1TSK_COMPAREDIR(1) General Commands Manual TSK_COMPAREDIR(1)
2
6 tsk_comparedir - compare the contents of a directory with the contents
7 of an image or local device.
8
10 tsk_comparedir [-vV] [-n start_inum ] [ -f fstype ] [ -i imgtype ] [ -b
11 dev_sector_size ] [ -o sector_offset ] image [images] comparison_direc‐
12 tory
13
15 tsk_comparedir compares the contents of image to the contents of com‐
16 parison_directory. This can be useful for detecting rootkits and when
17 testing. Rootkits can be detected by comparing the contents of a local
18 directory and a local raw device. The rootkits typically don't hide
19 data when it is read directly from the raw device.
20 The arguments are as follows:
22 -o sector_offset
24 Sector offset for a partition in the image or device to compare
25 with.
26 -n start_inum
28 Starting inum for a directory in the image to start the compari‐
29 son at.
30 -v verbose output to stderr
32 -V Print version
34 -f fstype
36 Specify the file system type. Use '-f list' to list the sup‐
37 ported file system types. If not given, autodetection methods
38 are used.
39 -i imgtype
41 The format of the image file, such as raw. Use '-i list' to
42 list the supported types. If not given, autodetection methods
43 are used.
44 -b dev_sector_size
46 The size (in bytes) of the device sectors. If not given,
47 autodetection methods are used.
48 image [images]
50 The disk or partition image to read, whose format is given with
51 '-i'. Multiple image file names can be given if the image is
52 split into multiple segments. If only one image file is given,
53 and its name is the first in a sequence (e.g., as indicated by
54 ending in '.001'), subsequent image segments will be included
55 automatically.
56
59 To compare the directories in image.dd to those in directory:
60 # tsk_comparedir ./image.dd ./directory
62
66 Brian Carrier <carrier at sleuthkit dot org>
67 Send documentation updates to <doc-updates at sleuthkit dot org>
69 TSK_COMPAREDIR(1)