fiwalk - Online in the Cloud

PROGRAM:

NAME

fiwalk - print the filesystem statistics and exit

SYNOPSIS

fiwalk [options] iso-name

DESCRIPTION

fiwalk is a program that processes a disk image using the SleuthKit library and outputs
its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format
used by the Weka Datamining Toolkit, or an easy-to-read textual format.

This application uses SleuthKit to generate a report of all of the files and orphaned
inodes found in a disk image. It can optionally compute the MD5 of any objects, save those
objects into a directory, or both.

OPTIONS

-c config.txt
read config.txt for metadata extraction tools

-C nn only process nn files, then do a clean exit

Include/exclude parameters; may be repeated:

-n pattern
only match files for which the filename matches the pattern. Example: -n
.jpeg -n .jpg will find all JPEG files. Case is ignored. Will not match
orphan files.

Ways to make this program run faster:

-I ignore NTFS system files

-g just report the file objects - don't get the data

-O only walk allocated files

-b do not report byte runs if data not accessed

-z do not calculate MD5 or SHA1 values

-Gnn Only process the contents of files smaller than nn gigabytes (default 2).
Use -G0 to remove space restrictions.

Ways to make this program run slower:

-M Report MD5 for each file (default on)

-1 Report SHA1 for each file (default on)

-f Report the output of the 'file' command for each

Output options: -m = Output in SleuthKit 'Body file' format

-A<file>
ARFF output to <file>

-X<file>
XML output to a <file> (full DTD)

-X0 Write output to filename.xml

-Z zap (erase) the output file

-x XML output to stdout (no DTD)

-T<file>
Walkfile output to <file>

-a <audit.txt>
Read the scalpel audit.txt file

Misc:

-d debug this program

-v Enable SleuthKit verbose flag

Use fiwalk online using onworks.net services