Difference between revisions of "Ffind"

From SleuthKitWiki
(New page: Version 2.09 Man Page NAME ffind - Find the file or directory name that is using a given inode SYNOPSIS ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode ...)
 
m (Reformatted)
Line 1: Line 1:
Version 2.09 Man Page
+
==ffind==
 +
Version 2.09
  
NAME
+
===Purpose===
      ffind - Find the file or directory name that is using a given inode
+
Finds the names of files or directories that use inode on image.  By default it only will only return the name it finds.  This will  also show  the names of deleted file names in some systems such as Linux and OpenBSD.
  
SYNOPSIS
+
This  program  searches  all  directory  entries  looking for the given inode.  This is useful when an inode has been identified  from  a  disk unit address using find_inode(1).
      ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode
+
  
DESCRIPTION
+
===Usage===
      ffind finds the names of files or directories that use inode on image.
+
ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode
      By default it only will only return the name it finds.  This will  also
+
      show  the names of deleted file names in some systems such as Linux and
+
      OpenBSD.
+
  
      The arguments are as follows:
+
===Options===
  
      image [images]
+
{| border="1" cellpadding="5"
              One (or more if split) disk or partition images whose format is
+
!Switch
              given with ’-i’.
+
!Purpose
 +
|-
 +
| image [images] || One (or more if split) disk or partition images whose format is given with ’-i’.
 +
|-
 +
| inode || Integer of inode to find.
 +
|-
 +
| -a || Find all occurrences of inode.
 +
|-
 +
| -d || Find deleted entries only.
 +
|-
 +
| -f fstype || Identify the File System type of the image.  Use the -? argument for a list of supported file system types.  If  not  given,  the default type for the platform is used.
 +
|-
 +
| -u || Find undeleted entries only.
 +
|-
 +
| -i imgtype || Identify  the  type of image file, such as raw or split.  Raw is the default.
 +
|-
 +
| -o imgoffset || The sector offset where the file system  starts  in  the  image. Non-512 byte sectors can be specified using ’@’ (32@2048).
 +
|-
 +
| -v || Verbose output to stderr.
 +
|-
 +
| -V || Display version.
 +
|}
  
      inode Integer of inode to find.
+
===Example===
 +
  # ffind -a image 212
  
              The optional arguments are:
+
===History===
 +
ffind first appeared in TCTUTILs v1.0 as find_file.
  
      -a    Find all occurrences of inode.
+
===Author===
 
+
Brian Carrier <carrier@sleuthkit.org>
      -d    Find deleted entries only.
+
 
+
      -f fstype
+
              Identify the File System type of the image.  Use the -? argument
+
              for a list of supported file system types.  If  not  given,  the
+
              default type for the platform is used.
+
 
+
      -u    Find undeleted entries only.
+
 
+
      -i imgtype
+
              Identify  the  type of image file, such as raw or split.  Raw is
+
              the default.
+
 
+
      -o imgoffset
+
              The sector offset where the file system  starts  in  the  image.
+
              Non-512 byte sectors can be specified using ’@’ (32@2048).
+
 
+
      -v    Verbose output to stderr.
+
 
+
      -V    Display version.
+
 
+
      This  program  searches  all  directory  entries  looking for the given
+
      inode.  This is useful when an inode has been identified  from  a  disk
+
      unit address using find_inode(1).
+
 
+
EXAMPLE
+
      # ffind -a image 212
+
 
+
SEE ALSO
+
      dd(1), ifind(1)
+
 
+
HISTORY
+
      ffind first appeared in TCTUTILs v1.0 as find_file.
+
 
+
AUTHOR
+
      Brian Carrier <carrier@sleuthkit.org>
+
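Review bot: The SEE ALSO section of the old text (dd(1), ifind(1)) has no counterpart among the added lines; the new headings go from ===Example=== straight to ===History===. Suggest restoring it as a ===See also=== section, which would also let readers compare its ifind(1) reference with the find_inode(1) reference kept in the Purpose paragraph. The doubled word in "By default it only will only return" is carried over unchanged into the new Purpose text and could be fixed in the same edit.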

Revision as of 14:52, 17 November 2007

ffind

Version 2.09

Purpose

Finds the names of files or directories that use inode on image. By default it will only return the name it finds. It will also show the names of deleted files on some systems such as Linux and OpenBSD.

This program searches all directory entries looking for the given inode. This is useful when an inode has been identified from a disk unit address using find_inode(1).

Usage

ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode

Options

{| border="1" cellpadding="5"
!Switch
!Purpose
|-
| image [images] || One (or more if split) disk or partition images whose format is given with ’-i’.
|-
| inode || Integer of inode to find.
|-
| -a || Find all occurrences of inode.
|-
| -d || Find deleted entries only.
|-
| -f fstype || Identify the File System type of the image. Use the -? argument for a list of supported file system types. If not given, the default type for the platform is used.
|-
| -u || Find undeleted entries only.
|-
| -i imgtype || Identify the type of image file, such as raw or split. Raw is the default.
|-
| -o imgoffset || The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048).
|-
| -v || Verbose output to stderr.
|-
| -V || Display version.
|}

Example

# ffind -a image 212
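
A simplified model of the directory-entry search described under Purpose and Options, added here as an illustration and not Sleuth Kit code. The sample entries, the `find_names` function and its parameters are constructed for the example, and the model assumes the default stops at the first matching name.

```python
from typing import NamedTuple


class DirEntry(NamedTuple):
    path: str      # full name recorded in the directory
    inode: int     # inode number the entry points at
    deleted: bool  # True if the directory entry is marked as deleted


# Constructed sample: inode 212 has two live names (hard links) and one
# deleted name that still references it.
ENTRIES = [
    DirEntry("/etc/passwd", 180, False),
    DirEntry("/home/alice/report.doc", 212, False),
    DirEntry("/tmp/.cache/r.tmp", 212, True),
    DirEntry("/srv/share/report-final.doc", 212, False),
    DirEntry("/var/log/old.log", 305, True),
]


def find_names(entries, inode, all_names=False,
               deleted_only=False, undeleted_only=False):
    """Scan every directory entry for `inode` and return the matching names.

    all_names mirrors -a, deleted_only mirrors -d, undeleted_only mirrors -u.
    Deleted names are prefixed with "* " (a labelling choice for this model).
    """
    if deleted_only and undeleted_only:
        raise ValueError("deleted_only and undeleted_only conflict in this model")
    hits = []
    for entry in entries:
        if entry.inode != inode:
            continue
        if deleted_only and not entry.deleted:
            continue
        if undeleted_only and entry.deleted:
            continue
        hits.append(("* " if entry.deleted else "") + entry.path)
        if not all_names:
            break  # assumed default: report one name and stop
    return hits


if __name__ == "__main__":
    for name in find_names(ENTRIES, 212, all_names=True):
        print(name)
```

The model shows why -a matters when an inode has several names, and why -d and -u can give different answers for the same inode.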

History

ffind first appeared in TCTUTILs v1.0 as find_file.

Author

Brian Carrier <carrier@sleuthkit.org>