Man page - fiwalk(1)

Packages contains this manual

Package:  sleuthkit
apt-get install sleuthkit

Manuals in package:
• ifind(1)
• fls(1)
• mmls(1)
• blkstat(1)
• blkls(1)
• hfind(1)
• mmstat(1)
• jpeg_extract(1)
• jls(1)
• fsstat(1)
• ffind(1)
• tsk_gettimes(1)
• tsk_comparedir(1)
• sorter(1)
• tsk_recover(1)
• istat(1)
• img_cat(1)
• jcat(1)
• img_stat(1)
• blkcalc(1)
• fiwalk(1)
• srch_strings(1)
• icat(1)
• blkcat(1)
• ils(1)
• mactime(1)
• sigfind(1)
• mmcat(1)
• fcat(1)
• tsk_loaddb(1)
• usnjls(1)
Documentations in package:
• sleuthkit

Manual

FIWALK

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
AUTHOR

---

NAME

fiwalk - print the filesystem statistics and exit

SYNOPSIS

fiwalk [ options ] iso-name

DESCRIPTION

fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format.

This application uses SleuthKit to generate a report of all of the files and orphaned inodes found in a disk image. It can optionally compute the MD5 of any objects, save those objects into a directory, or both.

OPTIONS

-c config.txt

read config.txt for metadata extraction tools

-C nn

only process nn files, then do a clean exit

Include/exclude parameters; may be repeated:

-n pattern

only match files for which the filename matches the pattern. Example: -n .jpeg -n .jpg will find all JPEG files. Case is ignored. Will not match orphan files.

Ways to make this program run faster:

	-I		ignore NTFS system files
	-g		just report the file objects - don’t get the data
	-O		only walk allocated files
	-b		do not report byte runs if data not accessed
	-z		do not calculate MD5 or SHA1 values
	-Gnn		Only process the contents of files smaller than nn gigabytes (default 2). Use -G0 to remove space restrictions.

Ways to make this program run slower:

	-M		Report MD5 for each file (default on)
	-1		Report SHA1 for each file (default on)
	-f		Report the output of the ’file’ command for each

Output options : -m = Output in SleuthKit ’Body file’ format

-A<file>

ARFF output to <file>

-X<file>

XML output to a <file> (full DTD)

	-X0		Write output to filename.xml
	-Z		zap (erase) the output file
	-x		XML output to stdout (no DTD)

-T<file>

Walkfile output to <file>

-a <audit.txt>

Read the scalpel audit.txt file

Misc:

	-d		debug this program
	-v		Enable SleuthKit verbose flag

AUTHOR

The Sleuth Kit was written by Brian Carrier <carrier@sleuthkit.org>.

This manual page was written by Joao Eriberto Mota Filho <eriberto@debian.org> for the Debian project (but may be used by others).

---