(One intermediate revision by one user not shown) |
Line 1: |
Line 1: |
| Back to [[Help Documents]] | | Back to [[Help Documents]] |
| | | |
− | ==ifind==
| + | ifind is used to map between [[data units]] and meta data structures and between meta data structures and names. It takes either a [[data unit]] address or file name as input and will search for the meta data structure that is associated with it. |
− | Version 2.09
| + | |
| | | |
− | ===Purpose===
| + | * [http://www.sleuthkit.org/sleuthkit/man/ifind.html Automatically Updated man Page] |
− | Finds the meta-data structure that has data_unit allocated a data unit or has a given file name. In some cases any of the structures can be unallocated and this will still find the results.
| + | |
− | <br />There are several required and optional arguments. The image file names must be specified each time:
| + | |
− | | + | |
− | ===Usage===
| + | |
− | ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p par_inode] [-z ZONE] [-i imgtype] [-o imgoffset] image [images]
| + | |
− | | + | |
− | ===Options===
| + | |
− | | + | |
− | {| border="1" cellpadding="5"
| + | |
− | !Switch
| + | |
− | !Purpose
| + | |
− | |-
| + | |
− | | image [images] || One (or more if split) disk or partition images whose format is given with ’-i’..PP
| + | |
− | You must also specify what you are looking for and include one of the following:
| + | |
− | |-
| + | |
− | | -d data_unit || Finds the meta data structure that has allocated a given data unit (block, cluster, etc.)
| + | |
− | |-
| + | |
− | | -n file || Finds the meta data structure that is pointed to by the given file name.
| + | |
− | |-
| + | |
− | | -p par_inode || Finds the unallocated MFT entries in an NTFS image that have the given inode as the parent. Can be used with ’-l and -z’.
| + | |
− | |-
| + | |
− | ! colspan="2"|''Optional Arguments''
| + | |
− | |-
| + | |
− | | -a || Find all meta-data structures (only works when looking with a data_unit).
| + | |
− | |-
| + | |
− | | -f fstype || Specify the file system type. Use the -? argument for list of supported types. If not given, the default type for the platform is used.
| + | |
− | |-
| + | |
− | | -l || List the details of each file found with ’-p’, like ’fls -l’.
| + | |
− | |-
| + | |
− | | -i imgtype || Identify the type of image file, such as raw or split. Raw is the default.
| + | |
− | |-
| + | |
− | | -o imgoffset || The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048).
| + | |
− | |-
| + | |
− | | -v || Verbose output to stderr.
| + | |
− | |-
| + | |
− | | -V || Display version.
| + | |
− | |-
| + | |
− | | -z || If ’-p -l’ were given, this will set the timezone for the correct times.
| + | |
− | |}
| + | |
− | | + | |
− | ===Example===
| + | |
− | # ifind -f fat -d 456 fat-img.dd
| + | |
− | # ifind -f linux-ext2 -n "/etc/" linux-img.dd
| + | |
− | # ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
| + | |
− | | + | |
− | ===History===
| + | |
− | ifind first appeared in TCTUTILs v1.0 as find_inode.
| + | |
− | | + | |
− | ===Author===
| + | |
− | Brian Carrier <carrier@sleuthkit.org>
| + | |
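Review bot: the added revision (the `+` column) drops the usage synopsis, the options table, the three examples, the history line and the author line, and replaces them with a two-sentence description plus a link to the externally hosted man page; consider keeping the usage line `ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p par_inode] [-z ZONE] [-i imgtype] [-o imgoffset] image [images]` and the three example invocations inline so the wiki page remains usable if the sleuthkit.org link moves, and so the statement from the removed text that one of `-d`, `-n` or `-p` must be given is not lost. The new paragraph also writes "meta data" where the removed text and the rest of the wiki use "meta-data"; pick one spelling. The run of empty `| + | |` rows is diff rendering residue, not page content, and needs no action in the revision itself.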