ftdump
Dump filesystem features
SYNOPSIS
ftdump [options]
PARAMETERS
-a
Display the allocation status (allocated or unallocated) of the file or directory.
-i
Display inode information (this is the default behavior if no other display options are specified).
-d
Display the data unit addresses (blocks/clusters) that comprise the file's content.
-s
Display the raw content of the file. This option dumps the actual data associated with the inode.
-c
If the specified inode is a directory, display its contents, including the names and inode numbers of its entries.
-o
Specify the sector offset from the beginning of the image to the start of the file system. This is crucial for images containing multiple partitions.
-f
Specify the file system type. If not provided, ftdump attempts to auto-detect it. Examples include fat, ntfs, ext2, ext3, ext4, hfs, iso9660, raw.
-v
Enable verbose output, providing more detailed information about the operation and file system parsing.
<image>
Path to the disk image file or device containing the file system to be analyzed (e.g., /dev/sda1, disk_image.dd).
<inode_num>
The inode number of the file or directory within the file system to display. This number is typically obtained using other TSK tools like fls or ils.
DESCRIPTION
ftdump, a utility from The Sleuth Kit (TSK), is a command-line tool used in digital forensics to extract and display the content and metadata of a specific file or directory within a raw disk image or partition. Rather than mounting a live file system, ftdump reads the image directly, so investigators can reach data in allocated, unallocated, or corrupted areas without altering the original evidence. It requires the inode number of the target file or directory and the path to the disk image. The command can display file content in various formats, including raw or ASCII, and reports details such as file size, timestamps, and data unit addresses. It is intended for deep-dive examination of individual files or directory structures during a forensic investigation and complements the other TSK tools for a comprehensive analysis.
CAVEATS
ftdump operates on raw disk images and does not modify the original evidence. Correct interpretation of its output, however, often requires a good understanding of file system structures. It relies on accurate inode numbers, which must be obtained beforehand; on images with several partitions, the inode numbers reported by fls are only meaningful together with the matching -o sector offset of that file system. Using ftdump on a live, mounted file system is generally discouraged in forensic contexts to prevent data alteration.
FORENSIC WORKFLOW INTEGRATION
ftdump is typically used as one step within a broader digital forensic workflow. Investigators commonly begin by identifying the relevant partitions with mmls, then enumerate files and directories and their inode numbers with fls or ils. Once a specific inode of interest (e.g., a suspicious file or directory) is identified, ftdump is used to extract and display its detailed metadata and raw content for in-depth analysis, alongside other TSK tools such as icat for full file recovery or istat for inode statistics.
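The following shell script is an added example of the mmls, fls and ftdump chain described above; it is not part of The Sleuth Kit or of this page. It assumes the invocation form given in the SYNOPSIS (options, then image, then inode number), the default text layout of mmls and fls output, and uses constructed sample output embedded in the script so the parsing helpers can be exercised without an image. The image name evidence.dd is a placeholder.

```shell
#!/bin/sh
# Added example (not TSK code): glue for the mmls -> fls -> ftdump workflow.
# The helpers parse text, so they run here on constructed sample output;
# against a real image they would be fed by `mmls "$IMAGE"` and
# `fls -o "$OFFSET" "$IMAGE"`.

# Constructed sample of default `mmls` output for a two-partition DOS image.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)
003:  000:001   0000204800   0000409599   0000204800   Linux Swap / Solaris x86 (0x82)'

# Constructed sample of default (short) `fls` output; "*" marks a deleted entry.
SAMPLE_FLS=$(printf 'r/r 12:\tnotes.txt\nd/d 13:\tdocs\nr/r * 14:\tpayroll.xlsx\n')

# partition_offset <description-substring>: read mmls output on stdin and
# print the start sector of the first partition whose description contains
# the given text. Meta rows (the partition table itself) are skipped.
partition_offset() {
    awk -v pat="$1" '
        $1 ~ /^[0-9][0-9][0-9]:$/ && $2 != "Meta" {
            desc = ""
            for (i = 6; i <= NF; i++) desc = desc (i > 6 ? " " : "") $i
            if (index(desc, pat) > 0) { print $3 + 0; exit }
        }'
}

# inode_for_name <name>: read short-format fls output on stdin and print the
# inode number of the entry with that name. Deleted entries carry a "*"
# before the inode field, which shifts the columns by one.
inode_for_name() {
    awk -v want="$1" '
        $1 ~ /^[a-z-]\/[a-z-]$/ {
            if ($2 == "*") { inode = $3; first = 4 } else { inode = $2; first = 3 }
            sub(/:$/, "", inode)
            name = ""
            for (i = first; i <= NF; i++) name = name (i > first ? " " : "") $i
            if (name == want) { print inode; exit }
        }'
}

# ftdump_command <image> <offset> <inode> [display flags...]: print the
# ftdump invocation in SYNOPSIS order, with -o carrying the partition offset
# so the inode number resolves inside the right file system.
ftdump_command() {
    image=$1; offset=$2; inode=$3; shift 3
    cmd="ftdump"
    for flag in "$@"; do cmd="$cmd $flag"; done
    printf '%s -o %s %s %s\n' "$cmd" "$offset" "$image" "$inode"
}

# Walk the workflow on the constructed samples.
IMAGE=evidence.dd    # placeholder image name
OFFSET=$(printf '%s\n' "$SAMPLE_MMLS" | partition_offset 'Linux (0x83)')
INODE=$(printf '%s\n' "$SAMPLE_FLS" | inode_for_name 'payroll.xlsx')
ftdump_command "$IMAGE" "$OFFSET" "$INODE" -i -a -d
```

The last line prints `ftdump -i -a -d -o 2048 evidence.dd 14`, i.e. inode metadata, allocation status and data unit addresses for the deleted entry found by fls. Descriptions are matched by substring rather than regex so that parentheses in mmls descriptions such as "Linux (0x83)" need no escaping.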
HISTORY
ftdump is an integral part of The Sleuth Kit (TSK), a widely recognized suite of open-source command-line tools for digital forensics. TSK was initially developed by Brian Carrier, starting in 2001, to provide advanced and reliable disk image analysis capabilities beyond what was commercially available. As TSK evolved, ftdump emerged as a specialized utility for deep inspection of individual file and directory structures. Its development has consistently focused on maintaining forensic integrity by allowing non-intrusive analysis of various file system types within disk images.