
FIWALK(1) Print the file system statistics and exit FIWALK(1)

NAME

fiwalk - print the filesystem statistics and exit

SYNOPSIS


fiwalk [options] iso-name

DESCRIPTION

fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format.

This application uses SleuthKit to generate a report of all of the files and orphaned inodes found in a disk image. It can optionally compute the MD5 of any objects, save those objects into a directory, or both.
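
An added example, not part of the original manual page or of The Sleuth Kit: a Python consumer for the Digital Forensics XML report described above, matching per-file MD5 values against a known-hash list and listing files that carry no hash. The sample XML is constructed, and the element names (fileobject, filename, filesize, alloc, hashdigest) and function names are assumptions about the report layout, not taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a DFXML report (assumed layout, not real fiwalk output).
SAMPLE_DFXML = """<dfxml xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'>
 <volume offset='0'>
  <fileobject><filename>docs/report.txt</filename><filesize>5</filesize><alloc>1</alloc>
   <hashdigest type='md5'>5d41402abc4b2a76b9719d911017c592</hashdigest></fileobject>
  <fileobject><filename>$OrphanFiles/OrphanFile-42</filename><filesize>5</filesize>
   <hashdigest type='MD5'>7D793037A0760186574B0282F2F435E7</hashdigest></fileobject>
  <fileobject><filename>big.bin</filename><filesize>4096</filesize><alloc>1</alloc></fileobject>
 </volume>
</dfxml>"""

def local(tag):
    """Strip an XML namespace: '{ns}filename' -> 'filename'."""
    return tag.rsplit("}", 1)[-1]

def file_records(dfxml_text):
    """Yield one dict per <fileobject>: name, size, allocated flag, md5 (or None)."""
    root = ET.fromstring(dfxml_text)
    for elem in root.iter():
        if local(elem.tag) != "fileobject":
            continue
        rec = {"name": None, "size": None, "allocated": False, "md5": None}
        for child in elem:
            tag, text = local(child.tag), (child.text or "").strip()
            if tag == "filename":
                rec["name"] = text
            elif tag == "filesize" and text.isdigit():
                rec["size"] = int(text)
            elif tag == "alloc":
                rec["allocated"] = text == "1"
            elif tag == "hashdigest" and child.get("type", "").lower() == "md5":
                rec["md5"] = text.lower()  # normalise case before comparing
        yield rec

def triage(dfxml_text, known_md5s):
    """Return (records whose MD5 is in known_md5s, names of files with no MD5)."""
    known = {h.lower() for h in known_md5s}
    hits, unhashed = [], []
    for rec in file_records(dfxml_text):
        if rec["md5"] is None:
            unhashed.append(rec["name"])  # hashing disabled or data not read
        elif rec["md5"] in known:
            hits.append(rec)
    return hits, unhashed
```

Files listed as unhashed cannot be cleared or flagged by hash comparison, so a report produced with hashing disabled or a size limit in effect needs a second pass before it is used for known-file matching.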

OPTIONS

read config.txt for metadata extraction tools
only process nn files, then do a clean exit

Include/exclude parameters; may be repeated:

only match files for which the filename matches the pattern. Example: -n .jpeg -n .jpg will find all JPEG files. Case is ignored. Will not match orphan files.

Ways to make this program run faster:

ignore NTFS system files
just report the file objects - don't get the data
only walk allocated files
do not report byte runs if data not accessed
do not calculate MD5 or SHA1 values
Only process the contents of files smaller than nn gigabytes (default 2). Use -G0 to remove space restrictions.

Ways to make this program run slower:

Report MD5 for each file (default on)
-1 Report SHA1 for each file (default on)
Report the output of the 'file' command for each

Output options:

-m = Output in SleuthKit 'Body file' format
ARFF output to <file>
XML output to a <file> (full DTD)
Write output to filename.xml
zap (erase) the output file
XML output to stdout (no DTD)
Walkfile output to <file>
Read the scalpel audit.txt file

Misc:

debug this program
Enable SleuthKit verbose flag

AUTHOR

The Sleuth Kit was written by Brian Carrier <carrier@sleuthkit.org>.

This manual page was written by Joao Eriberto Mota Filho <eriberto@debian.org> for the Debian project (but may be used by others).

Dec 2013 FIWALK