NAME

       tsk_comparedir  -  compare  the  contents  of a directory with the contents of an image or
       local device.

SYNOPSIS

       tsk_comparedir [-vV] [-n start_inum ][ -i imgtype ][ -b dev_sector_size ][-o sector_offset
       ] image comparison_directory

DESCRIPTION

       tsk_comparedir  compares  the  contents  of image to the contents of comparison_directory.
       This can be useful for detecting rootkits and when testing.  Rootkits can be  detected  by
       comparing  the  contents  of  a  local  directory  and  a  local raw device.  The rootkits
       typically don't hide data when it is read directly from the raw device.

       The arguments are as follows:

       -o sector_offset
              Sector offset for a partition in the image or device to compare with.

       -n start_inum
              Starting inum for a directory in the image to start the comparison at.

       -v     verbose output to stderr

       -V     Print version

       -i imgtype
              The format of the image file (use '-i list' for  supported  types)  If  not  given,
              autodetection methods are used.

       -b dev_sector_size
              The  size  (in bytes) of the device sectors If not given, autodetection methods are
              used.

EXAMPLES

       To compare the directories in image.dd to those in directory:

            # tsk_comparedir ./image.dd ./directory

AUTHOR

       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>

                                                                                TSK_COMPAREDIR(1)