Re: [sleuthkit-users] Data sizes stats Allocated vs Unallocated

[Alex N. <ajn...@cs...>]

Short answer: Nothing's immediately available.  Something would not be hard to code up, though.

I think the quickest answer you'd get---person-quick, not necessarily machine-quick---would be just summing the size of all allocated files and directories, identified by inode/MFT entry to account for multiple hard links.  Subtract that sum from the image size.  You should use tsk_loaddb or fiwalk to do the walk for sizes.

Do note that this will be a rough estimate of allocated space usage.  You'd get allocated regular files, likely the dominant space consumers; but you might not get directories (sometimes noted as 0 bytes long), or hidden or otherwise irregular metadata (e.g. alternate data streams and indices in NTFS).  I think Windows' Volume Shadow Copies will also be missed with The SleuthKit's current tooling (anyone else, please correct me if I've missed something recent).  But in most cases, the allocated files would be good enough for eyeballing.

--Alex


On Mar 14, 2014, at 09:38 , Brian McHughs <br...@in...> wrote:

> Is there a command that will give me the Allocated and Unallocated data sizes of an E01 image?
> 
> I would like to be able to quickly look at an E01 image file and see how much of its contents are allocated vs unallocated.
> 
> Thanks!
> Brian McHughs
> 
> 
> br...@in... (email)
> www.indexed.io (web)
> 888.840.0709 x101 (office)
> 303.900.3364 (cell)
> 
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org