fsstat
Display filesystem statistical information
SYNOPSIS
fsstat [-V] [-d] [-f <fstype>] [-i <imginfo>] [-o <offset>] [-p <part_type>] [-t <timezone>] [-m] [-u] [-e] <image> [<images>] [<inums>]
PARAMETERS
-V
Display version information and exit.
-d
Print debug information to stderr.
-f <fstype>
Force file system type, e.g., fat, ntfs, ext2, udf.
-i <imginfo>
File with image info (device, offsets, types).
-o <offset>
Byte offset to file system start.
-p <part_type>
Print partition type (for disk images).
-t <timezone>
Time zone for output, e.g., EST5EDT.
-m
Print only metadata information.
-u
Print only usage statistics.
-e
Display extended attributes (if supported).
DESCRIPTION
fsstat is a command-line tool from The Sleuth Kit (TSK), a digital forensics platform for analyzing disk images and file systems. It extracts and prints detailed statistics about a file system's layout, metadata, and attributes without modifying the original data. Primarily used by forensic investigators, it auto-detects file system types like FAT, NTFS, ext2/3/4, HFS+, and more, revealing volume names, sizes, block counts, allocation units, root directory inodes, and superblock data.
Key outputs include file system type, volume serial numbers, cluster sizes, free/used space, journal info for journaling FS, and orphan file counts. Flags allow customization, such as forcing FS type, adjusting offsets for partitions, or focusing on metadata/usage only. It's read-only, preserving evidence integrity, and supports multiple images or specific inodes. Ideal for incident response, data recovery verification, and malware analysis by mapping FS structures non-interactively.
Unlike df or mount, fsstat provides deep, hex-level details from raw images, bypassing live system mounts. Output is structured for scripting or reports.
CAVEATS
Requires raw access to images; may need elevated privileges. Not for live mounts—use on copies. Limited to TSK-supported FS types; errors on corruption.
TYPICAL OUTPUT
Shows sections like FAT stats (OEM name, sectors, FAT copies), NTFS (MFT records, serial), Ext (inodes, blocks, mount time).
Example:
FILE SYSTEM INFORMATION
--------------------------------
FILE SYSTEM TYPE: NTFS
VOLUME NAME: [No Name]
VOLUME SERIAL: 12345678ABCD
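Because the output is meant for scripting and reports, captured fsstat text can be turned into a structured record for case notes. The parser below is an added example, not part of The Sleuth Kit or of this page; it assumes the layout shown above (a heading underlined by dashes, then "KEY: value" lines), and the sample text, including the second section, is constructed.

```python
import re

# Constructed sample in the layout this page shows under TYPICAL OUTPUT;
# the second section and its values are made up for illustration.
SAMPLE = """\
FILE SYSTEM INFORMATION
--------------------------------
FILE SYSTEM TYPE: NTFS
VOLUME NAME: [No Name]
VOLUME SERIAL: 12345678ABCD

METADATA INFORMATION
--------------------------------
FIRST CLUSTER OF MFT: 4
LAST WRITTEN: 2020-01-02 03:04:05 (UTC)
"""

RULE = re.compile(r"^-{4,}\s*$")  # underline that marks the previous line as a heading


def parse_fsstat(text):
    """Return {section: {key: value}} from captured fsstat-style text.

    Lines without 'key: value' shape are kept under '_unparsed' so nothing
    in the evidence record is silently dropped.
    """
    sections, current = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or RULE.match(stripped):
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if RULE.match(nxt):  # this line is a section heading
            current = sections.setdefault(stripped, {})
            continue
        if current is None:  # text that appears before any heading
            current = sections.setdefault("_preamble", {})
        key, sep, value = stripped.partition(":")  # first colon only, so timestamps survive
        if sep and key.strip():
            current[key.strip()] = value.strip()
        else:
            current.setdefault("_unparsed", []).append(stripped)
    return sections


if __name__ == "__main__":
    import json
    print(json.dumps(parse_fsstat(SAMPLE), indent=2))
```

Feed it the saved stdout of an fsstat run rather than re-running the tool, so the parsed record always matches the text preserved with the case.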
INSTALLATION
Install via apt install sleuthkit (Debian/Ubuntu) or yum install sleuthkit (RHEL). Source: https://github.com/sleuthkit/sleuthkit.
HISTORY
Developed by Brian Carrier as part of The Sleuth Kit (TSK), first released in 2001 from Autopsy/Sleuth Kit origins. Evolved with TSK 4.x+ for modern FS like APFS, exFAT; actively maintained for forensics.


