Istat
From SleuthKitWiki
Version 2.09 Man Page
NAME
istat - Display details of a meta-data structure (i.e. inode)
SYNOPSIS
istat [-b num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-vV] [-z zone
] [-s seconds ] image [images] inode
DESCRIPTION
istat displays the uid, gid, mode, size, link number, modified ,
accessed, changed times, and all the disk units a structure has allo-
cated.
The options are as follows:
-b num Display the addresses of num disk units. Useful when the inode
is unallocated with size 0, but still has block pointers.
-f fstype
Specify the file system type. Use the -? option for supported
types. If not given, the default type for the platform is used.
-s seconds
The time skew of the original system in seconds. For example,
if the original system was 100 seconds slow, this value would be
-100.
-i imgtype
Identify the type of image file, such as raw or split. Raw is
the default.
-o imgoffset
The sector offset where the file system starts in the image.
Non-512 byte sectors can be specified using ’@’ (32@2048).
-v Verbose output of debugging statements to stderr
-V Display version
-z zone
An ASCII string of the original system’s time zone. For exam-
ple, EST5EDT or GMT. These strings are defined by the operating
system and may vary. NOTE: This has changed since TCTUTILs.
image [images]
One (or more if split) disk or partition images whose format is
given with ’-i’.
inode Meta-data number to display stats on
SEE ALSO
dd(1), ils(1)
HISTORY
istat first appeared in TCTUTILs v1.0.
AUTHOR
Brian Carrier <carrier@sleuthkit.org>
