Ils

From SleuthKitWiki
Revision as of 08:17, 17 November 2007 by Dhawkins (Talk | contribs)


Version 2.09 Man Page

NAME

      ils - list inode information

SYNOPSIS

      ils  [-emOpvV]  [-f  fstype]  [-s  seconds] [-i imgtype] [-o imgoffset]
      image [images] [start-stop]
      ils [-aAlLvVzZ] [-f fstype] [-s seconds] [-i  imgtype]  [-o  imgoffset]
      image [images] [start-stop]

DESCRIPTION

      ils  opens the named image(s) and lists inode information.  By default,
      ils lists only the inodes of removed files.
      Arguments:
      -e     List every inode in the file system.
      -f fstype
             Specifies the file system type.  Use the -? argument to  display
             all  supported  types.   If  not given, the default type for the
             platform is used.
      -s seconds
             The time skew of the original system in seconds.   For  example,
             if the original system was 100 seconds slow, this value would be
             -100.
      -m     Display the inode details in the format that the mactime program
             reads (replaces the ils2mac script from TCT)
      -O     List only inodes of removed files that are still open or
             executing.  This option is short-hand notation for -aL (see the
             fine controls section below). (This used to be -o.)
      -p     Display orphan inodes (unallocated with no file name)
      -r     (default)  List  only  inodes  of  removed files. This option is
             short-hand notation for  -LZ  (see  the  fine  controls  section
             below).
      -i imgtype
             Identify  the  type of image file, such as raw or split.  Raw is
             the default.
      -o imgoffset
             The sector offset where the file system  starts  in  the  image.
             Non-512 byte sectors can be specified using ’@’ (32@2048).
      -v     Turn on verbose mode, output to stderr.
      -V     Display Version.
      image [images]
             One  (or more if split) disk or partition images whose format is
             given with ’-i’.
      start-stop
             Examine the specified inode number or number range.
      Fine controls:
      -a     List only allocated inodes: these belong to files with at  least
             one  directory  entry  in  the file system, and to removed files
             that are still open or executing.
      -A     List only unallocated inodes: these  belong  to  files  that  no
             longer exist.
      -l     List  only  inodes  with at least one hard link. These belong to
             files with at least one directory entry in the file system.
      -L     List only inodes without any hard links. These belong  to  files
             that  no  longer exist, and to removed files that are still open
             or executing.
      -z     List only inodes with zero status change time. Presumably, these
             inodes were never used.
      -Z     List  only  inodes with non-zero status change time. Presumably,
             these belong to files that still exist, or that existed  in  the
             past.
      The  output  format  is in time machine format, as described in
      tm-format(5). The output begins with a two-line  header  that  describes
      the data  origin, and is followed by a one-line header that lists the
      names of the data attributes that make up the remainder of the output:
      st_ino The inode number.
      st_alloc
             Allocation status: ‘a’ for allocated inode, ‘f’ for free  inode.
      st_uid Owner user ID.
      st_gid Owner group ID.
      st_mtime
             UNIX time (seconds) of last file modification.
      st_atime
             UNIX time (seconds) of last file access.
      st_ctime
             UNIX time (seconds) of last inode status change.
      st_dtime
             UNIX time (seconds) of file deletion (LINUX only).
      st_mode
             File type and permissions (octal).
      st_nlink
             Number of hard links.
      st_size
             File size in bytes.
      st_block0,st_block1
             The first two entries in the direct block address list.
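
The output layout described above, parsed as an added example (not part of the original man page or of the tool itself): it reads the two origin lines and the attribute-name line, then labels each inode using the definitions from the fine controls section. The '|' field separator, the header text and every value in SAMPLE are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample output. Assumption: fields are separated by '|'.
SAMPLE = """\
class|host|device|start_time
ils|examplehost||1195287420
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
12|a|0|0|1195200000|1195200100|1195200000|0|100644|1|2048|520|521
13|f|1000|1000|1195100000|1195100500|1195286000|1195286000|100600|0|913|610|0
14|a|1000|1000|1195250000|1195286900|1195286950|0|100755|0|40960|700|701
15|f|0|0|0|0|0|0|0|0|0|0|0
"""

def parse_ils(text, sep="|"):
    """Return (origin, rows). origin comes from the two-line header; rows are
    keyed by the attribute names listed on the third line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("expected two origin lines and one attribute line")
    origin = dict(zip(lines[0].split(sep), lines[1].split(sep)))
    names = lines[2].split(sep)
    rows = []
    for ln in lines[3:]:
        vals = ln.split(sep)
        if len(vals) != len(names):
            raise ValueError(f"field count mismatch: {ln!r}")
        # st_alloc is a letter, st_mode is octal, everything else is decimal.
        rows.append({n: v if n == "st_alloc" else int(v, 8 if n == "st_mode" else 10)
                     for n, v in zip(names, vals)})
    return origin, rows

def classify(row):
    """Label one inode with the category the fine controls text describes."""
    if row["st_ctime"] == 0:
        return "never-used"                      # what -z selects
    if row["st_nlink"] == 0:                     # what -L selects
        return "removed-still-open" if row["st_alloc"] == "a" else "removed"
    return "live" if row["st_alloc"] == "a" else "unallocated-with-links"

def utc(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()

def report(text):
    _, rows = parse_ils(text)
    return [(r["st_ino"], classify(r), utc(r["st_ctime"])) for r in rows]

if __name__ == "__main__":
    for ino, kind, ctime in report(SAMPLE):
        print(ino, kind, ctime)
```

Column names are taken from the attribute line rather than hard-coded, so a listing with a different set of attributes still parses.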

SEE ALSO

      mactime(1), mtime, atime, ctime reporter
      tm-format(5), time machine data format

LICENSE

      This software is distributed under the IBM Public License.

HISTORY

      First appeared in The Coroner's Toolkit (TCT) 1.0.

AUTHOR(S)

      Wietse Venema
      IBM T.J. Watson Research
      P.O. Box 704
      Yorktown Heights, NY 10598, USA