Ffind
From SleuthKitWiki
ffind
Version 2.09
Purpose
Finds the names of files or directories that use inode on image. By default it only will only return the name it finds. This will also show the names of deleted file names in some systems such as Linux and OpenBSD.
This program searches all directory entries looking for the given inode. This is useful when an inode has been identified from a disk unit address using find_inode(1).
Usage
ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode
Options
| Switch | Purpose |
|---|---|
| image [images] | One (or more if split) disk or partition images whose format is given with ’-i’. |
| inode | Integer of inode to find. |
| -a | Find all occurrences of inode. |
| -d | Find deleted entries only. |
| -f fstype | Identify the File System type of the image. Use the -? argument for a list of supported file system types. If not given, the default type for the platform is used. |
| -u | Find undeleted entries only. |
| -i imgtype | Identify the type of image file, such as raw or split. Raw is the default. |
| -o imgoffset | The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). |
| -v | Verbose output to stderr. |
| -V | Display version. |
Example
# ffind -a image 212
History
ffind first appeared in TCTUTILs v1.0 as find_file.
Author
Brian Carrier <carrier@sleuthkit.org>
