How to determine largest file within a .dd extention

tm2004 · May 25, 2023, 10:01pm

Hello. I am a student learning about the Sleuth Kit. One of my assignments asked to look into a .dd file (imagedisk.dd) and asked, “Which file on diskimage.dd is largest? Explain how you determined this information.”

I have been researching this for hours with no luck. I ran a command “fls -o 128 imagedisk.dd” to view the file structure. I am able to see all files listed, but the do not give me any indication of size. I then ran a istat command to look into each file, but with several different files, it would take me a long time. I assume there is a better route.

Any suggestions would greatly be appreciated. I am running my command through a window OS.

Thank you in advance!

bgrundy · May 26, 2023, 2:47pm

One way you could do this is to use “body file” output (see here: Body file - SleuthKitWiki). This would give you a pipe delimited output that includes the filenames and sizes. Parse the fields and sort by size for your result.

You can use fls (on a mounted image) or fiwalk to produce the body file. There may be more efficient ways, but this should work.

Topic		Replies	Views
Is it possible to get file information with Sleuth Kit? The Sleuth Kit Help	2	1055	February 11, 2020
Zeroing file inside an image The Sleuth Kit Development	2	318	September 14, 2023
trying to find out what file is located at offset The Sleuth Kit Help	2	1872	December 31, 2021
Beginner's question: Checking for a manipulated time stamp in a file The Sleuth Kit Help	0	485	March 14, 2022
Parse whole MFT with icat? The Sleuth Kit Help	1	1211	April 10, 2021

How to determine largest file within a .dd extention

Related Topics