One liner: DISKCAT creates an evidentiary inventory/listing/catalog of the files in a seized tree/directory.
GET diskcat.exe THIS IS A COMMAND LINE PROGRAM
GET diskcat64.exe THIS IS A COMMAND LINE PROGRAM (fewer options than the 32 bit version).
The programs are constantly being updated/changed/enhanced. Send me an email (dm at dmares dot com) if you wish the current correct version and hash of the exe file.
Food For thought
1. Initial Evidence Cataloging: Who doesn't inventory seized items?? Use diskcat to create an initial inventory of the files on your suspect system.
2. Inventory Work Directory: When performing your examination, create routine listings of key folders and/or files. Routine "inventory".
3. Discovery List: Create a usable (and spreadsheet compatible) listing for discovery purposes.
4. Personal Catalog: Day to day, create listings of your personal directories. OR: use it to find filenames you forgot where you put.
Table of Contents:
PURPOSE Why this program was written.
OPERATION How this program operates.
OPTIONS Options available to use. Learn them well.
COMMAND LINES Suggested command lines with options.
RELATED PROGRAMS Programs similar, and used together for better forensics
Known bug: or as I prefer: Operational Challenge
When cataloging the entire root, the "\System Volume Information" folder is listed in the output. But when using -S (exclude alternate data Streams) the program fails to include this "System Volume Information" folder and its (generally two) files. Since this directory and its contents are usually not of any concern with data streams, and I really can't figure out why it isn't listed with the -S option, I'm not going to try and fix the problem. Just know that file counts between the two runs may be off by 2. The anomaly only occurs when cataloging the root of NTFS file systems.
Virus aficionados read this:
Some (actually only one mainline) virus programs incorrectly identify the exe as containing a virus. If this is the case, please check the exe with other reliable virus checkers, as this mis-identification is common.
If you are using the 64bit version, be aware that many of the newer more fine tuned options may not be available.
(06-20-2024: added --margin=xx option to include a space margin at the beginning of each line.)
(01-12-2024: the date searches, i.e. -l nn, -g nn, --older=YYYYMMDD, --newer=YYYYMMDD, have been updated and --AND removed.)
(12-31-2023: added/updated to a 64 bit beta version.)
(05-29-2023: fixed/added the --ZULU=OFF option when the ini file has ZULU=ON set.)
(03-01-2023: fixed a logic problem with the older || newer date tests.)
(03-05-2022: added a logical AND option (--AND) to invoke a logical AND date test between --newer --AND --older options.)
(03-05-2022: fixed the --newer and --older logical OR date testing options. Read carefully.)
(02-12-2022: corrected errors in the -l -g date test options.)
(01-27-2022: added the PRE suffix to the -88xx option (-8830PRE) to place the filename at the beginning of the record.)
(01-01-2022: fixed a small bug (operational challenge) in the -l (newer) and -g (older) options.)
(06-06-2023: corrected date representation when the file date is not in the current time setting (i.e. DST vs. standard time), see operation section.)
(03-14-2023: added --NO_ADS option to NOT show any ADS files in the listing.)
(01-11-2023: added --recurse options to turn off recursing the tree.)
(09-19-2019: added milliseconds to time displays with the --milli option.)
(04-20-2019: minor time display upgrade for -TACW, see -T options.)
(03-15-2019: added --UNICODE=filename option to have a Unicode output file.)
(10-22-2016: enhanced the -88 option to include a column of the 8.3 filename.)
(12-05-2013: fixed date display when windows reports a date of 00-00-0000, see -T option.)
(11-26-2013: added (.) dot to -T option.)
(07-13-2012: fixed -I option.)
(07-13-2012: added --sequence #.)
(12-20-2011: added --levels options.)
(12-2011: fixed bug in processing ADS's and file extensions.)
The 64 Bit version is now available in beta form: GET diskcat64.exe THIS IS A COMMAND LINE PROGRAM
NOTE: These (hash, diskcat, and upcopy) command line programs WILL process files with long filenames (> 255 characters), which are seen more and more in modern file systems. If you are using other cataloging, hashing or copying software, you should test its capability to process long filenames. I have found and tested a significant number of popular stand alone cataloging, copying and hashing programs:
Forensic file copying Article: tests over 40 "forensic" file copiers
Forensic Hashing Article: tests over 30 "forensic" hash programs.
ZIP-IT for forensic retention Article: tests a few zipping programs.
and have found they have not been updated sufficiently to handle long filenames. Some cannot process long filenames at all. Others can only find and process a single file at a time. Not very useful in forensics. And others may be able to find a file through the GUI, but can't do a recursion. So I urge anyone who is planning on using a program that recurses a tree on a current filesystem: please check the capability of your program on the filesystem you intend to use it on. I have created a compressed .rar file containing a number of files that can stress your process.
There are a few sample data files available for you to test any of your cataloging software against. Email me at dm@dmares.com and I will send you the link for the sample data files.
Note: Some of the more unusual options come and go. So if you find an option you like, test it. If it doesn't seem to work, let me know; I'll check to see if it has been replaced or updated.
Diskcat, in its basic operation, will traverse the entire tree/directory structure of the top level directory you point it to (usually root, or the top level of the suspect's tree) and create a listing (disk CATalogue) of all files and/or directories on a hard disk, USB drive or mounted image. However, if the image is mounted, it is not diskcat's responsibility to make certain the mounting process did in fact MOUNT all the necessary trees. Individual directories (-p option) can also be chosen for processing depending on the user's needs.
It is designed to be used for investigative/forensic purposes by creating a catalog of files in a targeted tree. The output is a fixed length record which lends itself to importation into a database for further analysis or sorting. However, the basic design limits the path display to about 60 characters, which may not be large enough. To accommodate longer paths/filenames, research the -w (width) option for larger path lengths, or set an ini file option for global -w changes. Notice that the default path truncation in normal mode truncates the top level of the directory tree and displays the last X characters, depending on the -w option used:
D: \...\D1\CYRILLIC_NAMES\Cyrillic_NAMES_W_ADS_PK.zip 93971 ....... 01/01/2020 07:34w EST
The versions after March 2019, which have in the banner a reference to the version of "32 bit unicode", will now process path/filenames longer than the 255 character limit (and \\UNC\ names) previously set in Windows. The new upper limit is the *IX compatible 32000 characters. In order for it to work, the banner must have the unicode signature in it.
In addition to creating a catalog listing, it has many options which can be used to increase the forensic use. For instance, creating a CRC, MD5 or SHA1 hash for each file for security and file validation (however for pure hashing of data, the hash.exe program is suggested).
Diskcat can check the header of each file to determine the file type or a mislabeled file. This "header" check capability is old and may not be sufficient to process current day headers. Test the capability if you want the header checks. If the +H (upper case H) option is used, it will place in the output file ONLY those files which match the types of headers the user provided in the "header.fil". As of August 2006, the user can also designate a "Category" to place each header in.
It can also search for: specific file types (i.e. -f *.exe *.doc, *.etc); files of specific dates or sizes (less or more than x days old: -g 100, -l 200c; greater or less than x bytes: -G 10000 -L 30000, etc.); and can, in effect, be programmed to search for files meeting specific criteria. This operation can turn Diskcat into a "findfile" program.
When "cataloging" files from multiple/different suspect/seized disks it can "tag" each output record with a specific label indicating the disk that contained that file:
SUSPECT1 | D:\suspect_folder\....
SUSPECT2 | D:\sustemp2_folder\....
This leads to easier location of files at a later date when searching for them on various seized evidence.
When run on an NTFS file system, the 32 bit version by default also shows/lists files with associated Alternate Data Streams (see --ADSONLY), and is capable of showing the owner of the file (-u, or -U username).
For each file listed it can execute a specific program or DOS command on that file. Again, this is an old option and should be thoroughly tested before being put into production. For instance, if the user asked Diskcat to locate all *.zip files it would list all those files with a .zip extension. Then the user could ask it to execute the PKZIP -v command on all the .zip files found. This would effectively produce a listing of all the files contained in all .zip files found on the disk being examined. NOTE: I have not tested this option for many years. If you use it, please test it and advise the results.
Other programs could be run for personal directory maintenance. Diskcat could locate files over XX days old, and then run the ms-dos del command on those files to clean out the disk.
A user-designed batch file could also be run on files selected by Diskcat, thus allowing the user to accomplish almost any operation on the file. The batch file scenario is excellent for forensic integrity and repeatability (if that's a word). This way you will always run the same command and "hopefully" get the same formatted output records for the next analysis step, or for inclusion in a report. So you don't get the opposition question of: (Why did you do it this way for my client, and not the same for other clients? Are you prejudiced against my client?).
As an aside: you might say, but the DIR command with the appropriate options can produce a catalog of the files in a tree/directory also. You might want to start with the command
dir /n /r /s
This will get you close, but no cigar. And don't even try explorer to get a tree listing. A smart defense expert will tear it apart. But don't believe me, try it yourself.
Another very useful feature is the -C option for CRC, or cyclic redundancy check, the -5 option for the 128-bit MD5 hash, and the --SHA option for the SHA-1 calculation.
The -5 option generates an MD5 hash of every file it encounters. For this reason, you should ensure that you have turned off the update of the last access date in the registry, or use the -R option.
The --SHA (that's a minus minus option) generates the SHA-1 value of the file.
These options are quite helpful when using the program to check for a corrupted file or program. They generate their appropriate value and place it at the END of the record. However, if hashing is your real need, I suggest using the hash.exe program; it is better suited for hashing processes.
But, as mentioned before, if you are merely wanting to hash files, use the hash.exe program.
Diskcat's default is to recurse the entire directory tree from its default directory (if you were at root, this means the entire drive), and to list every file to the screen. It produces an output listing which is normally in a four column format. The first column is the filename including the path (defaulted to 60 characters, modified with the -w XX option); the second column is filesize; and the third column is the file attributes followed by the last write date. If an output is selected, the disk serial number of the source drive is added as a default fourth column as seen below at Sample Output.
Columns such as CRC, date, time, disk “Label”, file type, file owner are added as the various options are chosen.
Long filenames (> 255 characters) are handled effortlessly. For extremely long filenames the -w nn or -V (variable width) option should be considered, to include a displayed path that is long enough.
A lot of programs inadvertently adhere to the old windows limit of 255 characters total path/filename. Long filenames (greater than 255 characters) are handled with no problem; see the --showlong option, and download the sample long filename files.
Versions after March 2019 have an option --UNICODE=filename, which will create an output log file that contains the unicode (16-bit) filename of each file processed. If you are looking at files which contain unicode filename characters, consider adding this option. However, this output imports poorly into a plain text editor because of the unicode format.
Command Line CAUTION CAUTION CAUTION:
The -p path and -f file_type options build a gigundo matrix (see options below) of paths and file types to search. The best, most efficient way is to always use one -p path_option and one -f file_type option. Also be cautious when using multiple file types with the -f option, because the tests overlap. For instance, if you use a format:
-f vc.* *.idb
and there are files of the name(s):
vc.70
vc.idb
When it builds the file search matrix, it will find both vc.* files (vc.70 and vc.idb) and list them in the output. BUT BUT BUT, it will also look for and find the vc.idb file which fits the *.idb pattern, and will list it in the output also, because it fits the *.idb test. SO you will get two instances of vc.idb in the output and count (once for matching vc.* and once for matching *.idb). Just a warning: if you use multiple -f file_types to search, be careful about possible multiple matrix hits. This multiple matrix matching multiplies with the number of -f filetypes asked for. Got it??? So it is best to only use one file type -f at a time if you are unsure of the number of hits.
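To make the matrix behaviour concrete, here is an added example (not diskcat's own code) that emulates a path x filespec search over a small constructed directory listing and counts how often each file is hit; the tree, paths and patterns are made up for the demonstration, using the page's vc.* / *.idb case.

```python
"""Added example (not diskcat's own code): how a path x filetype search
matrix double-counts a file that matches more than one -f pattern."""
import fnmatch
from collections import Counter

# Constructed directory listing, named after the page's vc.* / *.idb case.
SAMPLE_TREE = {
    r"D:\work": ["vc.70", "vc.idb", "main.c", "notes.idb"],
    r"D:\windows": ["vc.idb", "readme.txt"],
}


def matrix_hits(tree, paths, filespecs):
    """Emulate a path x filespec search matrix: every (path, pattern) pair is
    searched independently, so one file appears once per pattern it fits."""
    hits = []
    for path in paths:
        for pattern in filespecs:
            for name in tree.get(path, []):
                if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                    hits.append((path, name, pattern))
    return hits


def hit_report(tree, paths, filespecs):
    """Return (raw_count, unique_count, duplicates) where duplicates maps
    (path, name) -> number of patterns that matched that same file."""
    hits = matrix_hits(tree, paths, filespecs)
    per_file = Counter((path, name) for path, name, _ in hits)
    duplicates = {key: n for key, n in per_file.items() if n > 1}
    return len(hits), len(per_file), duplicates


if __name__ == "__main__":
    raw, unique, dups = hit_report(SAMPLE_TREE, [r"D:\work"], ["vc.*", "*.idb"])
    print(f"matrix count {raw}, distinct files {unique}")   # 4 vs 3
    for (path, name), n in dups.items():
        print(f"  {path}\\{name} counted {n} times")
```

The raw count is what the -f matrix reports; the distinct count is the number of files actually on disk, and the gap grows with every extra pattern that overlaps.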
During June 2020 (when DST is in effect) I was playing with file dates that referenced January 01, 2020 and June 01, 2020. Obviously these two dates were in different GMT offset time settings: one was Eastern 4 hours, the other 5 hours off GMT. One was Daylight Saving Time, and the other was Standard time. A command prompt DIR on the January 01, 2020 file showed a time of 08:34:
01/01/2020 08:34 AM 0 ZERO_BYTE.TXT
Notice the time referenced 08:34 AM. However, when I looked at the time using Windows Explorer the time was displayed as 07:34 AM. An hour difference. Mr Watson, something was amiss. I realized that because I was operating during June, which had a different GMT offset than January (4 as opposed to 5 in January), the DIR command wasn't compensating for the 1 hour difference between DST and Standard time. The current (older) version of diskcat was not adjusting for the time difference either, just as DIR wasn't. So I made a modification (fixed the operational challenge) in DISKCAT to properly adjust for the one hour GMT offset difference. Now (as of 6-6-2023) the version of DISKCAT properly displays the local times. If you use the --GMT or --zulu options, the GMT time has always been displayed properly. And as a seasoned forensicator (that's you, I think), you probably should always use GMT times (the GMT setting is ini capable) for consistency.
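As an added illustration (not diskcat's code), the following Python reproduces the 08:34 vs 07:34 discrepancy: NTFS stores timestamps in UTC, and the naive conversion applies the offset in effect at the time of the listing instead of the offset in effect on the file's own date. The US Eastern DST rule is hard-coded so it runs without a time zone database; the file timestamps and the examination date are constructed.

```python
"""Added example (not diskcat's own code): why a January file can display
as 08:34 in June. NTFS keeps timestamps in UTC; converting with the offset
in effect NOW (EDT, -4) instead of the offset in effect WHEN THE FILE WAS
WRITTEN (EST, -5) shifts the displayed time by an hour."""
from datetime import datetime, timedelta

STANDARD_OFFSET = timedelta(hours=-5)   # EST
DAYLIGHT_OFFSET = timedelta(hours=-4)   # EDT

# Constructed inputs: a file last written 2020-01-01 12:34 UTC, another on
# 2020-06-01 12:34 UTC, both examined on 2020-06-15 (DST in effect).
FILE_JAN_UTC = datetime(2020, 1, 1, 12, 34)
FILE_JUN_UTC = datetime(2020, 6, 1, 12, 34)
EXAMINED_UTC = datetime(2020, 6, 15, 15, 0)


def _nth_sunday(year, month, n):
    """Naive datetime of the n-th Sunday of the given month, at 00:00."""
    first = datetime(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(days=7 * (n - 1))


def eastern_offset(utc):
    """UTC offset in effect for a UTC instant under the post-2007 US rule:
    DST starts 2nd Sunday in March 02:00 EST, ends 1st Sunday in Nov 02:00 EDT."""
    start_utc = _nth_sunday(utc.year, 3, 2) + timedelta(hours=2) - STANDARD_OFFSET
    end_utc = _nth_sunday(utc.year, 11, 1) + timedelta(hours=2) - DAYLIGHT_OFFSET
    return DAYLIGHT_OFFSET if start_utc <= utc < end_utc else STANDARD_OFFSET


def local_time_correct(file_utc):
    """Offset taken from the file's own date (diskcat 6-6-2023 and later)."""
    offset = eastern_offset(file_utc)
    zone = "EDT" if offset == DAYLIGHT_OFFSET else "EST"
    return (file_utc + offset).strftime("%m/%d/%Y %H:%M ") + zone


def local_time_naive(file_utc, now_utc):
    """Offset taken from the date of the listing (what DIR showed in June)."""
    return (file_utc + eastern_offset(now_utc)).strftime("%m/%d/%Y %H:%M")


def zulu(file_utc):
    """What --GMT / --zulu prints: no local conversion at all."""
    return file_utc.strftime("%m/%d/%Y %H:%M GMT")


if __name__ == "__main__":
    for label, f in (("January file", FILE_JAN_UTC), ("June file", FILE_JUN_UTC)):
        print(label)
        print("  --zulu             :", zulu(f))
        print("  offset at file date:", local_time_correct(f))
        print("  offset at listing  :", local_time_naive(f, EXAMINED_UTC))
```

Only the January file differs between the two conversions, which is exactly why the discrepancy was invisible until a file from the other half of the year was compared.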
Sample Output
Below is a sample of the normal output. Notice the default output only includes the last write (modification) file date; the other file dates (access, create) are NOT included in the default output. To obtain other file dates use the -t (time) option. (Filename length and spaces have been truncated in order to fit on the page.) Also notice the alternate data stream identifier (.adata.) of the :junk.log file.
------------------------------------
WARNING WARNING Will Robinson
The output of diskcat is designed to go to standard error. So if you just use the general redirected command like:
diskcat > outputfile
you will not get the results expected. To get the output to redirect to an output file use
diskcat 2> outputfile
this redirects the error out to your file. But in real life, just use the -o output option.
It is what it was created for.
------------------------------------
The disk serial number is provided if the Label (-i) option is used. If the -I (Label) option is used, then the serial number is replaced by that user-supplied label.
Output to a file includes the default columns:
PATH                                                   SIZE    ATTR     MDATE      MTIME  TZ   SERIAL #   DISK LABEL
D:\...\D1\CYRILLIC_NAMES\Cyrillic_NAMES_W_ADS_PK.zip    93971  .......  01/01/2020 07:34w EST  ACAF-B078  D_DRIVE
D:\...\DISKCAT\release\D1\Cyrillic_NAMES_W_ADS_PK.zip   93971  A......  01/01/2020 07:34w EST  ACAF-B078  D_DRIVE
D:\...\DISKCAT\release\TEST_BAT\diskcat_demo.zip       156516  A......  04/17/2021 08:14w EST  ACAF-B078  D_DRIVE
D:\WORK\UNICODE\DISKCAT\release\diskcat_demo.zip       155644  A......  12/22/2020 14:32w EST  ACAF-B078  D_DRIVE
D:\WORK\UNICODE\DISKCAT\release\ziptest.zip            169664  A......  04/09/2020 16:54w EST  ACAF-B078  D_DRIVE
D:\WORK\UNICODE\DISKCAT\release\ziptest.zip:junk.log      457  .adata.  04/09/2020 16:54w EST  ACAF-B078  D_DRIVE
D:\WORK\UNICODE\DISKCAT\release\ziptest32.zip          427224  .......  01/01/2020 11:34w EST  ACAF-B078  D_DRIVE
Disk Labels
There is also an option (-I), for Identifier or insert, which provides for a literal tag or disk label to be added to the record. This option allows for automatic labeling or a manual label input which may later be used to easily identify which disk the catalog was made from. Automatic labeling is suggested when cataloging multiple disks in a forensic setting.
This labeling option is only allowed if you are using it in conjunction with the -a or -O (append) output option, which creates/appends an output file containing the results of the program. The disk label is normally used when creating disk catalogs of numerous disks. You can provide a unique label (up to 9 characters long) for each disk. If the disk label ([-I label] option) is used, then the disk serial number is replaced by that label. It is suggested that all the disk labels, if used, be of the same length so that when the file is printed the disk labels all line up properly.
An alternative to keying in a separate disk label each time with the -I option is to use the lower case -i option. The lower case option is an automatic number incrementing option. The program must be run from a default hard disk directory. It then looks for a file called DISKLABL in that directory. If it doesn't find one it will create it. It picks up the 10 character ascii contents of the file DISKLABL; if nothing is there it starts the label numbers at 1001. This 1001 is used as the label to add to each record of the output file, just as if you had keyed in -I 1001. The program then places the 1001 in the DISKLABL file and closes it.
Then, when the next disk is catalogued and the program finds 1001 (the last label number used) as the contents of the DISKLABL file, it takes that 1001 and adds 1 to it to make it 1002. This 1002 then becomes the label to add to the output file records. It also replaces the DISKLABL contents with 1002, so the next time the program is run it will find 1002 and increase it to 1003, etc.
If, however, you wanted to start the numbering at a specific place, such as a case number, search site number, or an alphanumeric label, you should first create the DISKLABL file and place in it the ascii contents of the number you wish to start at, less 1. For example, if you wanted it to start at MAR1001, the initial contents of DISKLABL should be MAR1000. The program will subsequently take care of incrementing the numbers. No provisions are made for incrementing the alpha section of the label, and the number part MUST be at the end.
The default disk label is the disk serial number (if no other label was chosen).
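The DISKLABL increment described above, as an added example (not diskcat's own code): the trailing digits are the counter, an alpha prefix is carried over unchanged, and a missing or empty file starts at 1001. The throwaway directory and the seed labels are constructed for the demonstration.

```python
"""Added example (not diskcat's own code): the -i auto-incrementing disk
label. The trailing digits of the DISKLABL contents are the counter, any
alpha prefix is carried over unchanged, and a missing or empty file starts
the labels at 1001 (as the page describes)."""
import os
import re
import tempfile

DEFAULT_START = "1001"
TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def next_label(previous):
    """Label that follows `previous`, e.g. 'MAR1000' -> 'MAR1001'.
    Digit-field width is preserved so labels line up when printed."""
    previous = previous.strip()
    if not previous:
        return DEFAULT_START
    m = TRAILING_DIGITS.match(previous)
    if not m:
        raise ValueError(f"label {previous!r} has no numeric part at the end")
    prefix, digits = m.groups()
    return prefix + str(int(digits) + 1).zfill(len(digits))


def advance_disklabl(directory):
    """Read DISKLABL in `directory` (creating it if absent), write the next
    label back, and return that label for use on this run's records."""
    path = os.path.join(directory, "DISKLABL")
    previous = ""
    if os.path.exists(path):
        with open(path, "r", encoding="ascii") as fh:
            previous = fh.read(10)          # page: 10 character ascii contents
    label = next_label(previous)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(label)
    return label


def demo_runs(count, seed=None):
    """Catalog `count` disks in a row in a throwaway directory; `seed`, if
    given, is written to DISKLABL first (e.g. 'MAR1000' to start at MAR1001).
    Constructed for the demonstration; returns the labels in order."""
    with tempfile.TemporaryDirectory() as work:
        if seed is not None:
            with open(os.path.join(work, "DISKLABL"), "w", encoding="ascii") as fh:
                fh.write(seed)
        return [advance_disklabl(work) for _ in range(count)]


if __name__ == "__main__":
    print(demo_runs(3))              # ['1001', '1002', '1003']
    print(demo_runs(2, "MAR1000"))   # ['MAR1001', 'MAR1002']
```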
The 16 bit version is no longer supported.
There are certain differences between the 16 and 32 bit versions:
FILE ACCESS TIME: Using any version of Diskcat with any of the following options (-h, -z, +h, or -c) will alter the last access date on an NTFS file system. This may cause an evidentiary problem for some investigations. (See It's About Time in the hash.exe documentation for a full explanation.)
The 32 bit NT version can be set to replace the original last access time of the file if the -R option is used. (This can also be accomplished with an environment variable of RESET.) When running the program without one of the options that "OPENS" a file, the last access date is not altered. (You can verify this for yourself before using it on evidence. The command <mdir.exe> can be used to verify last access times of files on NTFS.)
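To show what the -R option is guarding against, here is an added example (not diskcat's code, and not how diskcat implements -R) that hashes a file and then writes the pre-hash access and modification times back with os.utime; the function names, the sample file and its back-dated timestamp are all constructed for the demonstration.

```python
"""Added example (not diskcat's code, and not how diskcat implements -R):
hashing opens and reads the file, which can update its last access time.
Recording the timestamps first and writing them back after the read is the
effect the -R option is described as having."""
import hashlib
import os
import tempfile


def hash_preserving_times(path, algorithm="md5", chunk=1 << 20):
    """Hash `path` and restore its access/modification times afterwards.
    Returns (hexdigest, times_unchanged) so the caller can verify."""
    before = os.stat(path)
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:            # the open/read that can touch atime
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    # Put the original timestamps back (nanosecond precision where supported).
    os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
    after = os.stat(path)
    unchanged = (after.st_atime_ns == before.st_atime_ns
                 and after.st_mtime_ns == before.st_mtime_ns)
    return h.hexdigest(), unchanged


# Constructed sample content and a deliberately old timestamp
# (2020-01-01 12:34:00 UTC, expressed in nanoseconds).
SAMPLE_CONTENT = b"constructed sample file for the -R demonstration\n"
OLD_TIME_NS = 1577882040 * 10**9


def demo(content=SAMPLE_CONTENT):
    """Create the sample file, back-date it, hash it with restoration, and
    return (digest, times_unchanged, digest_matches_plain_md5)."""
    with tempfile.TemporaryDirectory() as work:
        path = os.path.join(work, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, ns=(OLD_TIME_NS, OLD_TIME_NS))
        digest, unchanged = hash_preserving_times(path)
        return digest, unchanged, digest == hashlib.md5(content).hexdigest()


if __name__ == "__main__":
    print(demo())
```

Restoring the timestamp is itself a metadata write, so on real evidence the stronger control is to hash from a write-blocked image and use the restore only where that is not possible.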
The 64 bit version is almost identical to the 32 bit version. Even though the 32 bit version says "32 bit version", it should be able to process the large files found in a 64 bit environment, and the user should test both versions before any actual production use, especially since the older/32 bit version has more capability.
However, if you need an option found in the 32 bit version that hasn't been included in the 64 bit version, let me know and I'll put it in. However, it may take a few minutes. 😂
The only differences are that the 64 bit version has been recompiled and may run a little faster. Also, some of the options have slight modifications and the user should test each to see that it produces the correct output desired.
Also, some options in the 64 bit version have been converted/ported to be environment capable, such as setting an environment variable for the recursion: SET RECURSE=ON. However, this same variable may have a different setting for each program, so be aware of its setting for the particular program.
So to summarize this segment: check and test the options chosen to see which version, 32 or 64 bit, you wish to use.
Diskcat is INI capable. INI keywords here are in [BOLD, ALL CAPS].
All options should be preceded by a (-) minus sign (with the exception of the two +hH options). Some can be grouped together, and others MUST be grouped without a space (they will be specified as to which style to use). The options are grouped where appropriate.
Some options are only active in the 32 bit version running on an appropriate file system, because they deal with specific 32 bit items like MDS (Multiple Data Streams) or file times.
Cliff Notes of Options
Check full explanations below. These are just thumbnail explanations.
-p + path(s): Process these paths. -p c:\windows c:\system32
--path=single_path_to_traverse: Only a single path is used in this -- option.
-P: -Pnn: -P=nn: Pause after each screen of 20 lines (default), or nn number of lines.
-f + filespec: Files to process. -f *.obj *.md4 *.jpg
-r: Turn off recurse. Default is to always recurse the tree.
--recurse=[ON|OFF]: Turn recurse on or off.
--norecurse: Turns off recurse, same as --recurse=off.
--showlong: Display filenames with name greater than 250 characters.
--levels=xx: Recurse the path/directories by only the xx value.
--filename=single_file_type: Process only this single filetype.
-x + filespec: E(x)clude these file type(s) from listing. -x *.exe *.dll *.docx
--exclude=single_file_type_to_exclude: Only a single filetype to exclude. --exclude=*.exe
-[oO] + outputname: Output file name: place the output to a filename (-O appends). -o outputfile.txt
--output=outputfilename: Same as -o except output is always appended to.
-[oO] + [output_name]YY[YYMMDDhhmmss][=:][output_name]: Output filename uses this mask to create the output filename. The output_name can either precede or follow the YYYY.... format.
--margin=xx: Add xx spaces at the beginning of each line.
-a: Append output file.
-d + delimiter: Use this delimiter in the records. -d "|"
--UNICODE=unicode_output_filename: Creates an additional output file with unicode filenames.
-V: Output records are variable length. Pipe (|) delimiters added by default.
-w + #: Force output filename width to # characters. -w 120
-M: Prescan the files to determine the maximum filename width and set a -w # value.
-N: Nameonly. Show/print only the path.
--NAMEAFTER[=nn]: Place path at end of record. Default 50 char width, unless [=nn] is added.
--sequence[=nnnnnn]: Add a "sequence" number to the beginning of each record, for number identification. --sequence=000000
-C + "literal comment": Add a "comment" to the beginning of every record. -C CASE_XYZ_DATA
-C + COMPUTERNAME[xx]: Add the current computername to the beginning of the record. Make xx the default width.
-I + label: Prepend/Insert this label at the beginning of each record.
--sequence[=nnn]: Prepend each record with a sequence. --sequence=1234
-v: No 'V'erbose. Do not print headers/footers to output file.
--NOHEADER: Same as -v. DO NOT print headers/footers to output file.
-1 + log_filename: Place log, accounting information in this file.
--memo: Interactive dialog with user input; adds text to accounting/logfile.
--memo=memofilename: Adds contents of memofilename to accounting/logfile.
-S: --NO_ADS: --NOADS: --NO-ADS: Do Not list Alternate Data Streams. (see bug reference)
--STREAMS, --STREAMS=[ON|OFF]: Do Not list Alternate Data Streams.
--ADSONLY: ONLY show those files that contain an Alternate Data Stream.
-u: NTFS only. Attempt to find and display the owner name of the file.
-U ownername: NTFS only. Display only files with this ownername.
TIME - AGING OPTIONS
-g=#[acw]: files greater than or equal ">=" # days old. [w is default, else a or c needed] -g=100c (equal = sign mandatory) (days)
-g=YYYY-MM-DD[acw]: files before this date (YYYY-MM-DD preferred format). -g=2021-01-01 (equal = sign mandatory)
--older=#[acw]: files greater than or equal # days old. --older=100 (equal = sign mandatory)
--[older|before]=YYYY-MM-DD[acw]: files on or before this date. --older=2021-10-01, --before=2022-01-01 (equal = sign mandatory)
-l=#[acw]: files less than or equal "<=" # days old (ell, not one). [w is default, else a or c needed] -l=100a (equal = sign mandatory)
-l=YYYY-MM-DD[acw]: files less than or equal this date (YYYY-MM-DD preferred format). -l=2021-10-10 (equal = sign mandatory)
--newer=#[acw]: files less than or equal # days old. 'w'rite is default. --newer=100 (equal = sign mandatory)
--[newer|after|younger]=YYYY-MM-DD[acw]: files less than or equal this date. --newer=2021-10-10, --younger=2022-01-01 (equal = sign mandatory)
NOTE NOTE NOTE: the 'W'rite time is the default for both -l (less than days) and -g (greater than days). If you wish another, like last 'a'ccess or 'c'reate, you need to add it: -l=5a, -g=5c; else it won't work. Don't confuse -ta (listing/displaying only the access time) with -l=5a (access date testing).
TIME - DISPLAY OPTIONS
-t[acw3]: show this/these times: Access, Create, M(w)modify, all 3. -ta displays: 10-20-2019
-T[acw3]: show this/these times with YYYY first: Access, Create, M(w)modify, all 3. -Ta displays: 2019-10-30
-t0: DO NOT display file times.
-z: --zulu: --GMT: Display times in the GMT/Zulu time zone. ini: ZULU=ON
--ZULU=OFF: Use to turn off GMT time when ini ZULU=ON is found.
-R: RESET filetime to last access time during CRC, MD5 calculation.
FILESIZE OPTIONS
-L + #: List all files Less than # bytes in size. -L 20000
--lessthan=#: List all files Less than # bytes in size. --lessthan=20000
-G + #: List all files Greater than # bytes in size. -G 20000
--greater=#: List all files Greater than # bytes in size. --greater=20000
Don't confuse the upper case -GL (size) with the lower case -gl (date) options.
-c: Add/Calculate CRC32 values. (don't forget to reset -R filetime)
-5: --MD5: --HASH: Calculate MD5 hash values. (don't forget to reset -R filetime, see -5 below.)
--SHA: Calculate SHA1 (160 bit) values. (don't forget to reset -R filetime)
-A[ehrsmdD]: Show files with specified attribute. (upper and lower case -Ad -AD have different effects on directory listing.)
-8: Add the DOS 8.3 filename to the end of the record.
-88: Add the uppercase Long File Name to the end of the record.
-88xx: Add xx length filename at end of record, with a separate field for the extension.
-88xxPRE: In addition, place the filename at the beginning of the record for easier reading.
-D + begin,count: When crc or md5 is calculated, begin at begin bytes, process count bytes.
-p + path(s): If more than one directory is to be looked at, then add the paths here as appropriate. (diskcat -p c:\windows d:\work) [PATH]=path
Some options may conflict with one another, and be mutually exclusive. I have made every effort to notify the user when conflicts occur or options are mutually exclusive. But when using convoluted mixtures of options, please test the results.
--path=single_path_to_traverse: Only a single path is used in this -- option. (diskcat --path=c:\only_this_path)
--showlong: If there are files in the current path with path/filenames longer than 255 characters, a lot of programs fail to find and display them. Diskcat has no problem finding and displaying them. For ease of confirming whether these files exist, the --showlong option will display ONLY those whose path/filename is greater than the 255 character limit. When testing software, it might be advisable to confirm that it works on long filenames. If you are unsure that you have test files, you can download a sample 7-zip file here. Unzip the 7z file, then unzip the contents maintaining the full path. You should end up with about 80+ files with paths longer than 255 characters. (diskcat --showlong)
--levels=xx: (12/2011) The --levels option recurses the path/directories by only the xx value. So if xx was 2, then the recursion will only recurse two directory levels from the top or starting location dictated by the -p option. So if you are starting X levels down based on the -p option, this will add to the number of total levels reflected in the output. This option ONLY produces a listing of directories, and the -AD option is also needed. If the -AD option is not included, results are unexplained; it produces trash or may not run. (diskcat --levels=3)
-f + filespec: If more than one file type is needed, add them here. (diskcat -f *.c *.obj *.dll) [FILES]=filetype. Be sure to add a -p path when using multiple -f filetypes (type2 type3). Otherwise, you may get incorrect totals.
If the above options are used, the program builds a matrix of paths and file types. Test all of your permutations before actually running various permutation formats of the -f and -p options. It searches all the requested directories for all the requested file types, thus producing a total of all the files in all the paths requested. These options are added to any default command line provided.
(C:>diskcat c:\work\*.c -f *.dll -p d:\windows)
--filename=single_file_type: Only a single filetype is used in this -- option.
-x + filespec: E(x)clude these file types from listing (same format as the -f option). (diskcat -x thesefiles.txt) [EXCLUDE]=filetype
--exclude=single_file_type_to_exclude: Only a single filetype is used in this -- option.
-oO + filename: Output file name: place the output to a filename. If uppercase 'O' then any existing output file is appended to. The special output option -ostdout should be used if you wish to redirect the output to another file or directly to a printer. This option (-ostdout) may not work with some other options.
The output file default format contains headers and footers in the output file, which may cause problems when trying to import the data to the next step. If you wish to eliminate the headers/footers, you must create a log file using the -1 option as explained below.
Or, if you are mouse reliant, you can redirect output using redirection: 2> outputfilename (diskcat -o c:\tmp\outputfilename.txt)
INI file syntax: [OUTPUT]=filename
--output=outputfilename: Same as above except output is ALWAYS appended to.
-oO + [OUTPUTNAME]YY[YYMMDDhhmmss][=:][OUTPUTNAME][Gg]:
This format allows the output file to be easily identified as to when it was created. The YY.... mask causes the output file to be named with the current date/time according to the mask used, and a .txt extension is added unless the user includes an extension in the mask name. If this format is used, the -a append option is automatic and the -v no verbose option is also automatic.
This option has a number of variations. Read and test profusely. You do know how to do that, don't you.
The basic idea is to create an output filename carrying the date and time (depending on which of YYYYMM.. etc. you use) the program was run. The user can also add a textual filename either preceding or following the generated date-time name. The format for this output filename creation is convoluted.
If you include the preceding [NAME] text, the name provided is "prepended" to the date string created (see below for the trailing filename format). With specific additions of an actual NAME the output name can be modified to have a leading textual name.
If the trailing "filename format" (not recommended without extreme testing) is included as part of the output name, you must use either the "=" or ":" delimiter in the trailing mask or else it is ignored. The minimum is that the YY be the first item. Then you can add additional modifiers to refine the output name. This option is especially helpful when you are creating the catalogs with batch scripts run periodically: depending on the mask used, the output filename will reference the date and time of the run. The modifiers are case dependent, and add the following:
--PNAME: (minus minus PNAME) If using the above YY... format, you can also prepend to the output filename the actual name of the program being run. So if you use --PNAME when running diskcat, the name DISKCAT will precede the filename, such as:
diskcat -o YYYYMMDDhhmmss=NAME --PNAME yields the program name before, and the filename after:
diskcat_20231111_102025NAME.txt
There are probably other variations of the date inclusion. But I'm tired of adding them.
--UNICODE=unicode_filename: This option opens and creates a file of the name given as unicode_filename. It is independent of the -o options when creating output files. It causes an additional output file (which is always overwritten, so if it exists, copy the current output to a safe place) to be created with minimal information, written with the correct Unicode characters representing the filename. It also contains the filesize, dates and times, and if chosen, the MD5 and SHA values. It is pipe (|) delimited without headers. This output should only be examined using an editor that can properly interpret true little endian 16 bit Unicode characters. This option is similar to the --UNICODE=... option found in the upcopy and hash programs.
-V: Output records are variable length, with the full pathname remaining as the 1st item on the line. This guarantees that the full path is included. Also inserts pipe delimiters by default. Mutually exclusive with the -w(idth) xx option: a -w or a --nameafter option will disengage any -V option. The -8... options will only work realistically with -V if you use the -88. Any other use of an -88xx combination is unwise and output is not guaranteed. So test it. See also the -M option, which adjusts the filename field to the maximum size needed. (diskcat -V -o outputfilename.txt)
-w + #: Change the default width of the filename from a default of about 50 to any other specific value. If you have long filenames, this may be necessary to accommodate the entire name. With current path lengths, it is often advisable to use about 160 - 250 as a length. If a filename longer than 50 is used, the screen output tends to be more than one line long. (diskcat -w 250)
The -w option also has a unique special modifier, -w0. If -w0 is used, then the filename itself is a 50 character first field, and the full path/filename is moved to the last field. It turns the record into a variable length record with the full path at the end and also adds pipe (|) delimiters. Any -w option also turns off any -V option. A -w0 option is probably the best if you are going to import the output to a spreadsheet, as this gets you a filename as the first field, and a full path as the last field of a delimited record.
[WIDTH=xx], ENVIRONMENT: WIDTH=xx
-M: Prescan the files to determine the maximum filename length needed to show the full filename, then adjust the output filename field to the full name length + 10. This option ONLY works if the -o output option is also used. It is suggested that the -d or -V option is also used to include a delimiter.
sample command lines and outputs
diskcat -M -o mandatory_output.txt
D:\path1\filename1        123456 20200101 12:34:56
D:\path2\longest_filename 345678 20200101 13:45:56
notice columns all line up to the longest filename
diskcat -M -d "|" -o mandatory_output.txt
D:\path1\filename1        | 123456 | 20200101 | 12:34:56
D:\path2\longest_filename | 345678 | 20200101 | 13:45:56
notice columns all line up to the longest filename and a delimiter is added
diskcat -V -d "|" -o mandatory_output.txt
D:\path1\filename1 | 123456 | 20200101 | 12:34:56
D:\path2\longest_filename | 345678 | 20200101 | 13:45:56
notice variable width filename with delimiter.
-N Show/print ONLY the path/filename. This option ONLY outputs the full path and filename based on the -w xx option. If this option is used, it will NOT display/find/show any alternate data stream information for the file, as all file processing is halted once the full path/name is found and displayed. However, this option is useful if you only need a list of names for further analysis.
If --NAMEAFTER (see the --nameafter option below) is used, it will generally override the -w options, and causes the full path to be the last item in the record, currently set as a fixed value of 50 characters for the full pathname. Some combinations of -V, -w and --nameafter are mutually exclusive. It takes some practice to get the proper mix of -w0 and --NAMEAFTER. When using these varied options, consider using a delimiter to show absolutely where the fields end. So experiment freely. (diskcat -w 50 --NAMEAFTER) [WIDTH]=50
--NAMEAFTER[=nn]: (Similar to the -w0 option, except it makes the final field fixed at 50 characters.) If you want the full path name moved from the first field to the end of the record, use this --NAMEAFTER option. It takes the path/filename and makes it the last item on the record instead of the first (the filename itself is still left as the first fixed length item). The default length of this fixed item is approximately 50 characters. However, if you add the (=nn) value, where nn is a number to expand or contract the path, then it is sized accordingly. This option still results in a fixed length output, with the name as the last item on the record instead of the first. If you want the last field to be truly variable and contain the entire full path/name, just use the -w0 option.
-a Append output to filename provided in -o option. Serves same purpose as using an upper case O. (diskcat -o outputfilename.txt -a is same as: diskcat -O outputfilename.txt ) [APPEND]=[ON|OFF]
--sequence[=nnnn] Add a "sequence" or record number to the beginning of each record. The width of the field is ALWAYS 6 characters with leading zeros. If the =nnnn is replaced with a numeric value, then the sequencing (record numbering) begins at that value. This will allow the user to start the record numbering at any pre-determined value. The equal = sign must be included. --sequence=1000, will start at 1000. The order of preference in the output record is: sequence no, -I label option, -C comment option.
-C + "comment" Add a "comment" to the beginning of every record. This is very useful when ultimately merging many outputs from different locations or for different cases. The comment can uniquely identify the sources of the hash values. Example, (-C SUSPECT_CPU#1), as in: "diskcat -o outputfilename.txt -C SUSPECT_CPU#1"
-C + COMPUTERNAMExx A special version of the -C option. If the literal COMPUTERNAME (all uppercase) is used, then the program will find the name of the computer and insert it there. This is kind of like a wildcard substitution: the user lets the system decide what to put there. This can then uniquely identify the source computer of the hash values. Example, (-C COMPUTERNAME). The resulting output records would look something like this: "CPU-2_ATLANTA C:\WINNT\....\filename etc.". If the xx is replaced by a numeric value, then the computer name field is made this many characters wide. (-C COMPUTERNAME20) becomes: "CPU-2_ATLANTA        C:\WINNT\....\filename etc."
-v; No 'V'erbose. Do not print headers/footers to output file. (ini: Verbose=on)
--NOHEADER: No 'V'erbose. Do not print headers/footers to output file.
-1 + filename (That's a one, not an ell). The filename here is a file which will contain accounting/log information about the run. It is always appended to, and contains the command line plus statistics about how many files were processed and the time of the run. The file can later be used as a batch file for duplicating the runs.
Using the -1 logfile option removes the headers and footers from the output file, allowing it to be easily reprocessed in the next step.
The ACCT environment variable can also be set (SET ACCT=logfilename). Or use the .INI option [ACCT=filename].
The order of priority is: Environment, INI file, Command Line option. To explicitly turn it off use a +1. (diskcat -1 c:\tmp\logfilename.txt)
--memo Causes an interactive dialog with user which allows user to input up to 2000 characters of "memo" information. This information will be appended to the -1 logfile name.
--memo=memofilename Creates/Appends a file called memofilename, and causes an interactive dialog with user which allows user to input up to 2000 characters of "memo" information. Difference is this version DOESN'T add to the -1 logfile.
-S
--NO_ADS --NOADS --NO-ADS
--STREAMS, --STREAMS=[ON|OFF] Do Not list Alternate Data Streams (NTFS only). See the operational challenge described at the top of this article. (diskcat --NO_ADS) [STREAM]=[ON|OFF]
--ADSONLY ONLY show those files that contain Alternate Data Stream. (diskcat --ADSONLY)
-u NTFS only. Display owner name of the file.
-U ownername; NTFS only. Display only files with this ownername.
General information:
Because the date tests are so finicky (that's an artificial intelligence term) you should test these options extensively before implementing them.
When the program calculates the date, or the user enters a date, remember that the date which is entered IS included in the calculation. So, if you use -l=1 for less than one day, today is included, so any file with today's date would be included. If you entered --newer=2022-02-01 then any date more recent than and INCLUDING Feb 01, 2022 itself would be included in the test. Any reference to older or newer below also includes "older than or equal >=" or "newer than or equal <=".
For either the -l or --newer= options, the last 'w'rite time is the default. To match other time items, refer to the explanations below of how to change the default 'w'rite time.
The [mac] (modified, access, create) modifier is always suggested (the program accepts 'w' for Modified). When using both the --newer= and --older options together, a MAC modifier must be used on each date so that the program can tell which MAC segment to test; otherwise the Modified time is defaulted. The MAC modifier MUST be different for each date, AND the two tests are combined as a logical AND. So something like --newer=2022-01-01w --older=2021-04-01c would find ALL files that were written after (newer than) Jan 1, 2022, AND created before (older than) April 1, 2021. The AND test is implied. Again, since this test uses my artificial intelligence, you should test its operation fully.
If you want both the --newer and --older dates, you need to add an a, c or w after each date to tell the program which you want tested: access, create, or modify. A logical AND is then assumed. So --newer=2022-01-01c --older=2022-12-31w will show ONLY files that were created after Jan 1, 2022, AND were last written/modified before Dec. 31, 2022. It is suggested you test these two logic tests profusely before relying on the outcome.
When using the format -l=xx days, or -g=xx days, this number of days is counted from today. So in effect, 10 days from today would not equate to 10 days from yesterday. If you want to count from a specific date YYYY-MM-DD then use that format, not the xx day counter format.
All the formats, -l, --newer, etc., ALL require that an equal (=) sign be used, and no spaces.
Although a date format of =YYYYMMDD[acw] is acceptable in the latest versions, it is always better to use the YEAR-MONTH-DAY format and put separators in the date, like: =2024-01-01w. This way there is no confusion whether the date is 01012019 or 2019-01-01. Don't forget, get testy.
NOTE NOTE NOTE: the 'w'rite time is the default for both -l and -g. If you wish another, the 'w' or 'a' modifier is REQUIRED. For instance, for last 'a'ccess you need to add it: -l=5a, else it won't work. Don't confuse -ta (display access time), which lists only the access time, with -l=5a for date restriction.
SUPER SUPER NOTE with Alternate Data Streams: If the --newer, --older date options are used, and the parent's date fits the request but the alternate data stream's does not, the program will list BOTH the parent and the alternate data stream. So you may see what you think is an incorrect date hit for the alternate data stream, but take a look at the parent before blowing the whistle. I have chosen to include "bad"/incorrect ADS dates if the parent fits the request, just for informational purposes. Be aware. TEST TEST TEST and get back to me.
For all the date options, the last 'W'rite is the default. If you wish others, then explicitly include the modifier.
-g=#[acw] (greater than or equal). Write is defaulted, else the 'a' or 'c' is required. -g 5a
-g=YYYY-MM-DD[acw] (greater than or equal).
--[older|before]=YYYY-MM-DD 'w'rite time is default. last write
--[older|before]=YYYY-MM-DDw 'w' is default. last write
--[older|before]=YYYY-MM-DDc 'c' is created date
--[older|before]=YYYY-MM-DDa 'a' is last access
Where the # is replaced by a number indicating file age in days: list all files 'g'reater than or equal ">=" to # days old. The equal (=) sign is REQUIRED when using the YYYY-MM-DD format.
You can use a -g=nn -l=xx pair to bracket file ages. (diskcat -g=100 lists files whose write time is greater than 100 days old.) The default time item used is the 'w'rite time. If you wish other time tests, add one of the modifiers [acw]: -g=100c
-l=#[acw] (ell, for less than or equal, not a one). Last 'W'rite is the default, else the 'a' or 'c' is required. -l 3w.
-l=yyyy-mm-dd[acw]
--[newer|younger|after]=YYYY-MM-DD 'w' is defaulted
--[newer|younger|after]=YYYY-MM-DDw 'w' is write time (default)
--[newer|younger|after]=YYYY-MM-DDc 'c' is created date.
--[newer|younger|after]=YYYY-MM-DDa 'a' is last access
Where the # is replaced by a number indicating the number of days old. The equal (=) sign is REQUIRED when using the YYYY-MM-DD format.
List all files 'l'ess than or equal to # days old (in other words, the day you list is ALSO included in the test). You can use a -g=xx, -l=yy pair to bracket file ages. To get ONLY today's files, use (diskcat -l=1): less than 1 day old, which INCLUDES today. The day count INCLUDES today. So if today is 2-10-2022 and you put -l=1, you would see today's files.
--newer=2022-01-01c --older=2022-02-01w defaults to logical AND which will find files created after Jan 1, AND last written before Feb 1. Don't forget, the modifiers [acw] have to be different for each date. DAH!
The preferred format is the minus-minus format, --[older|newer]=YYYY-MM-DD[acw]; be careful when entering any date ranges.
NOTE: the date format "PREFERS" delimiters if you use the =YYYY-MM-DD format. The preferred format is =YYYY-MM-DD with dash delimiters and the equal (=) sign. If you don't use delimiters I use my artificial intelligence to try and figure out what you mean, and it may not always be correct. The month-first format MM-DD-YYYY is acceptable, but not preferred. Got it??
In any of the above formats, the default date being checked is the 'w' last write date. If you wish for either the 'c'reate or 'a'ccess date you must add the modifier to the date, ie: --newer=2020-12-01a or --older=2020-10-01c. The -t[acw] date display option has no impact on the date test.
Process only those files (g)reater (older) than (or equal to) or (l)ess than/newer than (or equal to) this yyyy-mm-dd date. The date MUST be in the form yyyy-mm-dd with delimiters. It MUST have a two digit month and day (leading 0 if necessary, 01), and it MUST have a 4 digit year (2022 etc.). The date (or days xx) given is included in the calculation. Ie: --newer=2022-01-10 selects files newer than (fewer days old than) Jan 10, 2022, and any file with the date of Jan 10, 2022 itself would be included in the test.
The [acw] literals choose which time to base the date test on. Any or all of [acw] can be used. If none is used, then the default is last 'w'rite.
examples: -l=2020-10-20a --newer=2020-10-20a -g=2020-12-05w -g=2020-10-01c --older=2020-10-01c -l=2020-10-20acw -g=2021-12-05wc
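The inclusive day counting and the AND of a --newer/--older pair described above are easy to get wrong, so here is the filter logic re-implemented in Python as an added example (this is not diskcat's own code). It reads options in the page's own syntax (-l=n, -g=n, --newer=YYYY-MM-DD[acw], --older=YYYY-MM-DD[acw]), defaults to the 'w' time, treats every comparison as inclusive, counts today as day 1, and ANDs several options. The sample tree and the fixed "today" (2-10-2022, the page's own example date) are constructed; the rule that several [acw] letters on one option pass when any named time passes is an assumption, since the page does not say how they combine.

```python
"""Inclusive date-window filtering modelled on the -l/-g/--newer/--older rules above."""
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class FileRec:
    """Constructed sample record: a name plus its write/access/create dates."""
    name: str
    w: date   # last write (modified)
    a: date   # last access
    c: date   # created

    def stamp(self, which: str) -> date:
        return {"w": self.w, "a": self.a, "c": self.c}[which]


# "-l=5a", "-g=100", "--newer=2022-01-01c", "--older=2022-02-01w": the '=' is mandatory, no spaces
OPTION_RE = re.compile(
    r"^(?:-(?P<short>[lg])|--(?P<long>newer|younger|after|older|before))"
    r"=(?P<value>\d{4}-\d{2}-\d{2}|\d+)(?P<mods>[acw]*)$"
)


def parse_date_test(option: str, today: date):
    """Return (direction, cutoff, modifiers) for one date option.

    'newer' keeps files dated on or after the cutoff (>=); 'older' keeps files
    dated on or before it (<=). Both comparisons are inclusive, as the text says.
    """
    m = OPTION_RE.match(option)
    if not m:
        raise ValueError(f"{option!r}: needs '=' with no spaces and a YYYY-MM-DD date or a day count")
    key = m.group("short") or m.group("long")
    direction = "newer" if key in ("l", "newer", "younger", "after") else "older"
    value = m.group("value")
    mods = m.group("mods") or "w"                 # last write time is the default
    if "-" in value:
        cutoff = date.fromisoformat(value)
    else:
        # The day count includes today: -l=1 is "today only", so -l=n reaches back n-1 days,
        # and -g=n keeps files whose date is that far back or earlier.
        cutoff = today - timedelta(days=int(value) - 1)
    return direction, cutoff, mods


def passes(rec: FileRec, direction: str, cutoff: date, mods: str) -> bool:
    """Assumption: with several [acw] letters, any one matching time is enough."""
    for which in mods:
        stamp = rec.stamp(which)
        if direction == "newer" and stamp >= cutoff:
            return True
        if direction == "older" and stamp <= cutoff:
            return True
    return False


def select(records, options, today: date):
    """Apply every date option; several options combine as a logical AND."""
    tests = [parse_date_test(opt, today) for opt in options]
    return [r.name for r in records if all(passes(r, *t) for t in tests)]


# Constructed sample tree; "today" is pinned to the page's example date 2-10-2022
TODAY = date(2022, 2, 10)
SAMPLE = [
    FileRec("today.txt",     w=date(2022, 2, 10),  a=date(2022, 2, 10), c=date(2022, 2, 10)),
    FileRec("yesterday.txt", w=date(2022, 2, 9),   a=date(2022, 2, 10), c=date(2022, 2, 9)),
    FileRec("report.docx",   w=date(2022, 1, 20),  a=date(2022, 2, 1),  c=date(2022, 1, 5)),
    FileRec("old.dat",       w=date(2021, 12, 31), a=date(2022, 1, 15), c=date(2021, 3, 15)),
]

if __name__ == "__main__":
    print(select(SAMPLE, ["-l=1"], TODAY))                                   # today's files only
    print(select(SAMPLE, ["--newer=2022-01-01c", "--older=2022-02-01w"], TODAY))
    print(select(SAMPLE, ["-g=42"], TODAY), select(SAMPLE, ["-g=43"], TODAY))  # inclusive edge
```

Running it shows why the text insists on testing: old.dat is exactly 42 days old under the "today counts as day 1" rule, so -g=42 still lists it while -g=43 does not.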
-L + # Where the # is replaced by a number indicating: list all files less than # bytes in size. (diskcat -L 100000) [LESSTHAN]=100000
-G + # Where the # is replaced by a number indicating: list all files greater than # bytes in size. You can use a -GL pair to bracket file sizes. (diskcat -G 10000 -L 100000) [GREATER]=10000
-P
-Pnn
-P=nn Pause after every 20 lines is the default. Adjust the number of lines using the value nn (diskcat -P or diskcat -P65 or diskcat -P=65). ini format: PAUSE=[ON|OFF|nn]
--pause[=nn]: Pause every 20 lines by default, or adjust to nn lines for larger screens: --pause=65.
-d + delimiter Replace "delimiter" with a delimiter (typically a pipe "|") within double quotes with which to delimit fields. If the delimiter is not printable, use its decimal ASCII value but don't place it in quotes. (diskcat -d "|")
[DELIMITER]=|, ENVIRONMENT: DELIMITER=|
-D + begin,count (only in versions available after 12/2010) The -D option is used when processing the files for CRCs or MD5 hashes. If you want to process a segment/section of the file, use -D #,# to set the starting byte value and the number of bytes to process. The starting byte number is always counted from 1, not 0. The 2nd part of the option is the actual number of bytes to process. The comma (,) delimiter between the two values is only required if the 2nd section is used. If the 2nd value (number to process) is left off, then the entire rest of the file is processed beginning at the begin value. (Do not include the comma in this case.) Sample: -D 100,1000 (start at byte 100, and process 1000) or -D 100 (start at byte 100 and process the rest of the file).
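To make the 1-based begin,count semantics concrete, here is a segment hasher written for this page as an added example (not diskcat's code). It parses the -D value exactly as described (comma only when a count is given), seeks to byte begin counted from 1, and digests either count bytes or the rest of the file, reading in chunks so a large evidence file is never loaded whole. The 100-byte sample "file" is constructed in memory.

```python
"""Hash a byte range of a file the way the -D begin,count option describes."""
import hashlib
import io
from typing import BinaryIO, Optional, Tuple

CHUNK = 64 * 1024


def parse_d_option(text: str) -> Tuple[int, Optional[int]]:
    """'100,1000' -> (100, 1000); '100' -> (100, None). The comma appears only with a count."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) > 2 or not parts[0].isdigit():
        raise ValueError(f"bad -D value {text!r}: expected begin[,count]")
    begin = int(parts[0])
    if begin < 1:
        raise ValueError("begin is counted from 1, not 0")
    count = None
    if len(parts) == 2:
        if not parts[1].isdigit():
            raise ValueError(f"bad -D count in {text!r}")
        count = int(parts[1])
    return begin, count


def hash_range(stream: BinaryIO, begin: int, count: Optional[int] = None,
               algorithm: str = "md5") -> str:
    """Digest the bytes starting at 1-based position `begin`.

    With count=None the rest of the stream is hashed. If begin lies past the end,
    or count runs past the end, only the bytes that exist are hashed.
    """
    h = hashlib.new(algorithm)
    stream.seek(begin - 1)                     # byte 1 of the file is offset 0
    remaining = count
    while remaining is None or remaining > 0:
        want = CHUNK if remaining is None else min(CHUNK, remaining)
        block = stream.read(want)
        if not block:
            break
        h.update(block)
        if remaining is not None:
            remaining -= len(block)
    return h.hexdigest()


def hash_bytes_range(data: bytes, spec: str, algorithm: str = "md5") -> str:
    """Convenience wrapper: apply a -D style spec to an in-memory byte string."""
    begin, count = parse_d_option(spec)
    return hash_range(io.BytesIO(data), begin, count, algorithm)


# Constructed 100-byte sample "file": ten repeats of the digits 0-9
SAMPLE = b"0123456789" * 10

if __name__ == "__main__":
    print(hash_bytes_range(SAMPLE, "1"))        # whole file
    print(hash_bytes_range(SAMPLE, "11,10"))    # bytes 11..20, i.e. the second "0123456789"
```

Because the sample repeats every ten bytes, -D 11,10 and -D 91 (the last ten bytes) must produce the same digest as -D 1,10; that relation is a cheap self-check for any segment hasher.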
MAC TIME PRINT SELECTIONS
This -[Tt][acw3] option determines which file time(s) are displayed in the output record.
-[Tt][AaCcWw3]
Show the file time as last 'a'ccessed; last 'w'ritten; 'c'reated; or show all '3'. If the A, C or W is uppercase, then the milliseconds are added to the file time.
No spaces between the -t and the modifier. ( -tc or -TC or -t3 ) Default is the 'w'rite time, which is identical to what DIR or Explorer displays.
If the T is upper case (-Tw), then the date MM/DD/YYYY is reversed to read YYYY/MM/DD. If the option -T3 is ended with a period (.), (-T3.), then the item is prefaced with a single quote ('), ('YYYY/MM/DD), '2013/01/01. This single quote keeps Excel from interpreting the item as a date and reversing it to MM/DD/YYYY. It eliminates the Excel import step of choosing this field as a text string.
If the A, C or W of -TA -TC -TW is upper case, then the seconds part of the time is added. IE: 2019-04-20 02:15:39.
If the option -t3 is used, then the seconds and milliseconds are added to the time. Milliseconds are added in two instances: if the -t3 option is used, or if --MILLI is added. IE: 2019-04-20 02:15:39:999
So there are two ways to get milliseconds added to the time: call for all three times to be shown (-T3), or add the --MILLI option if you are only asking for a single time to be shown.
Some software (ie: X-Ways, and others) exports/extracts files (usually child objects) and doesn't set a date. Windows then responds with a "blank" date, or a date of 0000-00-00. When attempting to use other software to view these blank dates, it becomes difficult to sort or even find items with a blank "date" field. In order to fix this, when the diskcat program finds a blank date field it will display the date of 01-01-1601, which is the Windows XP/7 start/epoch date. When viewing diskcat output with this date, it means that Windows didn't know or have a date to display, and it is "seeded" here just to have something to refer to. (diskcat -T3 or diskcat -TW --milli or diskcat -t3 or diskcat -T3 --gmt)
.ini options
[TIME]=[A|C|W|3],
[ALLTIMES]=[ON|OFF]
[ZULU=ON]
-z:
--zulu; Display time in 'Z'ULU GMT format. The letters GMT will be at the end of the output line indicating such. Use GMT to get relative references, especially when dealing with 2 or more time zones. (diskcat -z or diskcat --zulu)
.ini: [ZULU]=[ON|OFF]
Turn off ini zulu with the --ZULU=OFF option.
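The time display rules above (upper/lower case T for date order, upper-case modifier for seconds, -t3 or --MILLI for milliseconds, the trailing period that prefixes a quote for Excel, the seeded 01/01/1601 for a blank date, and the GMT marker for -z) are collected here in one formatter, written for this page as an added example rather than taken from diskcat. Times are Windows FILETIME values (100 ns ticks since 1601-01-01), which is where the 1601 seed comes from. Two assumptions, not stated by the page: a "3" request prints the times in modified, access, create order, and the quote prefix is applied to every time printed.

```python
"""Format file times per the -[Tt][acw3], --MILLI, -z and blank-date rules above."""
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100 ns ticks from this epoch; a blank (zero) date lands on it.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
OPTION_RE = re.compile(r"^-([Tt])([AaCcWw3])(\.?)$")


def make_filetime(year, month, day, hour=0, minute=0, second=0, millisecond=0) -> int:
    """Constructed helper: build a FILETIME value from a UTC calendar time."""
    dt = datetime(year, month, day, hour, minute, second, millisecond * 1000, tzinfo=timezone.utc)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def _format_one(filetime, iso_order, seconds, milli, quote, offset):
    # A blank/zero date is "seeded" with the 1601-01-01 epoch so the field is never empty.
    dt = (filetime_to_datetime(filetime) if filetime else FILETIME_EPOCH) + offset
    if iso_order:                                   # upper-case -T: YYYY/MM/DD
        text = f"{dt.year:04d}/{dt.month:02d}/{dt.day:02d}"
    else:                                           # lower-case -t: MM/DD/YYYY, like DIR
        text = f"{dt.month:02d}/{dt.day:02d}/{dt.year:04d}"
    text += f" {dt.hour:02d}:{dt.minute:02d}"
    if seconds:                                     # upper-case A/C/W, or 3
        text += f":{dt.second:02d}"
    if milli:                                       # -t3 or --MILLI
        text += f":{dt.microsecond // 1000:03d}"
    return ("'" + text) if quote else text          # trailing '.': stop Excel re-parsing the date


def format_times(times: dict, option: str = "-tw", milli: bool = False,
                 zulu: bool = False, local_offset_hours: float = 0) -> str:
    """Render the time field(s) of one record.

    times maps 'a', 'c', 'w' to FILETIME ints; option is -[Tt][AaCcWw3] with an
    optional trailing '.'; milli models --MILLI; zulu models -z/--zulu (UTC plus a
    trailing GMT marker); local_offset_hours is the zone applied when not in zulu mode.
    """
    m = OPTION_RE.match(option)
    if not m:
        raise ValueError(f"bad time option {option!r}: expected -[Tt][AaCcWw3][.]")
    case, mod, dot = m.groups()
    selected = ["w", "a", "c"] if mod == "3" else [mod.lower()]   # assumption: 3 -> m, a, c order
    offset = timedelta(0) if zulu else timedelta(hours=local_offset_hours)
    fields = [
        _format_one(times[key], case == "T", mod == "3" or mod.isupper(),
                    milli or mod == "3", dot == ".", offset)
        for key in selected
    ]
    line = " ".join(fields)
    return line + " GMT" if zulu else line


if __name__ == "__main__":
    ft = make_filetime(2019, 4, 20, 2, 15, 39, 999)   # constructed timestamp
    print(format_times({"w": ft}, "-TW", milli=True, zulu=True))
    print(format_times({"w": 0}, "-tw"))               # blank date -> 01/01/1601 00:00
    print(format_times({"a": ft, "c": ft, "w": ft}, "-T3.", zulu=True))
```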
-m Do not show any file dates or times. This significantly reduces the size of the output record. (-m) [MILITARY]=[ON|OFF]
-A[ehrsmdD] Show only files with the following attributes: h=Hidden files, r=Readonly, s=system, d=directories only, m=modified, e=encrypted filesystem (NTFS 2K). The [hrsdm] must be entered immediately after the -A without any spaces. The -A is case sensitive. [HIDDEN|READONLY|SYSTEM|ARCHIVE|DIR_ONLY|ENCRYPTED]=[ON|OFF]. See below -Ad explanation.
-A[dD] The -Ad includes the directories in the listings, while the -AD shows ONLY directories in the listing. So be aware of which 'dD' is used. See the --DIRECTORY option also.
The difference between -Ad and -AD is that if the upper case -AD is used, then ONLY directories are listed in the output. If the lower case -Ad is used, then directories are added to the output file and the -r (recurse) option MUST be used. (This is somewhat different from the way the Mdir program uses the -AD or -Ad options.)
--DIRECTORY: Add directories to the listing. Same as the -Ad (lower case d) option above.
-R RESET the last access time to the original time. This reset is attempted after using an option that opens a file for reading. All files except those LOCKED by the operating system are reset. This same effect can be achieved if an environment variable RESET is set. (set RESET=1). INI setting: [RESET=ON], ENVIRONMENT RESET=ON
-r Turn off recurse. The default is to always recurse the tree.
--recurse=[ON|OFF] Turn recurse on or off.
--norecurse: Turns off recurse, same as --recurse=off
[RECURSE=ON|OFF], ENVIRONMENT: RECURSE=ON
-eE “command %” See EXEC -e option description below.
NOTE: the file containing the headers has a filesize limitation of 50000 bytes or 500 LINES (including comments), whichever limit is met. This limitation was imposed because occasionally the header files being provided were corrupted and would cause the program to incorrectly execute. The limitation is designed as a safety factor in case the user provides a file which is not compatible with the program.
The 'H' options, outlined below, can be very confusing, and produce somewhat unexpected results. Please check your logic before putting into production. See the section on headers in the Headers section for some examples and further definitions.
+h + header_filename Compares items in filename with headers of every file on disk. See description of “file headers” below. Shows file extensions of ALL (EVERY) file on the disk as the program believes the file to be based on information in the header file provided. This option produces a list of every file on the disk. Download the sample header file. (Note: this operation alters last access time on files.)
+H + header_filename Compares items in filename with headers of every file on disk. See description of “file headers” below. If the file type matches one of the header types (i.e., is a file of that type) then the program outputs that file's information. This option outputs ONLY those files whose headers match those you supplied in the reference file. Use this option to selectively find specific file types for additional processing. (Note: this operation alters last access time on files.)
-h + header_filename Similar to +h option. The program attempts to determine the file type of each file. It outputs a record for every file, but fills the file type field ONLY if the extension does not match those in the list supplied. All files whose extension match the file type are listed with a blank in this extension field. To find mismatched files, simply look in the extension field for data. (Note: this operation alters last access time on files.)
The header_file should contain as many headers as the user has available. The more headers provided, the better the chance of determining the file type. Contact Mares and Company for file headers. The program can only identify those headers that the user has supplied. So be careful and make your list as accurate as possible. Different header files can be used depending on the type of files searched for.
-H + header_filename This is probably the hardest to understand and design for. The file types are checked against the header file list. ONLY those whose extension is mismatched are output. Use this to select ONLY those mismatched files. This should give the smallest output if the header file is complete and accurate.
-i Use the automatic label numbering procedures, and create/modify the file called DISKLABL. The numbering is designed to start at 1000. If you want it to start at 1001, then initialize the file DISKLABL to 1000.
-I + label The disk_label can be up to 8 characters which will be prepended to the path.
--sequence[=nnn] Number each output record with a unique sequence number. If the =nnnn is used, then the output sequence begins at this number. This is a good way to uniquely number each record for future identification. The sequence number is the first field of the record. It is ALWAYS a 6 character field.
-8, -88, -88nn, -88nnPRE: all adjust added fields uniquely. Read carefully.
-8: Add two fields to the end of the record. One field is the traditional uppercase 8.3 filename, FILENAME.EXT or LONGFI~1.EXT. The second field is the extension EXT. So that when re-processing the output, you have two distinct fields to work with.
-88: Adds another separate field to the end of the record after the two mentioned above in the -8 option description. This additional field contains the full filename in a field of approximately 32 characters, which should suffice to hold most filenames. The -88 option adds more information to the -8 option: a field with the filename which, again, can be easily analyzed as a single field for additional output manipulation. Test and play with them. The -88 option works fine with the -V (variable output) option.
-88xx: The -88 without the xx modifier causes the full name field to be approximately 32 characters wide. If you need more or less width for this field, use the xx modifier. The final full filename field then becomes xx characters wide. Replace the xx with a value; this value determines how wide the Long File Name field will be. Use this to reduce or enlarge the size from 32 to some other value.
-88xxPRE: Add the filename both to the beginning and end of the record. The xx value dictates how many characters will be printed in this filename field. If the xx is too short, the name will be truncated.
A sample look-see of the -8 option output. This option produces two new fields, filename and ext, for a file named CYRILLIC_NAMES_w_ads_pk.ext
| CYRILL~1.EXT | EXT
-8820 adds the filename at the end of the record. It splits the filename into its name and extension, and adds the full name with a default width of 32 characters:
| CYRILL~1.EXT | EXT | CYRILLIC_NAMES_w_ads_pk.ext
| ADSNAME.TXT | TXT |!ADSNAME.TXT
In some cases where the filename is/contains an alternate data stream, the last column (the filename) will have an exclamation point (!) added as the first character of the field to indicate this may be an alternate data stream.
-8820PRE also places the filename at the beginning of the record for easier viewing:
CYRILLIC_NAMES_w_ads_pk.ext | CYRILL~1.EXT | EXT | CYRILLIC_NAMES_w_ads_pk.ext
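Anyone post-processing these records needs to know exactly which fields -8, -88, -88xx and -88xxPRE add and where. The following Python, written for this page as an added example (not diskcat's code), builds those fields from a filename, reproducing the sample lines above. Real 8.3 short names are assigned by the file system; the short name here is a simplified stand-in (first six legal characters, "~1", three-character extension) that happens to match the sample's CYRILL~1.EXT, and is labelled as such. An alternate data stream is given as parent:stream, and its full-name field gets the "!" flag.

```python
"""Build the -8 / -88 / -88xx / -88xxPRE fields for one catalog record."""
import re
from typing import List

# Characters that may not appear in an 8.3 name (simplified; the file system decides for real)
BAD_83 = re.compile(r"[^A-Z0-9_$~!#%&{}@'`()^\-]")


def short_name(name: str) -> str:
    """Simplified 8.3 stand-in: upper-case, strip illegal characters, NAME~1 when it does not fit."""
    base, dot, ext = name.rpartition(".")
    if not dot:
        base, ext = name, ""
    up_base, up_ext = base.upper(), ext.upper()
    clean_base = BAD_83.sub("", up_base)
    clean_ext = BAD_83.sub("", up_ext)[:3]
    if len(clean_base) > 8 or clean_base != up_base or clean_ext != up_ext:
        clean_base = clean_base[:6] + "~1"
    return f"{clean_base}.{clean_ext}" if clean_ext else clean_base


def extra_fields(name: str, option: str) -> List[str]:
    """Fields that -8, -88, -88xx or -88xxPRE add to a record, in record order.

    name may be 'parent.ext:streamname' for an alternate data stream; the stream
    name is what gets catalogued and its full-name field is flagged with '!'.
    """
    m = re.fullmatch(r"-8(8(\d*)(PRE)?)?", option)
    if not m:
        raise ValueError(f"bad option {option!r}: expected -8, -88, -88xx or -88xxPRE")
    add_full = m.group(1) is not None            # -88 variants add the full name
    width = int(m.group(2)) if m.group(2) else 32  # default full-name width per the text
    prepend = m.group(3) == "PRE"
    if ":" in name:
        shown, is_ads = name.split(":", 1)[1], True
    else:
        shown, is_ads = name, False
    sn = short_name(shown)
    ext = sn.rpartition(".")[2] if "." in sn else ""
    fields = [sn, ext]
    if add_full:
        fields.append((("!" if is_ads else "") + shown)[:width])  # truncated when xx is short
        if prepend:
            fields.insert(0, shown[:width])
    return fields


def render(fields: List[str]) -> str:
    """Join fields the way the pipe-delimited sample lines show them."""
    return " | ".join(fields)


if __name__ == "__main__":
    print(render(extra_fields("CYRILLIC_NAMES_w_ads_pk.ext", "-8")))
    print(render(extra_fields("CYRILLIC_NAMES_w_ads_pk.ext", "-88")))
    print(render(extra_fields("CYRILLIC_NAMES_w_ads_pk.ext:ADSNAME.TXT", "-88")))
    print(render(extra_fields("CYRILLIC_NAMES_w_ads_pk.ext", "-8832PRE")))
```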
--driveletter=X: (12/2009) When a remote drive is mapped, the drive letter is often assigned a high drive letter, say H: I: J:, etc. This is the drive letter that shows up in the output file in the pathname field. However, this mounted drive is really the C: or D: drive of another computer. So, in order not to confuse a reviewer as to the drive letter the file actually resides on, the user may force this drive letter designation to any drive letter with this option. Replace the X in the syntax: --driveletter=X with the appropriate correct drive letter, C,D,E, etc., and the output record will properly reflect this correction. Remember, that you have done this.
--ziplog: When a zip file is encountered, check its internal directory/contents and add these records to the output file listing. The zip files are identified by the PK header. Because the files must be opened to read the contents and check whether they are zip files, the -R (reset) option is always set with this option, and can't be turned off. The directory contents of the zip file are included amongst the normal output records. Since a significant amount of the normal file processing is not conducted on the contents (zipped files) of the zip file, many of the output fields with this option are left empty. For instance, zip file contents do not maintain create or access dates, so those columns are left blank. Hashing and CRC are not done, and header checks on the contents are not allowed. (09/2007) [ZIPLOG]
--ziplog=ziplogfilename: Same as --ziplog except that if the =ziplogfilename is added, the contents of the zip files are placed in a separate ziplogfilename file, and not intermixed with the normal output. (09/2007) [ZIPLOG=ziplogfilename]
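As an added illustration of what --ziplog can and cannot fill in (this is example code written for this page, not diskcat's), the snippet below recognises a zip by its PK local-file-header signature, reads the central directory, and emits one catalog record per member with the container path, member name, size and modified time, leaving the create/access dates and hash fields empty because the zip format carries none of them. The two-member zip is constructed in memory so the example runs offline.

```python
"""List the internal directory of zip files the way --ziplog describes."""
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

PK_SIGNATURE = b"PK\x03\x04"   # local file header magic; how the text says zips are identified


def is_zip(data: bytes) -> bool:
    return data[:4] == PK_SIGNATURE


@dataclass
class CatalogRecord:
    path: str                   # container path plus member name
    size: int                   # uncompressed member size
    modified: Optional[str]     # only timestamp a zip member carries
    created: Optional[str]      # left blank: not stored in the zip
    accessed: Optional[str]     # left blank: not stored in the zip
    md5: Optional[str]          # left blank: hashing is not done on zipped members


def ziplog_records(container_path: str, data: bytes) -> List[CatalogRecord]:
    """Return one record per zip member, or [] if data is not a zip file."""
    if not is_zip(data):
        return []
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            y, mo, d, h, mi, s = info.date_time
            records.append(CatalogRecord(
                path=f"{container_path}\\{info.filename}",
                size=info.file_size,
                modified=f"{y:04d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d}",
                created=None, accessed=None, md5=None,
            ))
    return records


def build_sample_zip() -> bytes:
    """Constructed sample: an in-memory zip with two members and fixed timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("notes/readme.txt", (2021, 6, 1, 9, 30, 0)), b"hello")
        zf.writestr(zipfile.ZipInfo("data.bin", (2021, 6, 2, 10, 0, 0)), bytes(range(256)))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for rec in ziplog_records("E:\\case\\archive.zip", sample):   # constructed container path
        print(rec)
    print(ziplog_records("E:\\case\\plain.bin", b"not a zip at all"))
```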
-5: Add an MD5 hash field. When the -5 option is used, the -R option is AUTOMATICALLY defaulted to reset the file access time. INI setting is: HASH=ON
--SHA: Add a SHA-1 hash field. Consider adding -R (reset date) option.
-c Create a CRC32 checksum for each file and append at end of the record. Consider adding -R (reset date) option.
--NOCHILD: When using the X-Ways "recover copy" option to extract files, you may inadvertently check the "copy child objects" box. This will add a folder with an unusual character in the folder name, and add within that folder the child objects of the file. Later you realize that the child objects of the files are not needed, but you can't manually remove thousands of child objects. This option finds that folder containing the children and removes it. If you change the X-Ways "include child objects" option to "_childobjects", which causes the directory name to contain "_childobjects", this program will find those directories by name and remove them.
First thing to consider: command line options take precedence over INI settings, so a similar but conflicting setting on the command line is the one used. IE: if the command line had -TW (for write time) and the INI file had TIME=3 (meaning show all three times), only the last write time would be shown, based on the command line option. That is item one to know about.
INI settings are used in conjunction with command line arguments. As in most programs, the INI settings take effect for the program. However, there are up to four INI files (two diskcat.ini and two maresware.ini) which can exist in two places at once, but only one of them takes effect, so the priority of evaluation is very important. Study this priority well and practice.
First off: the INI file located in the directory from which the program is run will take effect. So if the program is run from, say, c:\tmp\diskcat.exe, the c:\tmp\diskcat.ini contents would be used; if there is no c:\tmp\diskcat.ini, then c:\tmp\maresware.ini is looked for and used. Again: if there is no c:\tmp\diskcat.ini in place, but there is a generic c:\tmp\maresware.ini (which is generic for all Maresware programs), then c:\tmp\maresware.ini would be used. If neither is found, no INI file is processed.
Now comes the sticky part. Suppose the system path is set to run all the Maresware programs from, say, c:\generic_system_files, and there is a diskcat.ini and a maresware.ini in that location. You have placed all the Maresware .exe programs in that folder as well, and it is in the environment path: set path=%path%;c:\generic_system_files;
Following is a sample diskcat.ini file with most, if not all, of the appropriate keywords that diskcat will recognize.
The only difference between a specific program.ini (ie: diskcat.ini) and the generic maresware.ini is that in the maresware.ini each program has its own section identified by [square brackets] beginning the program ini options. So a generic maresware.ini might have two sections, one for diskcat and one for hash, as seen here:
[DISKCAT]
TIME=3
MILLI=ON
WIDTH=100
[HASH]
WIDTH=200
TIME=W
RESTORE=ON
[UPCOPY]
RESTORE=ON
Notice how the program sections were separated/identified by the program name in [BRACKETS].
The INI settings that can only be set from the ini file are:
CATEGORY=ON ; This installs the category column from the header file
SPLIT=xxx ; Set output file record counts to xxx maximum records per file (ie: SPLIT=30000). Use this when intending to import the output to a spreadsheet with a maximum record limit.
HASH=ON ; Turns md5 hashing on for each file. MD5 value is placed before time fields.
The file is shown as all comments, so you can cut and paste from here.
CATEGORY=ON
;CATEGORY is only available in the .ini file.
SPLIT=xxx
;SPLIT is only available in the .ini file.
HASH=ON ;Turn on md5 hashing
RECURSE=OFF
files=*.exe
paths=d:\work
output=d:\tmp\junk
older=15
younger=180
lessthan=10000
greater=1000
width=45
delimeter=|
// military=on
time=[wac]
time=3
MILLI
alltimes=ON
zulu=ON
stream=OFF
archive=ON
readonly=on
hidden=ON
system=ON
DIR_ONLY=on
directory=on
CRC=on
FIXED=ON
label=labelname
OWNER=ON
SORT=s
verbose=[on|off] (turns on the -v option)
ziplog
ziplog=ziplogfile.txt
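As an added example (not diskcat's or Maresware's code), the following Python resolves which settings are in force under the lookup order described above: diskcat.ini in the run directory, else the [DISKCAT] section of maresware.ini there, else nothing, with command line options overriding whatever the INI supplied. It assumes ';' starts a trailing comment, that a bare keyword such as MILLI means ON, and it consults only the run directory, since the page does not say how the pathed directory is treated.

```python
"""Added example, not Maresware code: which INI settings does a diskcat run use?
Lookup order from the page: diskcat.ini in the run directory, else the [DISKCAT]
section of maresware.ini there, else none. Command line options always win.
Assumptions: ';' starts a comment, a bare keyword means ON, run directory only."""
import os
import tempfile
from typing import Dict, Optional

PROGRAM = "DISKCAT"

def parse_ini(text: str, section: Optional[str] = None) -> Dict[str, str]:
    """KEY=value pairs with upper-cased keys. With a section name only the
    lines under [section] count (maresware.ini layout); without one every
    line counts (diskcat.ini layout). A bare keyword such as MILLI is ON."""
    settings: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # assumption: ';' starts a comment
        if not line or line.startswith("//"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            continue
        if section is not None and current != section.upper():
            continue  # line belongs to another program's section
        key, sep, value = line.partition("=")
        settings[key.strip().upper()] = value.strip() if sep else "ON"
    return settings

def load_ini(run_dir: str) -> Dict[str, str]:
    """Program-specific INI wins over the generic one; nothing else is read."""
    specific = os.path.join(run_dir, PROGRAM.lower() + ".ini")
    generic = os.path.join(run_dir, "maresware.ini")
    if os.path.isfile(specific):
        with open(specific, encoding="latin-1") as fh:
            return parse_ini(fh.read())
    if os.path.isfile(generic):
        with open(generic, encoding="latin-1") as fh:
            return parse_ini(fh.read(), section=PROGRAM)
    return {}

def effective_settings(run_dir: str, cli: Dict[str, str]) -> Dict[str, str]:
    """Command line beats INI: -TW (given here as TIME=W) overrides TIME=3."""
    merged = load_ini(run_dir)
    merged.update({k.upper(): v for k, v in cli.items()})
    return merged

# Constructed sample INI files following the layouts shown on the page.
MARESWARE_INI = "[DISKCAT]\nTIME=3\nMILLI=ON\nWIDTH=100\n[HASH]\nWIDTH=200\nTIME=W\n"
DISKCAT_INI = "CATEGORY=ON\nHASH=ON ;Turn on md5 hashing\nwidth=45\nMILLI\n"

def demo() -> Dict[str, Dict[str, str]]:
    """Three run directories (generic INI only, both files, neither), each run
    with -TW on the command line. Returns the settings each run would use."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        generic_dir = os.path.join(base, "generic")
        both_dir = os.path.join(base, "both")
        empty_dir = os.path.join(base, "empty")
        for d in (generic_dir, both_dir, empty_dir):
            os.mkdir(d)
        for d in (generic_dir, both_dir):
            with open(os.path.join(d, "maresware.ini"), "w") as fh:
                fh.write(MARESWARE_INI)
        with open(os.path.join(both_dir, "diskcat.ini"), "w") as fh:
            fh.write(DISKCAT_INI)
        cli = {"TIME": "W"}  # the -TW command line option
        results["generic_only"] = effective_settings(generic_dir, cli)
        results["both"] = effective_settings(both_dir, cli)
        results["neither"] = effective_settings(empty_dir, cli)
    return results

if __name__ == "__main__":
    for run, settings in demo().items():
        print(run, settings)
```

Note that in the "both" case the [DISKCAT] section of maresware.ini is ignored entirely; the two files are not merged.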
File Headers
The [[+-][[hH] + filename] option allows you to provide, in an external text file, a list of standard extensions of files (exs., exe, wp, dbf, gif, etc) and the string of characters that should be found in the header of the target file--if, in fact, that target file is of the type referenced by the extension.
For instance: a program .exe file should have as its first two characters in the file an MZ; a pkzipped file should have a PK as part of the file header.
Setting up the reference.fle
The text file containing the reference extensions and headers will be referred to here as "reference.fle." This file should be set up in the following manner: one line for each file type indicated, and it is case dependent.
The reference.fle should be created with an ascii text editor. No word processor formats are recognized. AFTER THE LAST LINE, AT LEAST ONE BLANK LINE SHOULD BE ENTERED. Maximum of 100 lines/file types to test for.
The lines consist of 3 or 4 parts. Each must be in the correct format and location for the program to work.
part 1: the category you wish to place this header in. ie: it could be DOCUMENT, PROGRAM, GRAPHIC, SPREADSHEET, or any category word you wish. This is strictly user defined. This text will be placed in the output record, if the CATEGORY=ON trigger is included in a diskcat.ini file.
part 1A: a comma , follows each part.
part 2: The "TRUE" expected extension you expect to see on the file (ex., exe wp gif). No leading period is allowed.
Part 2A: (optional section) a colon (:) followed by a number. (SEE NOTE BELOW).
part 3: a comma (,). This will separate part 2 from part 3.
part 4: header string.
If the first character of the line is a # (pound sign) or a ; (semi colon) this line is completely ignored and is considered a comment.
#exe,MZ This is a comment line.
NOTE: If the expected header signature (ex., Pklite) is located at some position other than the 1st position of the file, then add a colon (:) followed by the byte location (displacement) into the file where the header signature is expected to be found. An example for a 16 bit self extracting PKZIP file would be (zip:66). The same self extracting zip file created under WINZIP32 commercial version would be (zip:136)
COMPRESSED,ZIP:136,XD39128360000000000000000E0000E010B01041400
This is the signature for that WINZIP32 bit self extracting executable.
The header string consists of the string of characters that should be looked for to determine if the file in question is the type of file referenced in part 1. Since this string is taken as a literal, it should not have any spaces anywhere within it except those spaces that should be considered as an actual part of the file header.
If you wish, this header string can be a hex value. In this case it must begin with an ‘X’, and the hex values must be each 2 characters wide. Use this if you cannot easily input the values with an ascii editor. Ascii header strings, and hex headers strings can be used on different lines in the same file.
Below is a sample header file. Notice that the first line is in a different format (as described above).
Sample reference file:
COMPRESSED,ZIP:136,XD39128360000000000000000E0000E010B01041400
zip,X504B
PROGRAM,exe,X4D5A
ENCRYPTION,pgp,X84
PROGRAM,com,XE8
PROGRAM,bat,@echo
PROGRAM,bat,set
PROGRAM,bat,SET
GRAPHIC,gif,X47494638
GRAPHIC,jpg,XFFD8FFE0
GRAPHIC,pcx,X0A050101
Notice that the compressed zip header (1st line) was placed before the exe header. Had the exe header come first, the program would have reported an exe file and never reached the self extracting zip header. Notice also that the category for that file was COMPRESSED rather than PROGRAM, so in the output it will be evident that it is a zip file, not a true executable.
Because the header list is checked in the order it is found in the header file, you should place the most restrictive file types first in the header file. An EXE file should have an MZ as its header. Let's take a case where another type of file had a header of MZH. If the EXE,MZ line came first in the header file, then the MZH file would produce an incorrect output. So put the MZH line first in the header file. This becomes important with files containing possible database headers like DB or DBASE.
If it is not a correct extension, the program prints as the 1st three characters of the output the reference extension found in the reference.fle thus indicating what the extension SHOULD have been.
Here is an output without using any of the header options. It just shows what files are there. The .uni files are true Microsoft unicode files. All others are true as shown, except the .exz file is really a misnamed executable.
D:\TMP\junk.uni 2000 ..R..
D:\TMP\lesson.uni 30 ..R..
D:\TMP\COKE_ALL.jpg 20130 A....
D:\TMP\COKE_2.jpg 15203 A....
D:\TMP\CLEANUP.BAT 98 A....
D:\TMP\DISKCAT.EXE 135368 A....
D:\TMP\HEADERS.HEX 128 A....
D:\TMP\OUTPUT 0 A....
D:\TMP\diskcat.exz 135368 A....
SAMPLE OUTPUTS for reference file above:
(1)Same output using this command line: diskcat -h headers.hex (list EVERY file, but only SHOW true headers of those with mismatched names). Notice the .uni and .hex extensions are unknown extensions as listed in the reference header file.
D:\TMP\junk.uni 2000 ..R.. UNK
D:\TMP\lesson.uni 30 ..R.. UNK
D:\TMP\COKE_ALL.jpg 20130 A....
D:\TMP\COKE_2.jpg 15203 A....
D:\TMP\CLEANUP.BAT 98 A....
D:\TMP\DISKCAT.EXE 135368 A....
D:\TMP\HEADERS.HEX 128 A.... UNK
D:\TMP\diskcat.exz 135368 A.... exe
(2)Same run but with the command line: diskcat -H headers.hex (ONLY MISmatches are output.) This run is based solely on the list in the header reference file. So, since the .uni and .hex files are not even listed as a valid header, they are not checked. However, the exe header is listed in the reference file, and a misnamed file was found, so it was listed.
D:\TMP\diskcat.exz 135368 A.... exe 24F9-7921
(3)Same run with the +h headers.hex. Show extensions of EVERY file. If the header is not listed, it is displayed as an UNK(nown) This would probably be the default run for any catalog list. Then sort on the field containing the type of file so you have a neat list sorted in file type.
D:\TMP\junk.uni 2000 ..R.. ASC
D:\TMP\lesson.uni 30 ..R.. UNK
D:\TMP\COKE_ALL.jpg 20130 A.... jpg
D:\TMP\COKE_2.jpg 15203 A.... jpg
D:\TMP\CLEANUP.BAT 98 A.... bat
D:\TMP\DISKCAT.EXE 135368 A.... exe
D:\TMP\HEADERS.HEX 128 A.... ASC
D:\TMP\diskcat.exz 135368 A.... exe
(4)Same run using the final +H option: Diskcat +H headers.hex ( ONLY show those files whose header is matched in the list.). This option is good to identify specific file types on the drive. You might have a header list of only graphic headers, so the list will only show graphic files. Notice that only those type files where there was a known signature in the header file were output. NONE of the UNKnown types were listed.
D:\TMP\COKE_ALL.jpg 20130 A.... jpg
D:\TMP\COKE_2.jpg 15203 A.... jpg
D:\TMP\CLEANUP.BAT 98 A.... bat
D:\TMP\DISKCAT.EXE 135368 A.... exe
D:\TMP\diskcat.exz 135368 A.... exe
*** ALL -hH options alter last access time. ***
IF the CATEGORY=ON is found in the diskcat.ini file, then the additional category field is included.
D:\TMP\junk.uni 2000 ..R.. ASC TEXT
D:\TMP\lesson.uni 30 ..R.. UNK UNKNOWN
D:\TMP\COKE_ALL.jpg 20130 A.... jpg GRAPHIC
D:\TMP\COKE_2.jpg 15203 A.... jpg GRAPHIC
D:\TMP\CLEANUP.BAT 98 A.... bat PROGRAM
D:\TMP\DISKCAT.EXE 135368 A.... exe PROGRAM
D:\TMP\HEADERS.HEX 128 A.... ASC TEXT
D:\TMP\diskcat.exz 135368 A.... exe PROGRAM
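As an added example (not diskcat's or Maresware's code), the following Python reads a reference file in the layout described under File Headers and reproduces the four header options (-h, -H, +h, +H) and the CATEGORY column on constructed sample files. It assumes a two-field line such as zip,X504B carries no category, compares extensions case-insensitively, and does not reproduce diskcat's built-in ASC text detection (unmatched files are always UNK here); the self-extracting ZIP line keeps the page's displacement of 136 but uses a shortened, made-up four-byte signature.

```python
"""Added example, not diskcat's own code: parse a reference.fle and apply its
rules in file order the way the -h/-H/+h/+H options and CATEGORY column do.
Lines are CATEGORY,ext[:offset],signature or the older ext,signature form;
an X prefix means hex pairs, anything else is a literal string."""
import os
from typing import List, NamedTuple, Optional

Rule = NamedTuple("Rule", [("category", str), ("ext", str), ("offset", int), ("sig", bytes)])

def parse_reference(text: str) -> List[Rule]:
    """Rules in the order written; order matters because the first match wins."""
    rules: List[Rule] = []
    for line in text.splitlines():
        if not line.strip() or line[0] in "#;":
            continue  # blank line or comment line
        fields = line.split(",")
        if len(fields) == 2:  # assumption: ext,signature with no category part
            category, ext_field, sig = "UNKNOWN", fields[0], fields[1]
        else:  # CATEGORY,ext[:offset],signature
            category, ext_field, sig = fields[0], fields[1], ",".join(fields[2:])
        ext, _, off = ext_field.partition(":")
        # X prefix: 2-character hex values; otherwise the string is taken literally
        sig_bytes = bytes.fromhex(sig[1:]) if sig.startswith("X") else sig.encode("latin-1")
        rules.append(Rule(category, ext, int(off) if off else 0, sig_bytes))
    if len(rules) > 100:
        raise ValueError("reference file is limited to 100 file types")
    return rules

def identify(data: bytes, rules: List[Rule]) -> Optional[Rule]:
    """First rule whose signature sits at its displacement wins, which is why
    the self-extracting ZIP line must come before the exe (MZ) line."""
    for r in rules:
        if data[r.offset:r.offset + len(r.sig)] == r.sig:
            return r
    return None

def header_field(name: str, data: bytes, rules: List[Rule], mode: str) -> Optional[str]:
    """Header column for one file: '' = listed without annotation, None = not listed."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    rule = identify(data, rules)
    found = rule.ext if rule else "UNK"
    matched = rule is not None and rule.ext.lower() == ext
    if mode == "-h":  # every file; flag UNK and misnamed files
        return "" if matched else found
    if mode == "-H":  # only files with a listed signature under the wrong extension
        return None if rule is None or matched else found
    if mode == "+h":  # every file with its true type, UNK when not in the list
        return found
    if mode == "+H":  # only files whose signature is in the list
        return None if rule is None else found
    raise ValueError("mode must be one of -h, -H, +h, +H")

def category_field(data: bytes, rules: List[Rule]) -> str:
    """Extra column produced when CATEGORY=ON is in diskcat.ini."""
    rule = identify(data, rules)
    return rule.category if rule else "UNKNOWN"

# Constructed reference file modelled on the page's sample; the ZIP line keeps
# the page's displacement of 136 but uses a shortened, made-up signature.
REFERENCE_FLE = """\
COMPRESSED,ZIP:136,XD3912836
zip,X504B
PROGRAM,exe,X4D5A
PROGRAM,bat,@echo
GRAPHIC,jpg,XFFD8FFE0
"""
RULES = parse_reference(REFERENCE_FLE)

# Constructed sample files: misnamed exe, self-extracting zip, JPEG, batch, UTF-16 text
SAMPLE_FILES = [
    ("diskcat.exz", b"MZ\x90\x00" + b"\x00" * 200),
    ("setup.exe", b"MZ" + b"\x00" * 134 + bytes.fromhex("D3912836") + b"\x00" * 8),
    ("COKE_ALL.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("CLEANUP.BAT", b"@echo off\r\n"),
    ("lesson.uni", b"\xff\xfel\x00e\x00"),
]
```

Running header_field over SAMPLE_FILES with each mode gives the same pattern as outputs (1) to (4) above: setup.exe is reported as ZIP because the offset-136 rule is tested before the MZ rule.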
The exec enhancement uses a command line option to execute either a DOS internal command (exs., copy, del, dir) or a program. The term 'command' will be used in the following discussion to mean both program and DOS command.
The -e or exec option is most effective when used in conjunction with options that can identify certain selected files to perform the command on. It works in a similar fashion to the -f option. As described above, the -f option locates, on the disk, those files which meet certain filename criteria (ex., *.bat).
When a file is located (under whatever option is ultimately used) the filename is passed to the command requested by the exec option. An example would be to use the type command to look at all the *.bat files on the entire disk. Or to do a dir on all the directories located in a specific path or a dir on all the files over a certain number of days old.
The format of the exec option is as follows:
-e “command %”
The -e (e)xec option is used to execute "command" on the file(s) found, whose name replaces the '%'.
The actual syntax is:
-e “command [arguments] % [arguments]”
Where:
the -e is the actual option. If a lower case -e is used, then the entire filename including path is substituted for the %. If an uppercase -E is used, then only the filename is substituted for the %. The quotes around the rest of the option syntax are mandatory. This is so DOS will hold the entire item and pass it as one string to the program.
command is actually replaced by the command you wish to run.
the arguments: are any additional filenames or options needed for the command chosen, and the % is positionally placed at the location where you want the program to place the name of the file it finds. The % is positionally sensitive and should be placed in the exact location where the selected file would have been placed in the chosen command.
For example: A command to do ‘dir’ on all ‘.bat’ files in ‘c:\sample’ path would look like this:
diskcat -f *.bat -p c:\sample -e “dir %”
Notice the retention of the quotes(“).
For example: A command to zip and add to a output.zip file all *.bat and maintain their appropriate path would be:
diskcat -f *.bat -e “pkzip -ap output.zip %”
NOTE: If the command used is NOT a DOS internal command and is instead a program the program SHOULD be a .exe executable and reside on a subst drive letter of x: This is because Diskcat normally ONLY looks on drive x: for .exe programs to run. If it cannot find the program there, it assumes it is a DOS internal and attempts to run a DOS internal. In some instances it will run programs located in the DOS path. If you are attempting to run one of these, try it first to see if it will operate correctly. You might also try entering the program name as complete path and name with proper extension (.com .bat). This may provide more reliable results if you completely path the program name. (ie.: diskcat -f *.bat -e “d:\work\run.bat %”)
SPECIAL ZIP CAPABILITY
This section deals with a special implementation of the -e execute command when you have zip files located in directories, and wish to extract ALL the files located in the zip files in the correct locations. The zip files could have been placed there by the upcopy command, or FTK, or any other program to move zip files to a specific location.
The user MUST have access to a command line version of pkzip. The current version I have identified as pkzip32, indicating it is a full 32 bit long file name version.
The additional commands to add to the -e command is an upper case P directly after the -e, indicating that a PATH is to be inserted somewhere in the command line. This is needed for PKZIP to know where to run the command from.
After the -eP, you use a similar syntax to the basic -e option, except you add a cd command, for change directory, and you put a placeholder -PATH in the command line where you want the program to insert the path to use. This is sort of a wildcard replacement.
The last item, is to provide the correct command line syntax for the OS to change to the -PATH directory, && (and) execute the pkzip program. The full command is below, and the syntax should be followed exactly. You can modify the specific pkzip options, but those listed should extract all contents, in appropriate folders.
This is the command line:
C:>diskcat -f *.zip -eP "cd -PATH && pkzip32 -extract -directories -recurse % -overwrite"
The -eP says we are going to use a path to change to.
The cd -PATH is the trigger to tell the program to perform that cd operation.
The % is the usual replacement of the filename, which will be a zip filename.
NOTE: all paths for the -p (path), -[Oo] outputfile, -1 logfile, options are capable of taking full or relative paths.
diskcat /*lists all files on default drive to screen. default outputs write time*/
D:\SAMPLE_DATA.htm 12454 A...... 02/16/2019 16:21:36w EST
D:\seadate.htm 3269 A...... 02/19/2019 15:07:35w EST
D:\search.htm 67045 A...... 02/19/2019 15:06:30w EST
D:\sha_v.htm 43797 A...... 02/19/2019 15:07:35w EST
D:\sha_verify.htm 13206 A...... 02/19/2019 15:07:35w EST
D:\sortchek.htm 2715 A...... 02/19/2019 15:06:30w EST
diskcat -?
/* obtain help screen */
diskcat -o outputfile
diskcat -o c:\temp\more_paths\outputfile
diskcat -o ..\relative_path_dah\outputfile
/*lists all files to output file called outputfile */
diskcat -a -o outputfile
/*append output to existing output file */
diskcat -O outputfile
/*append output to existing output file */
diskcat -O outputfile -w0
/*add a variable full path to the end of the record, and filename at beginning*/
diskcat -O YYYYMMDD:filename.txt
/* cause output file to be named with current year day, and filename.txt as a name */
diskcat -O outputfile --nameafter
/*move the path/filename field to the end of the record. This will be inserted before any -w0
paths. */
diskcat -p d:\work\
/* start search at this directory */
diskcat -p d:\work -v -o outputfile.txt
diskcat -p work -v -o outputfile.txt
diskcat -p ..\work -v -o outputfile.txt
/* start search at this directory, create output named outputfile.txt without (-v)erbose header/footer */
diskcat -o output -p c:\ -I 1001
/* create a label of 1001 and place the output to output */
diskcat -O output -p c:\ -I 1001
/* this will append */
diskcat -i -p c:\ -O d:junk
/* create automatic label of an NNNN format. usually starting with 1001. with append output */
1001 D:\WORK\log_COPIED.LOG 3244 A...... 03/22/2023 06:23w EST
1001 D:\WORK\release.log 665 A...... 07/20/2022 10:34w EST
diskcat -p c: +h headers.hex
/* check drive c:, and compare headers in headers.hex */
diskcat -p c: -Tc
/* display create time in YYYY/MM/DD HH:MM format*/
diskcat -p c: -TC
/* display create time in YYYY/MM/DD HH:MM:SS include seconds format*/
diskcat -p c: -T3
/* display all three times with milliseconds in YYYY/MM/DD HH:MM:SS:MMM */
diskcat -p c:\work --levels=2 -AD
/* Catalog ONLY directories within the c:\work directory, and recurse only two levels down from the starting location c:\work. So c:\work\one\two will list, but c:\work\one\two\three will not list. */
diskcat -p \\UNC_NAME\DR\DIR -f *.*
/* UNC drives can also be targeted with the above UNC format. */
Sample command and output
command line: C:>diskcat \\OFFICE\Z\WORK\UNICODE\BASE -f *.c
\\OFFICE\Z\WORK\UNICODE\BASE\OLD_C\access_date.c 4891 A...... 06/10/2019 14:08:04:210c
\\OFFICE\Z\WORK\UNICODE\BASE\OLD_C\ADS_BASE.C 15441 A...... 09/23/2002 18:16:21:040c
Sample command lines with outputs
Now for the fun stuff
C:>diskcat -s 0000 -d "|" ;add a sequence number to each record. delimit with pipe |
SEQ #| PATH | SIZE| MDATE | MTIME | TZ|
000000|H:\HEX00.TXT | 50|01/01/2019|07:34:56:789w|EST|
000001|H:\HEX01.TXT | 50|01/01/2019|07:34:56:789w|EST|
000002|H:\HEX02.TXT | 50|01/01/2019|07:34:56:789w|EST|
000003|H:\HEX03.TXT | 50|01/01/2019|07:34:56:789w|EST|
Delimiter -d "|" is always on the command line, not shown in these examples for clarity.
C:>diskcat -s 0000 -C TIMS_DRIVE ;add a sequence number, and comment "TIMS_DRIVE" to each record. delimit with pipe |
SEQ #| COMMENT | PATH | SIZE| MDATE | MTIME | TZ|
000000|TIMS_DRIVE|H:\HEX00.TXT | 50|01/01/2019|07:34:56:789w|EST|
000001|TIMS_DRIVE|H:\HEX01.TXT | 50|01/01/2019|07:34:56:789w|EST|
000002|TIMS_DRIVE|H:\HEX02.TXT | 50|01/01/2019|07:34:56:789w|EST|
000003|TIMS_DRIVE|H:\HEX03.TXT | 50|01/01/2019|07:34:56:789w|EST|
C:> diskcat -C COMPUTERNAME ; if -C COMPUTERNAME is used, then the computer's name is found and used
SEQ #| COMMENT | PATH | SIZE| MDATE | MTIME | TZ|
000000|LAUNDRY |H:\HEX00.TXT | 50|01/01/2019|07:34:56:789w|EST|
000001|LAUNDRY |H:\HEX01.TXT | 50|01/01/2019|07:34:56:789w|EST|
000002|LAUNDRY |H:\HEX02.TXT | 50|01/01/2019|07:34:56:789w|EST|
000003|LAUNDRY |H:\HEX03.TXT | 50|01/01/2019|07:34:56:789w|EST|
C:> diskcat -8820E ; add 8.3 filename, with extension field and full name 20 characters wide, fields shortened for legibility
PATH | SIZE | MDATE | MTIME | TZ| 8.3 NAME |EXT | FullName |
D:\WORK\...\check.c | 14525|01/06/2022|13:57:23:740w|EST| CHECK.C | C | check.c |
D:\WORK\...\diskcat_orig.c | 154242|12/31/2021|15:41:42:463w|EST| DISKCA~1.C | C | diskcat_orig.c |
D:\WORK\...\Ads_dcat_u.c | 16331|01/20/2020|06:37:33:032w|EST| ADS_DC~1.C | C | Ads_dcat_u.c |
D:\WORK\...\check.c | 14525|01/20/2020|06:37:33:032w|EST| CHECK.C | C | check.c |
Putting a number of options together we get the following output record, easily imported for additional analysis:
-f *.c find all .c files
-d "|" pipe delimit
-O junk append any output to file named junk
--sequence=20000 label each record with unique number starting at 20000
-C MY_COMPUTER add a comment column indicating which suspect the computer belongs to
-T3 add three file times, in the YYYYMMDD format for easy sorting.
-8820E add the 8.3 filename with ext field, and 20 character full name field for easy filename sorting and identification
C:> diskcat.exe -f *.c -d "|" -O junk --sequence=20000 -C MY_COMPUTER -T3 -8820E
Here is the output, shortened for legibility:
Notice also two additional fields are in the output by default, the DISK serial number and the DISK LABEL.
The serial number is hard coded into the disk, while the Label is what the user gave it when formatted.
The information helps identify each unique disk that the record comes from.
SEQ #| COMMENT | PATH | SIZE| CDATE | CTIME | MDATE | MTIME | ADATE | ATIME | TZ| SERIAL #| LABEL | 8.3 NAME | EXT| FULL FILENAME
020000|MY_COMPUTER|D:\...\check.c | 14525|2022/01/06|13:57:23:740c|2022/01/06|13:57:23:740w|2022/03/24|11:52:39:295a|EST| ACAF-B078| D_DRIVE| CHECK.C | C | check.c
020001|MY_COMPUTER|D:\...\diskcat.c | 154242|2021/12/31|15:41:42:463c|2021/12/31|15:41:42:463w|2022/03/24|11:52:39:311a|EST| ACAF-B078| D_DRIVE| DISKCA~1.C | C | diskcat_orig.c
020002|MY_COMPUTER|D:\...\Ads_dcat.c| 16331|2020/01/20|06:37:33:032c|2020/01/20|06:37:33:032w|2022/03/24|11:52:39:358a|EST| ACAF-B078| D_DRIVE| ADS_DC~1.C | C | Ads_dcat_u.c
rem replace the -p . with a more useful folder for better output
rem find a directory with a random number of files and run this batch
rem it will NOT list any .txt files. alter as needed
@echo off
rem setting a default logfile name for diskcat
set ACCT=DISKCAT.LOG
diskcat -p . -o showlong_gt255.txt -x *.txt --showlong
diskcat -p . -o file_type_txt.txt -x *.txt -f *.txt
diskcat -p . -o path_width_300.txt -x *.txt -w 300
diskcat -p . -o YYYYMMDD.txt -x *.txt -w 160
diskcat -p . -o exclude_txt.txt -x *.txt -w 160
diskcat -p . -o bigger_10k.txt -x *.txt -w 160 -G 10000
diskcat -p . -o smaller_10k.txt -x *.txt -w 160 -L 10000
diskcat -p . -o older_100.txt -x *.txt -w 160 -g 100 -T3
diskcat -p . -o newer_100.txt -x *.txt -w 160 -l 100 -T3
diskcat -p . -o three_times_GMT.txt -x *.txt -w 160 -T3 --GMT
diskcat -p . -o delimited_pipe.txt -x *.txt -w 160 -T3 -d "|"
diskcat -p . -o hash.txt -x *.txt -w 160 -T3 -d "|" -8832E -5
diskcat -p . -o extension1.txt -x *.txt -w 160 -T3 -d "|" -8832E
diskcat -p . -o variable_width.txt -x *.txt -V -T3 -d "|" -8832E
diskcat -p . -o comment.txt -x *.txt -T3 -d "|" -8832E -C comment_added
diskcat -p . -o directories_only.txt -x *.txt -w 300 -T3 -d "|" -AD
rem removing the default ACCT filename
set ACCT=
Often it becomes necessary to find out how many files of XXX extension there are. People want to know how many docs, xls, etc.
If you have the complete Maresware suite and an external program called otsort, you may be able to use this script with some small modifications.
The process is to create a diskcat output with the extension field separate, then sort on the extension field, then total/count the number of occurrences for each extension grouping.
send me an email, dm@dmares.com, or call: 678-427-3275 (leave a message) for this script.