How to find a file’s LogFile sequence number from an E01 image



You can find a file’s LogFile sequence number with The Sleuth Kit (sleuthkit). First, identify the inode (on NTFS, the MFT entry number) corresponding to that file. The command for this is ifind.


ifind: finds the meta-data structure that has a given data unit allocated or has a given file name. In some cases any of the structures can be unallocated and this will still find the results.

Find the inode of the file using ifind

sudo ifind -a -f ntfs -n 'Windows/System32/config/SAM' /mnt/ewf/ewf1

Once you find the inode, you can use istat to find the associated metadata.


istat displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated.

Find the file’s metadata using istat

sudo istat -f ntfs /mnt/ewf/ewf1 249390

Normally, istat displays the file’s metadata. The LogFile Sequence Number appears at the top of the output. The output also contains a lot of additional data that is particularly important for finding file creation, modification, and access dates.
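The two steps above can be chained so the sequence number is extracted directly. This is an added example, not part of the original page; the function names are hypothetical, the parser assumes istat's NTFS header line "$LogFile Sequence Number:", and the sample output is constructed (only the inode 249390 comes from the page).

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Needs read access to the image; the page runs the tools under sudo.

# Print the $LogFile Sequence Number found in istat's NTFS output on stdin.
# Fails (exit 1) when the header line is missing or not numeric.
parse_lsn() {
    awk 'index($0, "$LogFile Sequence Number:") == 1 && lsn == "" { lsn = $NF }
         END { if (lsn !~ /^[0-9]+$/) exit 1; print lsn }'
}

# Resolve a path inside the image to its inode with ifind, then read the LSN
# from istat. Anything other than a bare number from ifind counts as a miss.
file_lsn() {
    img=$1 name=$2
    inode=$(ifind -f ntfs -n "$name" "$img") || return 1
    case $inode in
        ''|*[!0-9]*) echo "no inode found for $name" >&2; return 1 ;;
    esac
    istat -f ntfs "$img" "$inode" | parse_lsn
}

# Constructed istat header for offline use; the LSN value is made up.
sample_istat_output() {
    cat <<'EOF'
MFT Entry Header Values:
Entry: 249390        Sequence: 3
$LogFile Sequence Number: 4711234567
Allocated File
Links: 1
EOF
}

# Parse the constructed sample. Against the mounted image from the page:
#   file_lsn /mnt/ewf/ewf1 'Windows/System32/config/SAM'
sample_istat_output | parse_lsn
```

Recording the inode next to the sequence number in case notes makes it possible to re-run istat on the same entry later and confirm the value.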


Updated on 17th May 2023