Difference between revisions of "Fls"

Latest revision as of 08:10, 13 January 2014

fls lists the files and directory names in a file system. It will process the contents of a given directory and can display information on deleted files.

Automatically Updated man Page

Output Data

The default output (i.e. if -l or -m are not given) has one line for each file in the directory. An NTFS example is:

r/r 1304-128-1: IO.SYS

File Type

The r/r value shows the file type. The first 'r' is the type as saved in the file's file name structure and the second 'r' is the type as saved in the file's metadata structure. For allocated files, these should always be equal. For deleted files, they could be different if one of the structures was reallocated to a different file type. The types are listed here:

-: Unknown type
r: Regular file
d: Directory
c: Character device
b: Block device
l: Symbolic link
p: Named FIFO
s: Shadow
h: Socket
w: Whiteout
v: TSK Virtual file / directory (not a real directory, created by TSK for convenience).

Most entries will be 'r' and 'd'. The others are Unix-focused.

Metadata Address

The 1304-128-1 part of the entry shows the Metadata Address associated with this name. Because this is an NTFS example, the -128-1 part exists, which identifies the $Data attribute that this name points to. Other file systems may have a single number in this field.

File Name

Finally, the IO.SYS part of the entry is the name of the file for this entry.

If you use the '-r' option to recursively go into directories, a '+' is added to the front of each entry to show how deep the file is. '++' means that the entry is two directories deep.

Deleted File Names

If the file name in unallocated space of the directory, there will be a '*' between the file type and the metadata address.

r/r * 1304-128-1: IO.SYS

In general, this means that the file is deleted. But, some file systems keep the directory contents sorted and will move file names around. This can result in unallocated copies of the file name, even when the file is still allocated. As of version 3.0.0, TSK suppresses duplicate file names and will suppress a deleted version of a name if an equivalent allocated version exists (equivalent is defined as the same name and pointing to the same metadata address).

Sometimes, you will see the text '(realloc)' after the metadata address.

r/r * 1304-128-1(realloc): IO.SYS

This occurs when the file name is in an unallocated state and the metadata structure is in an allocated state. This can only occur on file systems that separate the file name from the metadata (such as NTFS, Ext2/3, UFS, etc.). Seeing '(realloc)' with versions of TSK 3.0.0 and greater (because of the duplicate name suppression) is generally an indication that the metadata structure has been reallocated to a new file and therefore not likely to be the metadta or file content that originally corresponded to this file name.

-l format

The '-l' argument causes the "long" format with more details. It is tab-delimited with the following fields:

file type as reported in file name and metadata structure (see above)
Metadata Address
name
mtime (last modified time)
atime (last accessed time)
ctime (last changed time)
crtime (created time)
size (in bytes)
uid (User ID)
gid (Group ID)

Note that the 2.X versions of TSK do not print the created time.

-m format

The '-m' argument causes the data to be in the body file format. It is used to make timelines. An example:

