(One intermediate revision by one user not shown) |
Line 1: |
Line 1: |
− | Version 2.09 Man Page
| + | Back to [[Help Documents]] |
| | | |
− | NAME
| + | ils lists details about a range of meta data structures in a file system. Its output is in a delimited format that can be further processed. |
− | ils - list inode information
| + | |
| | | |
− | SYNOPSIS
| + | * [http://www.sleuthkit.org/sleuthkit/man/ils.html Automatically Updated man Page] |
− | ils [-emOpvV] [-f fstype] [-s seconds] [-i imgtype] [-o imgoffset]
| + | |
− | image [images] [start-stop]
| + | |
− | | + | |
− | ils [-aAlLvVzZ] [-f fstype] [-s seconds] [-i imgtype] [-o imgoffset]
| + | |
− | image [images] [start-stop]
| + | |
− | | + | |
− | DESCRIPTION
| + | |
− | ils opens the named image(s) and lists inode information. By default,
| + | |
− | ils lists only the inodes of removed files.
| + | |
− | | + | |
− | Arguments:
| + | |
− | | + | |
− | -e List every inode in the file system.
| + | |
− | | + | |
− | -f fstype
| + | |
− | Specifies the file system type. Use the -? argument to display
| + | |
− | all supported types. If not given, the default type for the
| + | |
− | platform is used.
| + | |
− | | + | |
− | -s seconds
| + | |
− | The time skew of the original system in seconds. For example,
| + | |
− | if the original system was 100 seconds slow, this value would be
| + | |
− | -100.
| + | |
− | | + | |
− | -m Display the inode details in the format that the mactime program
| + | |
− | reads (replaces the ils2mac script from TCT)
| + | |
− | | + | |
− | -O List only inodes of removed files that are still open or execut-
| + | |
− | ing. This option is short-hand notation for -aL "(see the fine
| + | |
− | controls section below). (this used to be -o).
| + | |
− | | + | |
− | -p Display orphan inodes (unallocated with no file name)
| + | |
− | | + | |
− | -r (default) List only inodes of removed files. This option is
| + | |
− | short-hand notation for -LZ (see the fine controls section
| + | |
− | below).
| + | |
− | | + | |
− | -i imgtype
| + | |
− | Identify the type of image file, such as raw or split. Raw is
| + | |
− | the default.
| + | |
− | | + | |
− | -o imgoffset
| + | |
− | The sector offset where the file system starts in the image.
| + | |
− | Non-512 byte sectors can be specified using ’@’ (32@2048).
| + | |
− | | + | |
− | -v Turn on verbose mode, output to stderr.
| + | |
− | | + | |
− | -V Display Version.
| + | |
− | | + | |
− | image [images]
| + | |
− | One (or more if split) disk or partition images whose format is
| + | |
− | given with ’-i’.
| + | |
− | | + | |
− | start-stop
| + | |
− | Examine the specified inode number or number range.
| + | |
− | | + | |
− | Fine controls:
| + | |
− | | + | |
− | -a List only allocated inodes: these belong to files with at least
| + | |
− | one directory entry in the file system, and to removed files
| + | |
− | that are still open or executing.
| + | |
− | | + | |
− | -A List only unallocated inodes: these belong to files that no
| + | |
− | longer exist.
| + | |
− | | + | |
− | -l List only inodes with at least one hard link. These belong to
| + | |
− | files with at least one directory entry in the file system.
| + | |
− | | + | |
− | -L List only inodes without any hard links. These belong to files
| + | |
− | that no longer exist, and to removed files that are still open
| + | |
− | or executing.
| + | |
− | | + | |
− | -z List only inodes with zero status change time. Presumably, these
| + | |
− | inodes were never used.
| + | |
− | | + | |
− | -Z List only inodes with non-zero status change time. Presumably,
| + | |
− | these belong to files that still exist, or that existed in the
| + | |
− | past.
| + | |
− | | + | |
− | The output format is in time machine format, as described in tm-for-
| + | |
− | mat(5). The output begins with a two-line header that describes the
| + | |
− | data origin, and is followed by a one-line header that lists the names
| + | |
− | of the data attributes that make up the remainder of the output:
| + | |
− | | + | |
− | st_ino The inode number.
| + | |
− | | + | |
− | st_alloc
| + | |
− | Allocation status: ‘a’ for allocated inode, ‘f’ for free inode.
| + | |
− | | + | |
− | st_uid Owner user ID.
| + | |
− | | + | |
− | st_gid Owner group ID.
| + | |
− | | + | |
− | st_mtime
| + | |
− | UNIX time (seconds) of last file modification.
| + | |
− | | + | |
− | st_atime
| + | |
− | UNIX time (seconds) of last file access.
| + | |
− | | + | |
− | st_ctime
| + | |
− | UNIX time (seconds) of last inode status change.
| + | |
− | | + | |
− | st_dtime
| + | |
− | UNIX time (seconds) of file deletion (LINUX only).
| + | |
− | | + | |
− | st_mode
| + | |
− | File type and permissions (octal).
| + | |
− | | + | |
− | st_nlink
| + | |
− | Number of hard links.
| + | |
− | | + | |
− | st_size
| + | |
− | File size in bytes.
| + | |
− | | + | |
− | st_block0,st_block1
| + | |
− | The first two entries in the direct block address list.
| + | |
− | | + | |
− | SEE ALSO
| + | |
− | mactime(1), mtime, atime, ctime reporter
| + | |
− | tm-format(5), time machine data format
| + | |
− | | + | |
− | LICENSE
| + | |
− | This software is distributed under the IBM Public License.
| + | |
− | | + | |
− | HISTORY
| + | |
− | First appeared in The Coroners Toolkit (TCT) 1.0.
| + | |
− | | + | |
− | AUTHOR(S)
| + | |
− | Wietse Venema
| + | |
− | IBM T.J. Watson Research
| + | |
− | P.O. Box 704
| + | |
− | Yorktown Heights, NY 10598, USA
| + | |
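Review bot: The summary on the first added line ("ils lists details about a range of meta data structures in a file system") drops the default behaviour that the removed DESCRIPTION stated, namely that ils lists only the inodes of removed files (-r, short-hand for -LZ). Consider keeping that one sentence so an examiner reading only this page does not assume the output covers every inode. The new text also reduces the output description to "a delimited format", while the removed text named the columns (st_ino, st_alloc, st_uid, st_gid, st_mtime, st_atime, st_ctime, st_dtime, st_mode, st_nlink, st_size, st_block0, st_block1); a short note that the column definitions are in the linked man page would keep that discoverable. The removed page was pinned to "Version 2.09" while the link is to an automatically updated page, so it is worth saying which tool version the wiki text applies to. The long run of empty added lines after the link looks unintended and could be trimmed.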