Difference between revisions of "Ffind"

From SleuthKitWiki
Jump to: navigation, search
m
 
(One intermediate revision by one user not shown)
Line 1: Line 1:
 
Back to [[Help Documents]]
 
Back to [[Help Documents]]
==ffind==
 
Version 2.09
 
  
===Purpose===
 
Finds the names of files or directories that use inode on image.  By default it only will only return the name it finds.  This will  also show  the names of deleted file names in some systems such as Linux and OpenBSD.
 
  
This  program searches all  directory  entries  looking for the given inode.  This is useful when an inode has been identified  from  a  disk unit address using find_inode(1).
+
ffind is used to map meta data structures to file names. It takes a meta data structure as input and searches for the corresponding file name that points to it.  
  
===Usage===
+
* [http://www.sleuthkit.org/sleuthkit/man/ffind.html Automatically Updated man Page]
ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode
+
 
+
===Options===
+
 
+
{| border="1" cellpadding="5"
+
!Switch
+
!Purpose
+
|-
+
| image [images] || One (or more if split) disk or partition images whose format is given with ’-i’.
+
|-
+
| inode || Integer of inode to find.
+
|-
+
| -a || Find all occurrences of inode.
+
|-
+
| -d || Find deleted entries only.
+
|-
+
| -f fstype || Identify the File System type of the image.  Use the -? argument for a list of supported file system types.  If  not  given,  the default type for the platform is used.
+
|-
+
| -u || Find undeleted entries only.
+
|-
+
| -i imgtype || Identify  the  type of image file, such as raw or split.  Raw is the default.
+
|-
+
| -o imgoffset || The sector offset where the file system  starts  in  the  image. Non-512 byte sectors can be specified using ’@’ (32@2048).
+
|-
+
| -v || Verbose output to stderr.
+
|-
+
| -V || Display version.
+
|}
+
 
+
===Example===
+
# ffind -a image 212
+
 
+
===History===
+
ffind first appeared in TCTUTILs v1.0 as find_file.
+
 
+
===Author===
+
Brian Carrier <carrier@sleuthkit.org>
+

Latest revision as of 18:15, 11 September 2008

Back to Help Documents


ffind is used to map meta data structures to file names. It takes a meta data structure as input and searches for the corresponding file name that points to it.