Provided by: sleuthkit_4.2.0-3_amd64
NAME
fiwalk - print the filesystem statistics and exit
SYNOPSIS
fiwalk [options] iso-name
DESCRIPTION
fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format. This application uses SleuthKit to generate a report of all of the files and orphaned inodes found in a disk image. It can optionally compute the MD5 of any objects, save those objects into a directory, or both.
OPTIONS
-c config.txt read config.txt for metadata extraction tools -C nn only process nn files, then do a clean exit Include/exclude parameters; may be repeated: -n pattern only match files for which the filename matches the pattern. Example: -n .jpeg -n .jpg will find all JPEG files. Case is ignored. Will not match orphan files. Ways to make this program run faster: -I ignore NTFS system files -g just report the file objects - don't get the data -O only walk allocated files -b do not report byte runs if data not accessed -z do not calculate MD5 or SHA1 values -Gnn Only process the contents of files smaller than nn gigabytes (default 2). Use -G0 to remove space restrictions. Ways to make this program run slower: -M Report MD5 for each file (default on) -1 Report SHA1 for each file (default on) -f Report the output of the 'file' command for each Output options: -m = Output in SleuthKit 'Body file' format -A<file> ARFF output to <file> -X<file> XML output to a <file> (full DTD) -X0 Write output to filename.xml -Z zap (erase) the output file -x XML output to stdout (no DTD) -T<file> Walkfile output to <file> -a <audit.txt> Read the scalpel audit.txt file Misc: -d debug this program -v Enable SleuthKit verbose flag
AUTHOR
The Sleuth Kit was written by Brian Carrier <carrier@sleuthkit.org>. This manual page was written by Joao Eriberto Mota Filho <eriberto@debian.org> for the Debian project (but may be used by others).