NAME¶

tsk_comparedir - compare the contents of a directory with the contents of an image or local device.

SYNOPSIS¶

tsk_comparedir [-vV] [-n start_inum ][ -i imgtype ][ -b dev_sector_size ][-o sector_offset ] image comparison_directory

DESCRIPTION¶

tsk_comparedir compares the contents of image to the contents of comparison_directory. This can be useful for detecting rootkits and when testing. Rootkits can be detected by comparing the contents of a local directory and a local raw device. The rootkits typically don't hide data when it is read directly from the raw device.

The arguments are as follows:

-o sector_offset: Sector offset for a partition in the image or device to compare with.

-n start_inum: Starting inum for a directory in the image to start the comparison at.

-v: verbose output to stderr

-V: Print version

-i imgtype: The format of the image file (use '-i list' for supported types) If not given, autodetection methods are used.

-b dev_sector_size: The size (in bytes) of the device sectors If not given, autodetection methods are used.

EXAMPLES¶

To compare the directories in image.dd to those in directory:

# tsk_comparedir ./image.dd ./directory

AUTHOR¶

Brian Carrier <carrier at sleuthkit dot org>

Send documentation updates to <doc-updates at sleuthkit dot org>

Source file:	tsk_comparedir.1.en.gz (from sleuthkit 3.2.3-2)
Source last updated:	2011-10-14T17:55:29Z
Converted to HTML:	2017-06-07T16:56:26Z