Output Filesystem Information as JSON using The Sleuthkit
C++ Python Other
Latest commit 161493e May 27, 2015 @jonstewart Print out attribute data runs per in the inode map. Does not yet atte…
…mpt to resolve conflicts and/or mark overwritten runs.



Copyright 2010-2015, Stroz Friedberg, LLC


fsrip is a simple utility for extracting volume and filesystem information as JSON from disks and disk images in bulk. fsrip uses The Sleuthkit to do the heavy lifting.

fsrip is released under version 2 of the Apache license. See LICENSE.txt for details.


fsrip <command> <evidence file segments>

Evidence file segments must be specified in the correct order. As long as the evidence file segments are in lexicographic order, the following Bash fu will work, using a wild card for the segment number:

fsrip count `ls path/to/image.E*`


  • info

    Output one JSON record concerning the disk image, its volume system, and volumes and filesystems, but not directory entries.

  • count

    Output the total number of directory entries discovered in the disk image.

  • dumpfs

    Output one JSON record per line, detailing all metadata for a directory entry, for all directory entries discovered in the disk image. The JSON record hews closely to TSK_FS_FILE in The Sleuthkit, with a few differences. Here is an example:


    "fs":{"byteOffset":1048576,"blockSize":512,"fsID":"f7c7b628"}, "path":"Documents/", "physicalSize":4096, "meta":{"addr":9839041,"atime":1344312000,"content_len":8, "crtime":1340828653,"ctime":0,"flags":5,"gid":0,"mode":511, "mtime":1340828652,"nlink":1,"seq":0,"size":4061,"type":1,"uid":0}, "name":{"flags":1,"meta_addr":9839041,"meta_seq":0, "name":"SANS-talk.html","shrt_name":"SANS-T~2.HTM","type":5, "dirIndex":1}, "attrs":[{"flags":3,"id":0,"name":"","size":4061,"type":1, "rd_buf_size":0,"nrd_allocsize":4096,"nrd_compsize":0, "nrd_initsize":4061,"nrd_skiplen":0,"nrd_runs":[{"addr":1531152, "flags":0,"len":8,"offset":0}]}] }

  • dumpfiles

    Output a JSON record of file metadata with newline, followed by the size of the file contents (8 bytes in binary), followed by the file contents, with slack, and then repeated again for the next file until all files have been output. extract.py and hasher.py are examples of python scripts which can read this output.

  • dumpimg

    Output entire disk image to stdout.


fsrip depends on the Boost C++ library the Sleuthkit, and Scope. It uses SCons as a build tool. The build script will also build fsrip with libewf and afflib support, though these are technically optional dependencies. libewf and afflib have their own dependencies, the most notable being zlib and libcrypto. Prior to building fsrip, you must clone the Scope repository and create a symlink from the scope directory into fsrip\vendors\ (e.g. ~\projects\scope\ -> ~\projects\fsrip\vendors\scope).

You can then build fsrip by typing:


and you should see output like this:

scons: Reading SConscript files ...
System is Darwin-11.4.2-x86_64-i386-64bit, x86_64
CC = clang, CXX = clang++
Checking for C library boost_program_options... (cached) yes
Checking for C library tsk3... (cached) yes
Checking for C library afflib... (cached) yes
Checking for C library libewf... (cached) yes
scons: done reading SConscript files.
scons: Building targets ...
clang++ -o build/src/main.o -c -g -stdlib=libc++ -Wall -Wno-trigraphs -Wextra -O3 -std=c++11 -Wnon-virtual-dtor src/main.cpp
clang++ -o build/src/tsk.o -c -g -stdlib=libc++ -Wall -Wno-trigraphs -Wextra -O3 -std=c++11 -Wnon-virtual-dtor src/tsk.cpp
clang++ -o build/src/walkers.o -c -g -stdlib=libc++ -Wall -Wno-trigraphs -Wextra -O3 -std=c++11 -Wnon-virtual-dtor src/walkers.cpp
clang++ -o build/src/fsrip -stdlib=libc++ build/src/main.o build/src/tsk.o build/src/walkers.o -ltsk3 -lboost_program_options -lafflib -lewf
scons: done building targets.

and you can then run fsrip like so:

./build/src/fsrip --help

fsrip, Copyright (c) 2010-2015, Stroz Friedberg, LLC
Built Oct 25 2012
TSK version is 4.0.0
Allowed Options:
  --help                produce help message
  --command arg         command to perform [info|dumpimg|dumpfs|dumpfiles|
  --ev-files arg        evidence files