
312-49v10 Exam - Question 536


A CHFI expert creates a forensics image of a pen drive using AccessData FTK Imager during a computer forensics investigation. The investigator uses The Sleuth Kit (TSK) to examine an ext4 file system on a Linux disk image and suspects data tampering. The expert decides to verify inode metadata for a critical file. However, he notes an unexpected block allocation in the inode details. Which TSK command-line tool and argument should the investigator utilize to examine the addresses of all allocated disk units for the suspicious inode?

Correct Answer: D

The istat command in The Sleuth Kit (TSK) is used to display the details of a metadata structure, particularly inodes. The option '-B num' allows the investigator to examine the addresses of all allocated disk units for a particular inode. This command provides the detailed information needed to investigate the unexpected block allocation in the inode details.

Discussion

2 comments
Elb, Option: D
Apr 27, 2024

D < https://sites.ualberta.ca/dept/chemeng/AIX-43/share/man/info/C/a_doc_lib/cmds/aixcmds3/istat.htm

Elb, Option: D
May 29, 2024

The istat command displays the details of a metadata structure, i.e., an inode. -B num: This option displays the addresses of num disk units. It is useful when the inode is unallocated with size 0 but still has block pointers