Fls

Version 2.09 Man Page

NAME

      fls - List file and directory names in a forensic image

SYNOPSIS

      fls  [-adDFlpruvV]  [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i
      imgtype ] [-o imgoffset ] image [images] [ inode ]

DESCRIPTION

      fls lists the files and directory names in the image  and  can  display
      file  names of recently deleted files for the directory using the given
      inode.  If the inode argument is not given, 2 is used.

      The arguments are as follows:

      -a     Display the "." and ".." directory entries (by default  it  does
             not)

      -d     Display deleted entries only

      -D     Display directory entries only

      -f fstype
             The type of File System.  Use the -? argument for a list of sup-
             ported types.  If not given, the default type for  the  platform
             is used.

      -F     Display file (all non-directory) entries only.

      -l     Display file details in long format.  The following contents are
             displayed:

             file_type inode file_name mod_time acc_time  cre_time  size  uid
             gid

      -m mnt Display  files in time machine format.  The output can be merged
             with the body file from grave-robber(1)  before  mactime(1)   is
             run.   The files will be printed as though the image was mounted
             at mnt (for example /usr).

      -p     Display the full path for each entry.  By default it denotes the
             directory depth on recursive runs with a ’+’ sign.

      -r     Recursively  display  directories.  This will not follow deleted
             directories, because it can’t.

      -s seconds
             The time skew of the original system in seconds.   For  example,
             if the original system was 100 seconds slow, this value would be
             -100.  This is only used if -l or -m are given.

      -i imgtype
             Identify the type of image file, such as raw or split.   Raw  is
             the default.

      -o imgoffset
             The  sector  offset  where  the file system starts in the image.
             Non-512 byte sectors can be specified using ’@’ (32@2048).

      -u     Display undeleted entries only

      -v     Verbose output to stderr.

      -V     Display version.

      -z zone
             The ASCII string of the time zone of the original  system.   For
             example,  EST  or  GMT.   These  strings must be defined by your
             operating system and may vary.

      image [images]
             One (or more if split) disk or partition images whose format  is
             given with ’-i’.

      Once  the  inode  has  been determined, the file can be recovered using
      icat(1) from The Coroners Toolkit.  The amount of information recovered
      from deleted file entries varies depending on the system.  For example,
      on Linux, a recently deleted file can be  easily  recovered,  while  in
      Solaris not even the inode can be determined.  If you just want to find
      what file name belongs to an inode, it is easier to use find_name(1).

EXAMPLES

      To get a list of all files and directories in an image use:

           # fls -r image 2

           or just:

           # fls -r image

      To get the full path of deleted files in a given directory:

           # fls -d -p image 29

      To get the mactime output do:

           # fls -m /usr/local image 2

      If you have a disk image and the file system starts in sector 63, use:

           # fls -o 63 disk-img.dd

      If you have a disk image that is split use:

           # fls -i "split" -o 63 disk-1.dd disk-2.dd disk-3.dd

SEE ALSO

      dd(1), ffind(1), icat(1)

HISTORY

      fls first appeared in TCTUTILs v1.0.

AUTHOR

      Brian Carrier <carrier@sleuthkit.org>