istat

Display inode information

SYNOPSIS

istat [-f fstype] [-i imgtype] [-o offset] [-b devsize] [-m] [-e] [-l] [-R] [-v] [-V] image inode

PARAMETERS

-f fstype
    Specify file system type (e.g., ext4, ntfs; use '-f list' for options)

-i imgtype
    Image format (e.g., raw, ewf; '-i list' for options)

-o offset
    File system start sector offset in image

-b devsize
    Device size in 512-byte sectors

-m
    Metadata-only output (filenames only, no block details)

-e
    Show extended inode info if available

-l
    List associated filenames/paths

-R
    Raw output, no file system block size correction

-v
    Verbose mode (progress to stderr)

-V
    Print version info

DESCRIPTION

The istat command, part of The Sleuth Kit (TSK), is a forensic analysis tool used to examine detailed information about a specific inode (index node) in a file system image. Inodes store critical metadata such as file permissions, ownership, timestamps (access, modification, change, birth), size, link count, and block pointers.

Primarily used in digital forensics investigations, istat extracts and formats this data from disk images without mounting the file system, preserving evidence integrity. It supports various file systems like NTFS, FAT, ext2/3/4, HFS+, and more via the -f option. Output includes standard inode fields and extended attributes if available.

For example, it reveals allocation status, data block locations, and associated filenames (with -l). This aids in timeline analysis, file recovery, and artifact detection. Unlike ls, it operates on raw images and provides low-level details essential for experts.

istat requires an image file and inode number, obtained via tools like fls. It's non-destructive and read-only, making it ideal for chain-of-custody workflows.

CAVEATS

Requires an inode number, typically obtained from fls; not intended for live systems. Output varies by file system type. Large images may need systems with a lot of memory.

TYPICAL OUTPUT

Includes: Inode #, Type (file/dir), Mode, UID/GID, Size, Atime/Mtime/Ctime, Blocks, Pointers (direct/indirect), Allocation status.

Example:
    inode: 123456
    alloc: 1
    uid / gid: 1000 / 1000

USAGE EXAMPLE

istat -f ext4 disk.img 42
    Shows metadata for inode 42 on an ext4 image.
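
The usage above needs an inode number, which this page says comes from fls. The following is an added example, not part of The Sleuth Kit or the original page: it looks up a path in `fls -r -p` output and passes the matching inode to istat. The function names, the script name and the sample fls lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve a path to its inode with fls, then inspect it with istat.

# Constructed sample of `fls -r -p` output (type, optional "*", address, TAB, path).
sample_fls() {
    printf 'r/r 42:\thome/user/notes.txt\n'
    printf 'r/r * 57:\thome/user/old.txt\n'
    printf 'r/r * 58(realloc):\thome/user/tmp.txt\n'
}

# Read fls lines on stdin; print "ADDRESS STATE" for the entry whose path is $1.
# STATE: allocated, deleted ("*" marker), or realloc (the name is deleted and
# its inode has been reused, so istat would describe a different file).
inode_for_path() {
    awk -F'\t' -v want="$1" '
        $2 == want {
            n = split($1, f, " ")            # f[n] is "ADDR:" or "ADDR(realloc):"
            addr = f[n]
            state = (f[2] == "*") ? "deleted" : "allocated"
            if (sub(/\(realloc\):$/, "", addr)) state = "realloc"
            sub(/:$/, "", addr)
            print addr, state
            exit
        }'
}

# usage: show_metadata IMAGE FSTYPE PATH [SECTOR_OFFSET]
show_metadata() {
    img=$1 fs=$2 path=$3 off=${4:-0}
    set -- $(fls -r -p -f "$fs" -o "$off" "$img" | inode_for_path "$path")
    if [ -z "$1" ]; then
        echo "not found in image: $path" >&2
        return 1
    fi
    if [ "$2" = realloc ]; then
        echo "warning: inode $1 was reallocated; metadata may not match $path" >&2
    fi
    istat -f "$fs" -o "$off" "$img" "$1"
}

# Run against a real image only when arguments are given, e.g.:
#   sh inode_lookup.sh disk.img ext4 home/user/notes.txt
if [ "$#" -ge 3 ]; then
    show_metadata "$@"
fi
```

Without arguments the script only defines the functions, so `sample_fls | inode_for_path home/user/old.txt` can be tried on a machine that has no image or Sleuth Kit installed.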

HISTORY

Developed by Brian Carrier as part of The Sleuth Kit (TSK), first released ~2001. Evolved from Autopsy framework; current versions (4.x+) support modern FS like APFS. Open-source under BSD-like license.

SEE ALSO

fls(1), icat(1), fsstat(1), mmls(1), img_cat(1)
