hi all
i was wondering if someone could provide some insight into why this command is failing to run.
echo this is a new test file > newtest
ls -li ./newtest
1442011 -rw-r--r-- 1 root root 24 Aug 28 1020 ./newtest
istat 1442011
Missing image name and/or address
usage istat [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-z zone] [-s seconds] [-rvV] image inum
-B num force the display of NUM address of block pointers
-r display run list instead of list of block addresses
-z zone time zone of original machine (i.e. EST5EDT or GMT)
-s seconds Time skew of original machine (in seconds)
-i imgtype The format of the image file (use '-i list' for supported types)
-b dev_sector_size The size (in bytes) of the device sectors
-f fstype File system type (use '-f list' for supported types)
-o imgoffset The offset of the file system in the image (in sectors)
-v verbose output to stderr
-V print version
i am running this on a kali VM if that is of any help.
thanks
michael
Missing image name and/or address
usage istat [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-z zone] [-s seconds] [-rvV] image inum
That needs the image argument.
Like
http//
image [images]
The disk or partition image to read, whose format is given with '-i'. Multiple image file names can be given if the image is split into multiple segments. If only one image file is given, and its name is the first in a sequence (e.g., as indicated by ending in '.001'), subsequent image segments will be included automatically.
I.e. the command is intended to be used on images, not on (mounted) filesystems.
I presume that the istat in Kali is similar to the one in Sleuthkit.
Maybe you want to run
find -inum 1442011
and/or
stat ./newtest
jaclaz
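
The "image inum" form from the usage line, as an added example that is not part of either post: it resolves the inode number and an image (or the backing device) for a file and prints the complete istat command. The function names are hypothetical, and GNU stat and df are assumed, as shipped on Kali.

```shell
# Resolve the two arguments istat needs for a file on a live Linux system.
# Assumes GNU stat and df; function names are hypothetical.

# Inode number of a path: the "inum" argument.
inode_of() {
    stat -c %i -- "$1"
}

# Device backing the file system that holds a path: a candidate "image".
backing_source_of() {
    df -P -- "$1" | awk 'NR == 2 { print $1 }'
}

# Print the istat command line for a path. The optional second argument is an
# image file of that file system; without it the backing device is used.
istat_cmd_for() {
    path=$1
    inum=$(inode_of "$path" 2>/dev/null) || {
        echo "cannot stat: $path" >&2
        return 1
    }
    image=${2:-$(backing_source_of "$path")}
    # istat parses on-disk structures, so the image must be a block device
    # or a regular image file, not tmpfs, overlay or a network share.
    if [ ! -b "$image" ] && [ ! -f "$image" ]; then
        echo "no raw device or image for $path (source: $image)" >&2
        return 1
    fi
    # For a whole-disk image, add -o with the partition's starting sector.
    printf 'istat %s %s\n' "$image" "$inum"
}

# Constructed demo: a scratch file, and an empty file standing in for an image.
demo() {
    f=$(mktemp) && img=$(mktemp) || return 1
    echo this is a new test file > "$f"
    istat_cmd_for "$f" "$img"
    rm -f "$f" "$img"
}
demo
```

The inode number only matches when the image was taken from the same file system the file lives on.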