Difference between revisions of "Istat"

From SleuthKitWiki
Jump to: navigation, search
(New page: Version 2.09 Man Page NAME istat - Display details of a meta-data structure (i.e. inode) SYNOPSIS istat [-b num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-vV] [-z zone ...)
 
m (Reformatted)
Line 1: Line 1:
Version 2.09 Man Page
+
Back to [[Help Documents]]
  
NAME
+
==istat==
      istat - Display details of a meta-data structure (i.e. inode)
+
Version 2.09
  
SYNOPSIS
 
      istat [-b num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-vV] [-z zone
 
      ] [-s seconds ] image [images] inode
 
  
DESCRIPTION
+
===Purpose===
      istat displays the uid, gid, mode, size, link number, modified ,
+
Displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated.
      accessed, changed times, and all the disk units a structure has allo-
+
      cated.
+
  
      The options are as follows:
 
  
      -b num Display the addresses of num disk units.  Useful when the  inode
+
===Usage===
              is unallocated with size 0, but still has block pointers.
+
istat [-b num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-vV] [-z zone] [-s seconds ] image [images] inode
  
      -f fstype
 
              Specify  the  file system type.  Use the -? option for supported
 
              types.  If not given, the default type for the platform is used.
 
  
      -s seconds
+
===Options===
              The  time  skew of the original system in seconds.  For example,
+
              if the original system was 100 seconds slow, this value would be
+
              -100.
+
  
      -i imgtype
+
{| border="1" cellpadding="5"
              Identify the type of image file, such as raw or split. Raw is
+
!Switch
              the default.
+
!Purpose
 +
|-
 +
| -b num || Display the addresses of num disk units. Useful when the inode is unallocated with size 0, but still has block pointers.
 +
|-
 +
| -f fstype || Specify the file system type. Use the -? option for supported types. If not given, the default type for the platform is used.
 +
|-
 +
| -s seconds || The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100.
 +
|-
 +
| -i imgtype || Identify the type of image file, such as raw or split. Raw is the default.
 +
|-
 +
| -o imgoffset || The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048).
 +
|-
 +
| -v || Verbose output of debugging statements to stderr
 +
|-
 +
| -V || Display version
 +
|-
 +
| -z zone || An ASCII string of the original system’s time zone. For example, EST5EDT or GMT. These strings are defined by the operating system and may vary. NOTE: This has changed since TCTUTILs.
 +
|-
 +
| image [images] || One (or more if split) disk or partition images whose format is given with ’-i’.
 +
|-
 +
| inode || Meta-data number to display stats on
 +
|}
  
      -o imgoffset
 
              The sector offset where the file system  starts  in  the  image.
 
              Non-512 byte sectors can be specified using ’@’ (32@2048).
 
  
      -v    Verbose output of debugging statements to stderr
+
===Example===
 +
''No example available.''
  
      -V    Display version
 
  
      -z zone
+
===History===
              An  ASCII  string of the original system’s time zone. For exam-
+
istat first appeared in TCTUTILs v1.0.
              ple, EST5EDT or GMT.  These strings are defined by the operating
+
              system and may vary.  NOTE: This has changed since TCTUTILs.
+
  
      image [images]
 
              One  (or more if split) disk or partition images whose format is
 
              given with ’-i’.
 
  
      inode  Meta-data number to display stats on
+
===Author===
 
+
Brian Carrier <carrier@sleuthkit.org>
SEE ALSO
+
      dd(1), ils(1)
+
 
+
HISTORY
+
      istat first appeared in TCTUTILs v1.0.
+
 
+
AUTHOR
+
      Brian Carrier <carrier@sleuthkit.org>
+

Revision as of 17:01, 17 November 2007

Back to Help Documents

istat

Version 2.09


Purpose

Displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated.


Usage

istat [-b num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-vV] [-z zone] [-s seconds ] image [images] inode


Options

Switch Purpose
-b num Display the addresses of num disk units. Useful when the inode is unallocated with size 0, but still has block pointers.
-f fstype Specify the file system type. Use the -? option for supported types. If not given, the default type for the platform is used.
-s seconds The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100.
-i imgtype Identify the type of image file, such as raw or split. Raw is the default.
-o imgoffset The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048).
-v Verbose output of debugging statements to stderr
-V Display version
-z zone An ASCII string of the original system’s time zone. For example, EST5EDT or GMT. These strings are defined by the operating system and may vary. NOTE: This has changed since TCTUTILs.
image [images] One (or more if split) disk or partition images whose format is given with ’-i’.
inode Meta-data number to display stats on


Example

No example available.


History

istat first appeared in TCTUTILs v1.0.


Author

Brian Carrier <carrier@sleuthkit.org>

Retrieved from "https://wiki.sleuthkit.org/index.php?title=Istat&oldid=113"