1. Can someone explain the difference between a sector (ex: files listed using fsstat or istat) and inodes in the context of Sleuth Kit? Are they the same thing?
2. As I understand it, fsstat gives me information about the entire drive, dividing it into sections (I've pasted some sample output below). In my sample output, I see that the "data area" is inodes 7662-3913661, and the inodes before those are for the FAT tables. This makes sense. But the "metadata information" section lists the range as 2-62496006. I read this article which explains fsstat in detail, but I can't figure out which is the actual full range for the drive!
3. I see that the istat command tells me whether a file is "Allocated" or "Unallocated". Using fls I can see if it is deleted or not (marked with an *). Is that the same thing? If not, can someone tell me the difference?
Thanks all!
Sample fsstat output:
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32
OEM Name: BSD 4.4
Volume ID: 0x47a170c
Volume Label (Boot Sector): THOMPSON
Volume Label (Root Directory):
File System Type Label: FAT32
Next Free Sector (FS Info): 587598
Free Sector Count (FS Info): 2547008
Sectors before file system: 2
File System Layout (in sectors)
Total Range: 0 - 3913661
* Reserved: 0 - 31
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 32 - 3846
* FAT 1: 3847 - 7661
* Data Area: 7662 - 3913661
** Cluster Area: 7662 - 3913661
*** Root Directory: 7662 - 7669
METADATA INFORMATION
--------------------------------------------
Range: 2 - 62496006
Root Directory: 2
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 488251
FAT CONTENTS (in sectors)
--------------------------------------------
7662-7669 (8) -> EOF
7670-7677 (8) -> EOF
7678-7685 (8) -> EOF
7702-7709 (8) -> EOF
7710-7717 (8) -> EOF
7718-7725 (8) -> EOF
7726-7733 (8) -> EOF
7734-7741 (8) -> 27534