Ffind
From SleuthKitWiki
Version 2.09 Man Page
NAME
ffind - Find the file or directory name that is using a given inode
SYNOPSIS
ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode
DESCRIPTION
ffind finds the names of files or directories that use inode on image. By default it will only return the name it finds. It will also show the names of deleted files on some systems, such as Linux and OpenBSD.
The arguments are as follows:
image [images] One (or more if split) disk or partition images whose format is given with ’-i’.
inode Integer of inode to find.
The optional arguments are:
-a Find all occurrences of inode.
-d Find deleted entries only.
-f fstype Identify the File System type of the image. Use the -? argument for a list of supported file system types. If not given, the default type for the platform is used.
-u Find undeleted entries only.
-i imgtype Identify the type of image file, such as raw or split. Raw is the default.
-o imgoffset The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048).
-v Verbose output to stderr.
-V Display version.
This program searches all directory entries looking for the given inode. This is useful when an inode has been identified from a disk unit address using find_inode(1).
EXAMPLE
# ffind -a image 212
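The following wrapper is an added example, not part of the original man page: it runs the `ffind -a` lookup shown above and labels each reported name as allocated or deleted. It assumes that ffind prefixes deleted entries with "* " and prints "File name not found for inode" when nothing matches; the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the man page): label every name that
# `ffind -a` reports for one inode as allocated or deleted.
# Assumption: ffind marks deleted entries with a leading "* " and prints
# "File name not found for inode" when no directory entry matches.

# Constructed sample of `ffind -a image 212` output (not from a real image).
sample_ffind_output() {
    printf '%s\n' '/home/alice/report.doc' '* /tmp/report.doc.swp'
}

# Read ffind output on stdin and write "<state><TAB><path>" per entry.
# Exit status is 1 when no name was reported at all.
classify_ffind_output() {
    awk '
        /^File name not found for inode/ { next }
        /^\* / { sub(/^\* /, ""); printf "deleted\t%s\n", $0; n++; next }
        /^\//  { printf "allocated\t%s\n", $0; n++ }
        END    { exit (n > 0 ? 0 : 1) }
    '
}

# names_for_inode IMAGE INODE [IMGOFFSET]
# IMGOFFSET is passed to -o unchanged, so the 32@2048 form also works.
names_for_inode() {
    image=$1 inode=$2 offset=${3:-}
    case $inode in
        ''|*[!0-9]*) echo "inode must be an integer" >&2; return 2 ;;
    esac
    if [ -n "$offset" ]; then
        ffind -a -o "$offset" "$image" "$inode"
    else
        ffind -a "$image" "$inode"
    fi | classify_ffind_output
}

# Run only when called with arguments: script.sh image 212 [imgoffset]
if [ "$#" -ge 2 ]; then
    names_for_inode "$@"
fi
```

An exit status of 1 means no directory entry references the inode, which is worth recording in case notes separately from a lookup that returned only deleted names.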
SEE ALSO
dd(1), ifind(1)
HISTORY
ffind first appeared in TCTUTILs v1.0 as find_file.
AUTHOR
Brian Carrier <carrier@sleuthkit.org>