Difference between revisions of "Ils"
From SleuthKitWiki
(New page: Version 2.09 Man Page NAME ils - list inode information SYNOPSIS ils [-emOpvV] [-f fstype] [-s seconds] [-i imgtype] [-o imgoffset] image [images] [start-stop] ...) |
m (Formatting) |
||
| Line 1: | Line 1: | ||
| − | + | Back to [[Help Documents]] | |
| − | + | ==ils== | |
| − | + | Version 2.09 | |
| + | <br />This software is distributed under the IBM Public License which can be found on the [[Licenses]] page. | ||
| − | |||
| − | |||
| − | |||
| − | + | ===Purpose=== | |
| − | + | Opens the named image(s) and lists inode information. By default, ils lists only the inodes of removed files. | |
| − | |||
| − | |||
| − | |||
| − | + | ===Usage=== | |
| + | ils [-emOpvV] [-f fstype] [-s seconds] [-i imgtype] [-o imgoffset] image [images] [start-stop] | ||
| + | ils [-aAlLvVzZ] [-f fstype] [-s seconds] [-i imgtype] [-o imgoffset] image [images] [start-stop] | ||
| − | |||
| − | + | ===Options=== | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | {| border="1" cellpadding="5" | |
| − | + | !Switch | |
| − | + | !Purpose | |
| − | + | |- | |
| + | | -e || List every inode in the file system. | ||
| + | |- | ||
| + | | -f fstype || Specifies the file system type. Use the -? argument to display all supported types. If not given, the default type for the platform is used. | ||
| + | |- | ||
| + | | -s seconds || The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100. | ||
| + | |- | ||
| + | | -m || Display the inode details in the format that the mactime program reads (replaces the ils2mac script from TCT) | ||
| + | |- | ||
| + | | -O || List only inodes of removed files that are still open or executing. This option is short-hand notation for -aL "(see the fine controls section below). (this used to be -o). | ||
| + | |- | ||
| + | | -p || Display orphan inodes (unallocated with no file name) | ||
| + | |- | ||
| + | | -r || (default) List only inodes of removed files. This option is short-hand notation for -LZ (see the fine controls section below). | ||
| + | |- | ||
| + | | -i imgtype || Identify the type of image file, such as raw or split. Raw is the default. | ||
| + | |- | ||
| + | | -o imgoffset || The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). | ||
| + | |- | ||
| + | | -v || Turn on verbose mode, output to stderr. | ||
| + | |- | ||
| + | | -V || Display Version. | ||
| + | |- | ||
| + | | image [images] || One (or more if split) disk or partition images whose format is given with ’-i’. | ||
| + | |- | ||
| + | | start-stop || Examine the specified inode number or number range. | ||
| + | |- | ||
| + | ! colspan="2"| Fine controls: | ||
| + | |- | ||
| + | | -a || List only allocated inodes: these belong to files with at least one directory entry in the file system, and to removed files that are still open or executing. | ||
| + | |- | ||
| + | | -A || List only unallocated inodes: these belong to files that no longer exist. | ||
| + | |- | ||
| + | | -l || List only inodes with at least one hard link. These belong to files with at least one directory entry in the file system. | ||
| + | |- | ||
| + | | -L || List only inodes without any hard links. These belong to files that no longer exist, and to removed files that are still open or executing. | ||
| + | |- | ||
| + | | -z || List only inodes with zero status change time. Presumably, these inodes were never used. | ||
| + | |- | ||
| + | | -Z || List only inodes with non-zero status change time. Presumably, these belong to files that still exist, or that existed in the past. | ||
| + | |} | ||
| − | |||
| − | |||
| − | + | ===Example=== | |
| − | + | Output Format | |
| − | + | ||
| − | + | The output format is in time machine format, as described in tm-format(5). The output begins with a two-line header that describes the data origin, and is followed by a one-line header that lists the names of the data attributes that make up the remainder of the output: | |
| − | + | {| | |
| − | + | !Header || Meaning | |
| − | + | |- | |
| + | | st_ino || The inode number. | ||
| + | |- | ||
| + | | st_alloc || Allocation status: ‘a’ for allocated inode, ‘f’ for free inode. | ||
| + | |- | ||
| + | | st_uid || Owner user ID. | ||
| + | |- | ||
| + | | st_gid || Owner group ID. | ||
| + | |- | ||
| + | | st_mtime || UNIX time (seconds) of last file modification. | ||
| + | |- | ||
| + | | st_atime || UNIX time (seconds) of last file access. | ||
