Difference between revisions of "Fls"
From SleuthKitWiki
(New page: Version 2.09 Man Page NAME fls - List file and directory names in a forensic image SYNOPSIS fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i i...) |
m (Reformatted) |
||
| Line 1: | Line 1: | ||
| − | Version 2.09 | + | ==mmls== |
| + | Version 2.09 | ||
| − | + | ===Purpose=== | |
| − | + | Lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given inode. If the inode argument is not given, 2 is used. | |
| − | + | Once the inode has been determined, the file can be recovered using | |
| − | + | icat(1) from The Coroners Toolkit. The amount of information recovered | |
| − | + | from deleted file entries varies depending on the system. For example, | |
| + | on Linux, a recently deleted file can be easily recovered, while in | ||
| + | Solaris not even the inode can be determined. If you just want to find | ||
| + | what file name belongs to an inode, it is easier to use find_name(1). | ||
| − | + | ===Usage=== | |
| − | + | fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] image [images] [ inode ] | |
| − | + | ||
| − | + | ||
| − | + | ===Options=== | |
| − | + | {| border="1" cellpadding="5" | |
| − | + | !Switch | |
| + | !Purpose | ||
| + | |- | ||
| + | | -a || Display the "." and ".." directory entries (by default it does not) | ||
| + | |- | ||
| + | | -d || Display deleted entries only | ||
| + | |- | ||
| + | | -D || Display directory entries only | ||
| + | |- | ||
| + | | -f fstype || The type of File System. Use the -? argument for a list of supported types. If not given, the default type for the platform is used. | ||
| + | |- | ||
| + | | -F || Display file (all non-directory) entries only. | ||
| + | |- | ||
| + | | -l || Display file details in long format. The following contents are displayed: file_type inode file_name mod_time acc_time cre_time size uid gid | ||
| + | |- | ||
| + | | -m mnt || Display files in time machine format. The output can be merged with the body file from grave-robber(1) before mactime(1) is run. The files will be printed as though the image was mounted at mnt (for example /usr). | ||
| + | |- | ||
| + | | -p || Display the full path for each entry. By default it denotes the directory depth on recursive runs with a ’+’ sign. | ||
| + | |- | ||
| + | | -r || Recursively display directories. This will not follow deleted directories, because it can’t. | ||
| + | |- | ||
| + | | -s seconds || The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100. This is only used if -l or -m are given. | ||
| + | |- | ||
| + | | -i imgtype || Identify the type of image file, such as raw or split. Raw is the default. | ||
| + | |- | ||
| + | | -o imgoffset || The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). | ||
| + | |- | ||
| + | | -u || Display undeleted entries only | ||
| + | |- | ||
| + | | -v || Verbose output to stderr. | ||
| + | |- | ||
| + | | -V || Display version. | ||
| + | |- | ||
| + | | -z zone || The ASCII string of the time zone of the original system. For example, EST or GMT. These strings must be defined by your operating system and may vary. | ||
| + | |- | ||
| + | | image [images] || One (or more if split) disk or partition images whose format is given with ’-i’. | ||
| + | |} | ||
| − | + | ===Example=== | |
| + | To list the partition table of a Windows system using autodetect: | ||
| + | To get a list of all files and directories in an image use: | ||
| + | # fls -r image 2 | ||
| + | or just: | ||
| + | # fls -r image | ||
| − | + | To get the full path of deleted files in a given directory: | |
| + | # fls -d -p image 29 | ||
| − | + | To get the mactime output do: | |
| − | + | # fls -m /usr/local image 2 | |
| − | + | ||
| − | + | ||
| − | + | If you have a disk image and the file system starts in sector 63, use: | |
| + | # fls -o 63 disk-img.dd | ||
| − | + | If you have a disk image that is split use: | |
| − | + | # fls -i "split" -o 63 disk-1.dd disk-2.dd disk-3.dd | |
| − | + | ===History=== | |
| − | + | fls first appeared in TCTUTILs v1.0. | |
| − | + | ===Author=== | |
| − | + | Brian Carrier <carrier@sleuthkit.org> | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
Revision as of 14:27, 17 November 2007
mmls
Version 2.09
Purpose
Lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given inode. If the inode argument is not given, 2 is used.
Once the inode has been determined, the file can be recovered using icat(1) from The Coroners Toolkit. The amount of information recovered from deleted file entries varies depending on the system. For example, on Linux, a recently deleted file can be easily recovered, while in Solaris not even the inode can be determined. If you just want to find what file name belongs to an inode, it is easier to use find_name(1).
Usage
fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] image [images] [ inode ]
Options
| Switch | Purpose |
|---|---|
| -a | Display the "." and ".." directory entries (by default it does not) |
| -d | Display deleted entries only |
| -D | Display directory entries only |
| -f fstype | The type of File System. Use the -? argument for a list of supported types. If not given, the default type for the platform is used. |
| -F | Display file (all non-directory) entries only. |
| -l | Display file details in long format. The following contents are displayed: file_type inode file_name mod_time acc_time cre_time size uid gid |
| -m mnt | Display files in time machine format. The output can be merged with the body file from grave-robber(1) before mactime(1) is run. The files will be printed as though the image was mounted at mnt (for example /usr). |
| -p | Display the full path for each entry. By default it denotes the directory depth on recursive runs with a ’+’ sign. |
| -r | Recursively display directories. This will not follow deleted directories, because it can’t. |
| -s seconds | The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100. This is only used if -l or -m are given. |
| -i imgtype | Identify the type of image file, such as raw or split. Raw is the default. |
| -o imgoffset | The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). |
| -u | Display undeleted entries only |
| -v | Verbose output to stderr. |
| -V | Display version. |
| -z zone | The ASCII string of the time zone of the original system. For example, EST or GMT. These strings must be defined by your operating system and may vary. |
| image [images] | One (or more if split) disk or partition images whose format is given with ’-i’. |
Example
To list the partition table of a Windows system using autodetect: To get a list of all files and directories in an image use:
# fls -r image 2
or just:
# fls -r image
To get the full path of deleted files in a given directory:
# fls -d -p image 29
To get the mactime output do:
# fls -m /usr/local image 2
If you have a disk image and the file system starts in sector 63, use:
# fls -o 63 disk-img.dd
If you have a disk image that is split use:
# fls -i "split" -o 63 disk-1.dd disk-2.dd disk-3.dd
History
fls first appeared in TCTUTILs v1.0.
Author
Brian Carrier <carrier@sleuthkit.org>
