device_file

Similar to the file table, but use TSK and allow block address access.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is a list of the supported platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: device_file

  • Linux
  • Mac OSX

Table schema

Name Type Description
device TEXT Absolute file path to device node
partition TEXT A partition number
path TEXT A logical path within the device node
filename TEXT Name portion of file path
inode BIGINT Filesystem inode number
uid BIGINT Owning user ID
gid BIGINT Owning group ID
mode TEXT Permission bits
size BIGINT Size of file in bytes
block_size INTEGER Block size of filesystem
atime BIGINT Last access time
mtime BIGINT Last modification time
ctime BIGINT Creation time
hard_links INTEGER Number of hard links
type TEXT File status

Query examples

Select all the results for the given table.

SELECT * FROM device_file;