TSK KIT

TSK_COMPAREDIR

tsk_comparedir – compares the contents of a directory with the contents of a file system in an image or on a local device.

Usage

Syntax

tsk_comparedir [-f fstype] [-i imgtype] [-b dev_sector_size] [-o sector_offset] [-n start_inum] [-vV] image [image] comparison_directory

Options

	-i imgtype: The format of the image file (use '-i list' for supported types)
	-b dev_sector_size: The size (in bytes) of the device sectors
	-f fstype: The file system type (use '-f list' for supported types)
	-o sector_offset: sector offset for file system to compare
	-n start_inum: inum for directory in image file to start compare at
	-v: verbose output to stderr
	-V: Print version

Example

cyborg@cyborg:$ tsk_comparedir ./image.dd ./directory


TSK_RECOVER

tsk_recover – recovers files from the image into output_dir. By default it recovers only unallocated (deleted) files; with the -a or -e flags it exports allocated or all files.

Usage

Syntax

tsk_recover [-vVae] [ -f fstype ] [ -i imgtype ] [ -b dev_sector_size ] [ -o sector_offset ] [ -d dir_inum ] image [images] output_dir

Options

	-i imgtype: The format of the image file (use '-i list' for supported types)
	-b dev_sector_size: The size (in bytes) of the device sectors
	-f fstype: The file system type (use '-f list' for supported types)
	-v: verbose output to stderr
	-V: Print version
	-a: Recover allocated files only
	-e: Recover all files (allocated and unallocated)
	-o sector_offset: sector offset for a volume to recover (recovers only that volume)
	-d dir_inum: Directory inum to recover from (must also specify a specific partition using -o or there must not be a volume system)

Example

cyborg@cyborg:$ tsk_recover ./image.dd ./recovered


TSK_LOADDB

tsk_loaddb – loads file system and file metadata from an image into a SQLite database. This database can then be used by tools in other languages for analysis. By default, the database is stored in the same directory as the image with ".db" appended to the image name; the output directory can be specified with '-d'.

Usage

Syntax

tsk_loaddb [-kvV] [ -i imgtype ] [ -b dev_sector_size ] [ -d output_dir ] image [images]

Options

	-k: Don't create block data table
	-d output_dir: The directory to store the database in (default is the same directory as the image)
	-i imgtype: The format of the image file (use '-i list' for supported types)
	-b dev_sector_size: The size (in bytes) of the device sectors
	-v: verbose output to stderr
	-V: Print version

Example

cyborg@cyborg:~$ tsk_loaddb -i aff file_000.aff -d DIR2


TSK_GETTIMES

tsk_gettimes – collects MAC times (modified, accessed, changed, created) from every file system in a disk image into a body file, which can then be sorted into a timeline with mactime.

Usage

Syntax

tsk_gettimes [-vV] [ -f fstype ] [ -i imgtype ] [ -b dev_sector_size ] [ -z zone ] [ -s seconds ] image [images]

Options

	-v: verbose output to stderr
	-V: Print version
	-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
	-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)

Example

cyborg@cyborg:~$ tsk_gettimes file_000.aff
0|vol2/16GB        (Volume Label Entry)|3|r/rrwxrwxrwx|0|0|0|0|1444087332|0|0
0|vol2/ldlinux.sys|4|r/r--x--x--x|0|0|37512|1444847400|1444087332|0|1444087331
0|vol2/.disk|6|d/drwxrwxrwx|0|0|8192|1444847400|1444087334|0|1444087332
0|vol2/.disk/base_installable|1543|r/rrwxrwxrwx|0|0|0|1444069800|1444087334|0|1444087332
0|vol2/.disk/cd_type|1544|r/rrwxrwxrwx|0|0|15|1444847400|1444087334|0|1444087332
0|vol2/.disk/info|1545|r/rrwxrwxrwx|0|0|34|1444847400|1444087334|0|1444087332
0|vol2/.disk/release_notes_url|1548|r/rrwxrwxrwx|0|0|25|1444847400|1444087334|0|1444087332
0|vol2/README.diskdefines|9|r/rrwxrwxrwx|0|0|206|1444847400|1444087334|0|1444087332
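The lines printed above are in the TSK body-file format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times as Unix epoch seconds, 0 meaning unset), which is normally sorted into a timeline with mactime. The following is an added example, not code from The Sleuth Kit or from this page, that parses those exact output lines and builds a mactime-style "macb" timeline from them; the function and field names are the example's own choice.

```python
"""Parse tsk_gettimes body-file output and build a mactime-style timeline.

Added example for this page; it is not part of The Sleuth Kit. The sample
lines are the ones printed by the tsk_gettimes run shown above.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample: the body-file lines from the tsk_gettimes example above.
SAMPLE_BODY = """\
0|vol2/16GB        (Volume Label Entry)|3|r/rrwxrwxrwx|0|0|0|0|1444087332|0|0
0|vol2/ldlinux.sys|4|r/r--x--x--x|0|0|37512|1444847400|1444087332|0|1444087331
0|vol2/.disk|6|d/drwxrwxrwx|0|0|8192|1444847400|1444087334|0|1444087332
0|vol2/.disk/base_installable|1543|r/rrwxrwxrwx|0|0|0|1444069800|1444087334|0|1444087332
0|vol2/.disk/cd_type|1544|r/rrwxrwxrwx|0|0|15|1444847400|1444087334|0|1444087332
0|vol2/.disk/info|1545|r/rrwxrwxrwx|0|0|34|1444847400|1444087334|0|1444087332
0|vol2/.disk/release_notes_url|1548|r/rrwxrwxrwx|0|0|25|1444847400|1444087334|0|1444087332
0|vol2/README.diskdefines|9|r/rrwxrwxrwx|0|0|206|1444847400|1444087334|0|1444087332
"""


@dataclass
class BodyEntry:
    """One body-file record (TSK 3.x+ layout, 11 pipe-separated fields)."""
    md5: str
    name: str
    inode: str      # kept as text: NTFS/FAT inodes can be "128-4" style
    mode: str       # e.g. "r/r--x--x--x": dir-entry type / metadata type + perms
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int      # metadata change time
    crtime: int     # creation (birth) time


def parse_body_line(line: str) -> BodyEntry:
    """Split one body line. Names may contain spaces (see the volume label)."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
    md5, name, inode, mode = fields[:4]
    uid, gid, size, atime, mtime, ctime, crtime = (int(f) for f in fields[4:])
    return BodyEntry(md5, name, inode, mode, uid, gid, size,
                     atime, mtime, ctime, crtime)


def parse_body(text: str) -> List[BodyEntry]:
    """Parse a whole body file, skipping blank lines."""
    return [parse_body_line(ln) for ln in text.splitlines() if ln.strip()]


def entry_type(entry: BodyEntry) -> Tuple[str, str]:
    """Return (directory-entry type, metadata type), e.g. ('r', 'r') or ('d', 'd').
    A mismatch between the two is worth a second look during analysis."""
    dir_type, rest = entry.mode.split("/", 1)
    return dir_type, rest[:1]


# A timeline row: (epoch seconds, "macb" flags, name, inode, size)
Row = Tuple[int, str, str, str, int]


def build_timeline(entries: List[BodyEntry]) -> List[Row]:
    """Emit one row per distinct non-zero timestamp of each entry, sorted by
    time. Flags follow mactime: m=modified, a=accessed, c=changed, b=born;
    a '.' marks a timestamp that did not fall on that second."""
    rows: List[Row] = []
    for e in entries:
        stamps = {"m": e.mtime, "a": e.atime, "c": e.ctime, "b": e.crtime}
        by_time: Dict[int, List[str]] = {}
        for flag, ts in stamps.items():
            if ts == 0:          # 0 means the file system has no such timestamp
                continue
            by_time.setdefault(ts, []).append(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((ts, macb, e.name, e.inode, e.size))
    rows.sort(key=lambda r: (r[0], r[2]))
    return rows


def format_row(row: Row) -> str:
    """Render a row in UTC, mactime-like: time, flags, size, inode, name."""
    ts, macb, name, inode, size = row
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return f"{when:%Y-%m-%d %H:%M:%S} {macb} {size:>8} {inode:>6} {name}"


if __name__ == "__main__":
    for r in build_timeline(parse_body(SAMPLE_BODY)):
        print(format_row(r))
```

Timestamps are rendered in UTC here; if the original machine ran in another zone, pass that zone to tsk_gettimes with -z or convert when rendering, since mixing zones is a common source of timeline errors.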
©2017 Ztrela Knowledge Solutions Pvt. Ltd
