.TH FIWALK "1" "Dec 2013" "FIWALK" "Print the file system statistics and exit"
.\" Text automatically generated by txt2man
.SH NAME
\fBfiwalk \fP- print the filesystem statistics and exit
.SH SYNOPSIS
.nf
.fam C
\fBfiwalk\fP [\fIoptions\fP] \fIiso-name\fP
.fam T
.fi
.SH DESCRIPTION
\fBfiwalk\fP is a program that processes a disk image using the SleuthKit
library and outputs its results in Digital Forensics XML, the Attribute
Relationship File Format (ARFF) format used by the Weka Datamining Toolkit,
or an easy-to-read textual format.
.PP
This application uses SleuthKit to generate a report of all of the files and
orphaned inodes found in a disk image. It can optionally compute the MD5 of
any objects, save those objects into a directory, or both.
.SH OPTIONS
.TP
.B
\fB-c\fP config.txt
read config.txt for metadata extraction tools
.TP
.B
\fB-C\fP nn
only process nn files, then do a clean exit
.RE
.PP
Include/exclude parameters; may be repeated:
.RS
.TP
.B
\fB-n\fP pattern
only match files for which the filename matches the pattern.
Example: \fB-n\fP .jpeg \fB-n\fP .jpg will find all JPEG files.
Case is ignored. Will not match orphan files.
.RE
.PP
Ways to make this program run faster:
.RS
.TP
.B
\fB-I\fP
ignore NTFS system files
.TP
.B
\fB-g\fP
just report the file objects - don't get the data
.TP
.B
\fB-O\fP
only walk allocated files
.TP
.B
\fB-b\fP
do not report byte runs if data not accessed
.TP
.B
\fB-z\fP
do not calculate MD5 or SHA1 values
.TP
.B
\fB-Gnn\fP
Only process the contents of files smaller than nn gigabytes (default 2).
Use \fB-G0\fP to remove space restrictions.
.RE
.PP
Ways to make this program run slower:
.RS
.TP
.B
\fB-M\fP
Report MD5 for each file (default on)
.TP
.B
\fB-1\fP
Report SHA1 for each file (default on)
.TP
.B
\fB-f\fP
Report the output of the 'file' command for each
.RE
.PP
Output \fIoptions\fP: \fB-m\fP = Output in SleuthKit 'Body file' format
.RS
.TP
.B
\fB-A\fP
ARFF output to
.TP
.B
\fB-X\fP
XML output to a (full DTD)
.TP
.B
\fB-X0\fP
Write output to filename.xml
.TP
.B
\fB-Z\fP
zap (erase) the output file
.TP
.B
\fB-x\fP
XML output to stdout (no DTD)
.TP
.B
\fB-T\fP
Walkfile output to
.TP
.B
\fB-a\fP
Read the scalpel audit.txt file
.RE
.PP
Misc:
.RS
.TP
.B
\fB-d\fP
debug this program
.TP
.B
\fB-v\fP
Enable SleuthKit verbose flag
.SH AUTHOR
The Sleuth Kit was written by Brian Carrier.
.PP
This manual page was written by Joao Eriberto Mota Filho for the Debian
project (but may be used by others).