unit in a disk image.
-f fstype: File system type (use '-f list' for supported types)
-P pooltype: Pool container type (use '-p list' for supported types)
-B pool_volume_block: Starting block (for pool volumes only)
-s: display basic block stats such as unit size, fragments, etc.
-u usize: size of each data unit in image (for raw, blkls, swap)
is the number of data units to display (default is 1)

-e: every block (including file system metadata blocks)
-l: print details in time machine list format
-s: print slack space only (other flags are ignored)

Display details of a file system data unit (i.e.

Output the contents of a file based on its name.
Usage: fcat file_path image

Finds the name of the file or directory using a given inode
:~# ffind -h