# fls -r -m / image.dd > body.txt

@@ Line 1: / Line 1: @@
-Version 2.09 Man Page
+Back to [[Help Documents]]
-NAME
-       fls - List file and directory names in a forensic image
-SYNOPSIS
+fls lists the files and directory names in a file system.  It will process the contents of a given directory and can display information on deleted files.
-       fls  [-adDFlpruvV]  [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i
-       imgtype ] [-o imgoffset ] image [images] [ inode ]
-DESCRIPTION
+* [http://www.sleuthkit.org/sleuthkit/man/fls.html Automatically Updated man Page]
-       fls lists the files and directory names in the image  and  can  display
-       file  names of recently deleted files for the directory using the given
-       inode.  If the inode argument is not given, 2 is used.
-       The arguments are as follows:
+==Output Data==
+The default output (i.e. if -l or -m are not given) has one line for each file in the directory.  An NTFS example is:
-       -a     Display the "." and ".." directory entries (by default  it  does
+<code>
-              not)
+r/r 1304-128-1: IO.SYS
+</code>
-       -d     Display deleted entries only
+=== File Type ===
+The <tt>r/r</tt> value shows the file type.  The first 'r' is the type as saved in the file's [[file name  structure]] and the second 'r' is the type as saved in the file's [[metadata structure]]. For [[allocated files]], these should always be equal.  For [[deleted files]], they could be different if one of the structures was reallocated to a different file type. The types are listed here:
+* -: Unknown type
+* r: Regular file
+* d: Directory
+* c: Character device
+* b: Block device
+* l: Symbolic link
+* p: Named FIFO
+* s: Shadow
+* h: Socket
+* w: Whiteout
+* v: TSK Virtual file / directory (not a real directory, created by TSK for convenience).
+Most entries will be 'r' and 'd'.  The others are Unix-focused.
-       -D     Display directory entries only
+=== Metadata Address ===
+The <tt>1304-128-1</tt> part of the entry shows the [[Metadata Address]] associated with this name.  Because this is an NTFS example, the <tt>-128-1</tt> part exists, which identifies the $Data attribute that this name points to.  Other file systems may have a single number in this field.
-       -f fstype
+=== File Name ===
-              The type of File System.  Use the -? argument for a list of sup-
+Finally, the <tt>IO.SYS</tt> part of the entry is the name of the file for this entry.
-              ported types.  If not given, the default type for  the  platform
-              is used.
-       -F     Display file (all non-directory) entries only.
+If you use the '-r' option to recursively go into directories, a '+' is added to the front of each entry to show how deep the file is.  '++' means that the entry is two directories deep.
-       -l     Display file details in long format.  The following contents are
+=== Deleted File Names ===
-              displayed:
+If the file name in unallocated space of the directory, there will be a '*' between the file type and the metadata address.
-              file_type inode file_name mod_time acc_time  cre_time  size  uid
+<code>
-              gid
+r/r * 1304-128-1: IO.SYS
+</code>
-       -m mnt Display  files in time machine format.  The output can be merged
+In general, this means that the file is deleted.  But, some file systems keep the directory contents sorted and will move file names around.  This can result in unallocated copies of the file name, even when the file is still allocated.  As of version 3.0.0, TSK suppresses duplicate file names and will suppress a deleted version of a name if an equivalent allocated version exists (equivalent is defined as the same name and pointing to the same metadata address).
-              with the body file from grave-robber(1)  before  mactime(1)   is
-              run.   The files will be printed as though the image was mounted
-              at mnt (for example /usr).
-       -p     Display the full path for each entry.  By default it denotes the
+Sometimes, you will see the text '(realloc)' after the metadata address.
-              directory depth on recursive runs with a ’+’ sign.
-       -r     Recursively  display  directories.  This will not follow deleted
+<code>
-              directories, because it can’t.
+r/r * 1304-128-1(realloc): IO.SYS
+</code>
-       -s seconds
+This occurs when the file name is in an unallocated state and the metadata structure is in an allocated state. This can only occur on file systems that separate the file name from the metadata (such as NTFS, Ext2/3, UFS, etc.). Seeing '(realloc)' with versions of TSK 3.0.0 and greater (because of the duplicate name suppression) is generally an indication that the metadata structure has been reallocated to a new file and therefore not likely to be the metadta or file content that originally corresponded to this file name.
-              The time skew of the original system in seconds.   For  example,
-              if the original system was 100 seconds slow, this value would be
-              -100.  This is only used if -l or -m are given.
-       -i imgtype
+=== -l format ===
-              Identify the type of image file, such as raw or split.   Raw  is
+The '-l' argument causes the "long" format with more details.  It is tab-delimited with the following fields:
-              the default.
+* file type as reported in file name and metadata structure (see above)
+* [[Metadata Address]]
+* name
+* mtime (last modified time)
+* atime (last accessed time)
+* ctime (last changed time)
+* crtime (created time)
+* size (in bytes)
+* uid (User ID)
+* gid (Group ID)
-       -o imgoffset
+Note that the 2.X versions of TSK do not print the created time.
-              The  sector  offset  where  the file system starts in the image.
-              Non-512 byte sectors can be specified using ’@’ (32@2048).
-       -u     Display undeleted entries only
+=== -m format ===
+The '-m' argument causes the data to be in the [[body file]] format. It is used to make [[timelines]]. An example:
-       -v     Verbose output to stderr.
+  # fls -r -m / image.dd > body.txt
-       -V     Display version.
-       -z zone
-              The ASCII string of the time zone of the original  system.   For
-              example,  EST  or  GMT.   These  strings must be defined by your
-              operating system and may vary.
-       image [images]
-              One (or more if split) disk or partition images whose format  is
-              given with ’-i’.
-       Once  the  inode  has  been determined, the file can be recovered using
-       icat(1) from The Coroners Toolkit.  The amount of information recovered
-       from deleted file entries varies depending on the system.  For example,
-       on Linux, a recently deleted file can be  easily  recovered,  while  in
-       Solaris not even the inode can be determined.  If you just want to find
-       what file name belongs to an inode, it is easier to use find_name(1).
-EXAMPLES
-       To get a list of all files and directories in an image use:
-            # fls -r image 2
-            or just:
-            # fls -r image
-       To get the full path of deleted files in a given directory:
-            # fls -d -p image 29
-       To get the mactime output do:
-            # fls -m /usr/local image 2
-       If you have a disk image and the file system starts in sector 63, use:
-            # fls -o 63 disk-img.dd
-       If you have a disk image that is split use:
-            # fls -i "split" -o 63 disk-1.dd disk-2.dd disk-3.dd
-SEE ALSO
-       dd(1), ffind(1), icat(1)
-HISTORY
-       fls first appeared in TCTUTILs v1.0.
-AUTHOR
-       Brian Carrier <carrier@sleuthkit.org>

Difference between revisions of "Fls"

Latest revision as of 08:10, 13 January 2014

Contents

Output Data

File Type

Metadata Address

File Name

Deleted File Names

-l format

-m format

Navigation menu

Views

Personal tools

Navigation

Search

Tools