Difference between revisions of "Ifind"

From SleuthKitWiki
(New page: Version 2.09 Man Page NAME ifind - Find the meta-data structure that has allocated a given disk unit. SYNOPSIS ifind [-avVl] [-f fstype] [-d data_unit] [-n file] ...)
 
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Version 2.09 Man Page
+
Back to [[Help Documents]]
  
NAME
+
ifind is used to map between [[data units]] and meta data structures and between meta data structures and names. It takes either a [[data unit]] address or file name as input and will search for the meta data structure that is associated with it.  
      ifind  -  Find  the meta-data structure that has allocated a given disk
+
      unit.
+
  
SYNOPSIS
+
* [http://www.sleuthkit.org/sleuthkit/man/ifind.html Automatically Updated man Page]
      ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p  par_inode]  [-z
+
      ZONE] [-i imgtype] [-o imgoffset] image [images]
+
 
+
DESCRIPTION
+
      ifind finds the meta-data structure that has data_unit allocated a data
+
      unit or has a given file name.  In some cases any of the structures can
+
      be unallocated and this will still find the results.
+
 
+
      There  are  several  required  and  optional arguments.  The image file
+
      names must be specified each time:
+
 
+
      image [images]
+
              One (or more if split) disk or partition images whose format  is
+
              given with ’-i’..PP
+
 
+
              You  must  also specify what you are looking for and include one
+
              of the following:
+
 
+
      -d data_unit
+
              Finds the meta data structure that has allocated  a  given  data
+
              unit (block, cluster, etc.)
+
 
+
      -n file
+
              Finds  the  meta  data structure that is pointed to by the given
+
              file name.
+
 
+
      -p par_inode
+
              Finds the unallocated MFT entries in an NTFS image that have the
+
              given inode as the parent.  Can be used with ’-l and -z’.
+
 
+
      There are also several optional arguments:
+
 
+
      -a    Find  all  meta-data  structures (only works when looking with a
+
              data_unit).
+
 
+
      -f fstype
+
              Specify the file system type.  Use the -? argument for  list  of
+
              supported  types.  If not given, the default type for the plat-
+
              form is used.
+
 
+
      -l    List the details of each file found with ’-p’, like ’fls -l’.
+
 
+
      -i imgtype
+
              Identify the type of image file, such as raw or split.  Raw  is
+
              the default.
+
 
+
      -o imgoffset
+
              The  sector  offset  where  the file system starts in the image.
+
              Non-512 byte sectors can be specified using ’@’ (32@2048).
+
 
+
      -v    Verbose output to stderr.
+
 
+
      -V    Display version.
+
 
+
      -z    If ’-p -l’ were given, this will set the timezone for  the  cor-
+
              rect times.
+
 
+
EXAMPLES
+
      # ifind -f fat -d 456 fat-img.dd
+
 
+
      # ifind -f linux-ext2 -n "/etc/" linux-img.dd
+
 
+
      # ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
+
 
+
SEE ALSO
+
      dd(1),
+
 
+
HISTORY
+
      ifind first appeared in TCTUTILs v1.0 as find_inode.
+
 
+
AUTHOR
+
      Brian Carrier <carrier@sleuthkit.org>
+
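Review bot: the new summary line says ifind "takes either a data unit address or file name as input", but the man page text it replaces also documents a third lookup, "-p par_inode", which finds unallocated MFT entries in an NTFS image that have the given inode as the parent. Suggest naming that mode in the summary so the wiki text matches the tool's three search options (-d, -n, -p). The three EXAMPLES invocations are also dropped here; keeping them on the page next to the link to the automatically updated man page would leave readers with a working command line for each mode.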

Latest revision as of 06:46, 4 January 2010

Back to Help Documents

ifind is used to map between data units and meta data structures and between meta data structures and names. It takes either a data unit address or file name as input and will search for the meta data structure that is associated with it.