From SleuthKitWiki
Revision as of 16:01, 17 November 2007 by Dhawkins (Talk | contribs)

Jump to: navigation, search

Back to Help Documents


Version 2.09


Displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated.


istat [-b num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-vV] [-z zone] [-s seconds ] image [images] inode


Switch Purpose
-b num Display the addresses of num disk units. Useful when the inode is unallocated with size 0, but still has block pointers.
-f fstype Specify the file system type. Use the -? option for supported types. If not given, the default type for the platform is used.
-s seconds The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100.
-i imgtype Identify the type of image file, such as raw or split. Raw is the default.
-o imgoffset The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048).
-v Verbose output of debugging statements to stderr
-V Display version
-z zone An ASCII string of the original system’s time zone. For example, EST5EDT or GMT. These strings are defined by the operating system and may vary. NOTE: This has changed since TCTUTILs.
image [images] One (or more if split) disk or partition images whose format is given with ’-i’.
inode Meta-data number to display stats on


No example available.


istat first appeared in TCTUTILs v1.0.


Brian Carrier <>