LinuxCommandLibrary

fsstat

Display filesystem statistical information

SYNOPSIS

fsstat [-vV] [-i imgtype] [-o imgoffset] image [inode]

PARAMETERS

-v
    Verbose output. Shows extra details and information.

-V
    Display version information. Shows the version of the fsstat tool.

-i imgtype
    Image type. Specifies the type of image file to analyze (e.g., raw, aff, ewf). If not specified, autodetected.

-o imgoffset
    Image offset. Specifies the offset, in sectors, to the beginning of the file system inside the image file.

image
    Image file path. The path to the disk image file containing the file system.

inode
    Inode number (optional). If supplied, will show information about the specified inode.

DESCRIPTION

fsstat examines a file system image and displays various statistics and information about it. It provides details about the file system's structure, including metadata like superblock information, inode tables, journal (if any), and free space. This command is particularly useful for forensic analysis, data recovery, and general file system troubleshooting. It supports various file system types, allowing for detailed inspection of different formats. fsstat helps understand file system layout, identify potential problems or corruption, and obtain essential information without mounting the file system. Output may include file system type, volume name, size, block size, inode count, free space information, and timestamps related to creation or modification. This information is critical both for incident response, where one needs to investigate how an incident happened, and for regular maintenance.

CAVEATS

The accuracy of the information displayed depends on the integrity of the file system image. Corruption in the image can lead to inaccurate or misleading results. Not all file system types are supported.

INTERPRETING THE OUTPUT

The output of fsstat provides a comprehensive overview of the file system's structure. The first part usually shows superblock information. Pay close attention to volume name, block size, inode count, and last written/mounted timestamps. The inode table section displays details about inodes (file metadata). Finally, free space information reveals how much space is available. Analyze this information to understand file system usage, identify anomalies, and assess data recovery possibilities.

ERROR HANDLING

If fsstat encounters an unsupported file system or a corrupted image file, it will display an error message. Make sure you are using the correct '-i' option for your image type. Sometimes, using the correct image offset ('-o' option) can resolve errors if the file system isn't located at the start of the image.
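The offset fix described above, as an added example (not taken from The Sleuth Kit documentation): mmls, listed under SEE ALSO, prints each partition's start sector, and that value is what -o expects. The function names and the sample mmls listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the file systems inside a full-disk image with mmls,
# then run fsstat at each partition's sector offset (-o).

# Constructed sample of mmls output for a DOS-partitioned image (not case data).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   Linux (0x83)
003:  000:001   0001026048   0002097151   0001071104   Linux Swap / Solaris x86 (0x82)'

# Read mmls output on stdin and print the start sector of every allocated
# partition. Meta and Unallocated rows carry no NNN:NNN slot and are skipped.
# Leading zeros are stripped as text so very large offsets are not rounded.
partition_offsets() {
    awk '$2 ~ /^[0-9]+:[0-9]+$/ {
        s = $3
        sub(/^0+/, "", s)
        print (s == "" ? "0" : s)
    }'
}

# Run fsstat once per partition of IMAGE (hypothetical helper).
# Requires mmls and fsstat from The Sleuth Kit on PATH.
fsstat_each() {
    image=$1
    mmls "$image" | partition_offsets | while read -r off; do
        echo "=== file system at sector $off ==="
        # Swap or unsupported partitions make fsstat report an error; keep going.
        fsstat -o "$off" "$image" ||
            echo "no supported file system at sector $off" >&2
    done
}

# Touch a real image only when an existing file is given as the first argument.
if [ "$#" -ge 1 ] && [ -f "$1" ]; then
    fsstat_each "$1"
fi
```
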

HISTORY

fsstat is part of The Sleuth Kit (TSK), an open-source collection of tools for forensic analysis. Its development is ongoing with continued support for more file systems. Its popularity has grown within the forensic community due to its versatility and its ability to quickly extract key file system characteristics.

SEE ALSO

mmls(1), fls(1), icat(1), istat(1), ffind(1)