| + | |- | ||
| + | | st_ctime || UNIX time (seconds) of last inode status change. | ||
| + | |- | ||
| + | | st_dtime || UNIX time (seconds) of file deletion (LINUX only). | ||
| + | |- | ||
| + | | st_mode || File type and permissions (octal). | ||
| + | |- | ||
| + | | st_nlink || Number of hard links. | ||
| + | |- | ||
| + | | st_size || File size in bytes. | ||
| + | |- | ||
| + | | st_block0,st_block1 || The first two entries in the direct block address list. | ||
| + | |} | ||
| − | |||
| − | |||
| − | |||
| − | + | ===History=== | |
| − | + | First appeared in The Coroners Toolkit (TCT) 1.0. | |
| − | + | ||
| − | |||
| − | + | ===Author=== | |
| − | + | Wietse Venema | |
| − | + | IBM T.J. Watson Research | |
| − | + | P.O. Box 704 | |
| − | + | Yorktown Heights, NY 10598, USA | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
Revision as of 15:56, 17 November 2007
Back to Help Documents
ils
Version 2.09
This software is distributed under the IBM Public License which can be found on the Licenses page.
Purpose
Opens the named image(s) and lists inode information. By default, ils lists only the inodes of removed files.
Usage
ils [-emOpvV] [-f fstype] [-s seconds] [-i imgtype] [-o imgoffset] image [images] [start-stop] ils [-aAlLvVzZ] [-f fstype] [-s seconds] [-i imgtype] [-o imgoffset] image [images] [start-stop]
Options
| Switch | Purpose |
|---|---|
| -e | List every inode in the file system. |
| -f fstype | Specifies the file system type. Use the -? argument to display all supported types. If not given, the default type for the platform is used. |
| -s seconds | The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100. |
| -m | Display the inode details in the format that the mactime program reads (replaces the ils2mac script from TCT) |
| -O | List only inodes of removed files that are still open or executing. This option is short-hand notation for -aL "(see the fine controls section below). (this used to be -o). |
| -p | Display orphan inodes (unallocated with no file name) |
| -r | (default) List only inodes of removed files. This option is short-hand notation for -LZ (see the fine controls section below). |
| -i imgtype | Identify the type of image file, such as raw or split. Raw is the default. |
| -o imgoffset | The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). |
| -v | Turn on verbose mode, output to stderr. |
| -V | Display Version. |
| image [images] | One (or more if split) disk or partition images whose format is given with ’-i’. |
| start-stop | Examine the specified inode number or number range. |
| Fine controls: | |
| -a | List only allocated inodes: these belong to files with at least one directory entry in the file system, and to removed files that are still open or executing. |
| -A | List only unallocated inodes: these belong to files that no longer exist. |
| -l | List only inodes with at least one hard link. These belong to files with at least one directory entry in the file system. |
| -L | List only inodes without any hard links. These belong to files that no longer exist, and to removed files that are still open or executing. |
| -z | List only inodes with zero status change time. Presumably, these inodes were never used. |
| -Z | List only inodes with non-zero status change time. Presumably, these belong to files that still exist, or that existed in the past. |
Example
Output Format
The output format is in time machine format, as described in tm-format(5). The output begins with a two-line header that describes the data origin, and is followed by a one-line header that lists the names of the data attributes that make up the remainder of the output:
| Header | Meaning |
|---|---|
| st_ino | The inode number. |
| st_alloc | Allocation status: ‘a’ for allocated inode, ‘f’ for free inode. |
| st_uid | Owner user ID. |
| st_gid | Owner group ID. |
| st_mtime | UNIX time (seconds) of last file modification. |
| st_atime | UNIX time (seconds) of last file access. |
| st_ctime | UNIX time (seconds) of last inode status change. |
| st_dtime | UNIX time (seconds) of file deletion (LINUX only). |
| st_mode | File type and permissions (octal). |
| st_nlink | Number of hard links. |
| st_size | File size in bytes. |
| st_block0,st_block1 | The first two entries in the direct block address list. |
History
First appeared in The Coroners Toolkit (TCT) 1.0.
Author
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA
