Difference between revisions of "Fls"
m (Updated to include fls -m output format.) |
(Added v3 format and '-l' format.) |
||
| Line 6: | Line 6: | ||
* [http://www.sleuthkit.org/sleuthkit/man/fls.html Automatically Updated man Page] | * [http://www.sleuthkit.org/sleuthkit/man/fls.html Automatically Updated man Page] | ||
| − | ==Output | + | ==Output Data== |
| + | The '-l' and '-m' arguments to fls cause each line of output to contain several pieces of information. This section outlines what each field means. | ||
| − | === | + | ===Mactime Format=== |
| − | The | + | The Mactime output format (option "-m mnt", where 'mnt' will be pre-pended to the filepath/filename) will produce a pipe ("|") delimited output. The format in 3.X versions of fls are different from the outputs of 1.X and 2.X versions. |
| − | MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links | + | The 3.X output has the following fields: |
| + | |||
| + | MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime | ||
| + | |||
| + | The 2.X output has the following fields: | ||
| + | |||
| + | MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links | ||
| UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks | | UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks | ||
For example: | For example: | ||
fls -m "/" -o 1 -i raw imageFile.dd | fls -m "/" -o 1 -i raw imageFile.dd | ||
| − | Produces: | + | Produces (in 2.X): |
0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0 | 0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0 | ||
Notes: | Notes: | ||
Times reported by fls -m are in UNIX time format. | Times reported by fls -m are in UNIX time format. | ||
| + | |||
| + | ===Long Format=== | ||
| + | The '-l' argument causes the "long" format with more details. It is tab-delimited with the following fields: | ||
| + | * file type as reported in file name and metadata structure | ||
| + | * Metadata address | ||
| + | * name | ||
| + | * mtime (last modified time) | ||
| + | * atime (last accessed time) | ||
| + | * ctime (last changed time) | ||
| + | * crtime (created time) | ||
| + | * size | ||
| + | * uid | ||
| + | * gid | ||
| + | |||
| + | Note that the 2.X versions of TSK do not print the created time. | ||
Revision as of 11:20, 20 September 2008
Back to Help Documents
fls lists the files and directory names in a file system and can display file names of recently deleted files for the directory using the given inode.
Output Data
The '-l' and '-m' arguments to fls cause each line of output to contain several pieces of information. This section outlines what each field means.
Mactime Format
The Mactime output format (option "-m mnt", where 'mnt' will be pre-pended to the filepath/filename) will produce a pipe ("|") delimited output. The format in 3.X versions of fls are different from the outputs of 1.X and 2.X versions.
The 3.X output has the following fields:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
The 2.X output has the following fields:
MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links | UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks
For example:
fls -m "/" -o 1 -i raw imageFile.dd
Produces (in 2.X):
0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0
Notes:
Times reported by fls -m are in UNIX time format.
Long Format
The '-l' argument causes the "long" format with more details. It is tab-delimited with the following fields:
- file type as reported in file name and metadata structure
- Metadata address
- name
- mtime (last modified time)
- atime (last accessed time)
- ctime (last changed time)
- crtime (created time)
- size
- uid
- gid
Note that the 2.X versions of TSK do not print the created time.
