Difference between revisions of "Ffind"

From SleuthKitWiki
Jump to: navigation, search
(New page: Version 2.09 Man Page NAME ffind - Find the file or directory name that is using a given inode SYNOPSIS ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode ...)
 
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Version 2.09 Man Page
+
Back to [[Help Documents]]
  
NAME
 
      ffind - Find the file or directory name that is using a given inode
 
  
SYNOPSIS
+
ffind is used to map meta data structures to file names.  It takes a meta data structure as input and searches for the corresponding file name that points to it.
      ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode
+
  
DESCRIPTION
+
* [http://www.sleuthkit.org/sleuthkit/man/ffind.html Automatically Updated man Page]
      ffind  finds the names of files or directories that use inode on image.
+
      By default it only will only return the name it finds.  This will  also
+
      show  the names of deleted file names in some systems such as Linux and
+
      OpenBSD.
+
 
+
      The arguments are as follows:
+
 
+
      image [images]
+
              One (or more if split) disk or partition images whose format  is
+
              given with ’-i’.
+
 
+
      inode  Integer of inode to find.
+
 
+
              The optional arguments are:
+
 
+
      -a    Find all occurrences of inode.
+
 
+
      -d    Find deleted entries only.
+
 
+
      -f fstype
+
              Identify the File System type of the image.  Use the -? argument
+
              for a list of supported file system types.  If  not  given,  the
+
              default type for the platform is used.
+
 
+
      -u    Find undeleted entries only.
+
 
+
      -i imgtype
+
              Identify  the  type of image file, such as raw or split.  Raw is
+
              the default.
+
 
+
      -o imgoffset
+
              The sector offset where the file system  starts  in  the  image.
+
              Non-512 byte sectors can be specified using ’@’ (32@2048).
+
 
+
      -v    Verbose output to stderr.
+
 
+
      -V    Display version.
+
 
+
      This  program  searches  all  directory  entries  looking for the given
+
      inode.  This is useful when an inode has been identified  from  a  disk
+
      unit address using find_inode(1).
+
 
+
EXAMPLE
+
      # ffind -a image 212
+
 
+
SEE ALSO
+
      dd(1), ifind(1)
+
 
+
HISTORY
+
      ffind first appeared in TCTUTILs v1.0 as find_file.
+
 
+
AUTHOR
+
      Brian Carrier <carrier@sleuthkit.org>
+

Latest revision as of 18:15, 11 September 2008

Back to Help Documents


ffind is used to map meta data structures to file names. It takes a meta data structure as input and searches for the corresponding file name that points to it.

Retrieved from "http://wiki.sleuthkit.org/index.php?title=Ffind&oldid=185"