SYNOPSIS

fiwalk [options] iso-name

DESCRIPTION

fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format.

This application uses SleuthKit to generate a report of all of the files and orphaned inodes found in a disk image. It can optionally compute the MD5 of any objects, save those objects into a directory, or both.

OPTIONS

-c config.txt

read config.txt for metadata extraction tools

-C nn

only process nn files, then do a clean exit

Include/exclude parameters; may be repeated:

-n pattern

only match files for which the filename matches the pattern. Example: -n .jpeg -n .jpg will find all JPEG files. Case is ignored. Will not match orphan files.

Ways to make this program run faster:

-I

ignore NTFS system files

-g

just report the file objects - don't get the data

-O

only walk allocated files

-b

do not report byte runs if data not accessed

-z

do not calculate MD5 or SHA1 values

-Gnn

Only process the contents of files smaller than nn gigabytes (default 2). Use -G0 to remove space restrictions.

Ways to make this program run slower:

-M

Report MD5 for each file (default on)

-1

Report SHA1 for each file (default on)

-f

Report the output of the 'file' command for each

Output options: -m = Output in SleuthKit 'Body file' format

-A<file>

ARFF output to <file>

-X<file>

XML output to a <file> (full DTD)

-X0

Write output to filename.xml

-Z

zap (erase) the output file

-x

XML output to stdout (no DTD)

-T<file>

Walkfile output to <file>

-a <audit.txt>

Read the scalpel audit.txt file

Misc:

-d

debug this program

-v

Enable SleuthKit verbose flag

AUTHOR

The Sleuth Kit was written by Brian Carrier <[email protected]>.

This manual page was written by Joao Eriberto Mota Filho <[email protected]> for the Debian project (but may be used by others).