|
|
Line 1: |
Line 1: |
| Back to [[Help Documents]] | | Back to [[Help Documents]] |
| | | |
− | ==ils==
| + | ils lists details about a range of meta data structures in a file system. Its output is in a delimited format that can be further processed. |
− | Version 2.09
| + | |
− | <br />This software is distributed under the IBM Public License which can be found on the [[Licenses]] page.
| + | |
| | | |
− | | + | * [http://www.sleuthkit.org/sleuthkit/man/ils.html Automatically Updated man Page] |
− | ===Purpose===
| + | |
− | Opens the named image(s) and lists inode information. By default, ils lists only the inodes of removed files.
| + | |
− | | + | |
− | | + | |
− | ===Usage===
| + | |
− | ils [-emOpvV] [-f fstype] [-s seconds] [-i imgtype] [-o imgoffset] image [images] [start-stop]
| + | |
− | ils [-aAlLvVzZ] [-f fstype] [-s seconds] [-i imgtype] [-o imgoffset] image [images] [start-stop]
| + | |
− | | + | |
− | | + | |
− | ===Options===
| + | |
− | | + | |
− | {| border="1" cellpadding="5"
| + | |
− | !Switch
| + | |
− | !Purpose
| + | |
− | |-
| + | |
− | | -e || List every inode in the file system.
| + | |
− | |-
| + | |
− | | -f fstype || Specifies the file system type. Use the -? argument to display all supported types. If not given, the default type for the platform is used.
| + | |
− | |-
| + | |
− | | -s seconds || The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100.
| + | |
− | |-
| + | |
− | | -m || Display the inode details in the format that the mactime program reads (replaces the ils2mac script from TCT)
| + | |
− | |-
| + | |
− | | -O || List only inodes of removed files that are still open or executing. This option is short-hand notation for -aL "(see the fine controls section below). (this used to be -o).
| + | |
− | |-
| + | |
− | | -p || Display orphan inodes (unallocated with no file name)
| + | |
− | |-
| + | |
− | | -r || (default) List only inodes of removed files. This option is short-hand notation for -LZ (see the fine controls section below).
| + | |
− | |-
| + | |
− | | -i imgtype || Identify the type of image file, such as raw or split. Raw is the default.
| + | |
− | |-
| + | |
− | | -o imgoffset || The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048).
| + | |
− | |-
| + | |
− | | -v || Turn on verbose mode, output to stderr.
| + | |
− | |-
| + | |
− | | -V || Display Version.
| + | |
− | |-
| + | |
− | | image [images] || One (or more if split) disk or partition images whose format is given with ’-i’.
| + | |
− | |-
| + | |
− | | start-stop || Examine the specified inode number or number range.
| + | |
− | |-
| + | |
− | ! colspan="2"| Fine controls:
| + | |
− | |-
| + | |
− | | -a || List only allocated inodes: these belong to files with at least one directory entry in the file system, and to removed files that are still open or executing.
| + | |
− | |-
| + | |
− | | -A || List only unallocated inodes: these belong to files that no longer exist.
| + | |
− | |-
| + | |
− | | -l || List only inodes with at least one hard link. These belong to files with at least one directory entry in the file system.
| + | |
− | |-
| + | |
− | | -L || List only inodes without any hard links. These belong to files that no longer exist, and to removed files that are still open or executing.
| + | |
− | |-
| + | |
− | | -z || List only inodes with zero status change time. Presumably, these inodes were never used.
| + | |
− | |-
| + | |
− | | -Z || List only inodes with non-zero status change time. Presumably, these belong to files that still exist, or that existed in the past.
| + | |
− | |}
| + | |
− | | + | |
− | | + | |
− | ===Example===
| + | |
− | Output Format
| + | |
− | | + | |
− | The output format is in time machine format, as described in tm-format(5). The output begins with a two-line header that describes the data origin, and is followed by a one-line header that lists the names of the data attributes that make up the remainder of the output:
| + | |
− | | + | |
− | {|
| + | |
− | !Header || Meaning
| + | |
− | |-
| + | |
− | | st_ino || The inode number.
| + | |
− | |-
| + | |
− | | st_alloc || Allocation status: ‘a’ for allocated inode, ‘f’ for free inode.
| + | |
− | |-
| + | |
− | | st_uid || Owner user ID.
| + | |
− | |-
| + | |
− | | st_gid || Owner group ID.
| + | |
− | |-
| + | |
− | | st_mtime || UNIX time (seconds) of last file modification.
| + | |
− | |-
| + | |
− | | st_atime || UNIX time (seconds) of last file access.
| + | |
− | |-
| + | |
− | | st_ctime || UNIX time (seconds) of last inode status change.
| + | |
− | |-
| + | |
− | | st_dtime || UNIX time (seconds) of file deletion (LINUX only).
| + | |
− | |-
| + | |
− | | st_mode || File type and permissions (octal).
| + | |
− | |-
| + | |
− | | st_nlink || Number of hard links.
| + | |
− | |-
| + | |
− | | st_size || File size in bytes.
| + | |
− | |-
| + | |
− | | st_block0,st_block1 || The first two entries in the direct block address list.
| + | |
− | |}
| + | |
− | | + | |
− | | + | |
− | ===History===
| + | |
− | First appeared in The Coroners Toolkit (TCT) 1.0.
| + | |
− | | + | |
− | | + | |
− | ===Author===
| + | |
− | Wietse Venema
| + | |
− | IBM T.J. Watson Research
| + | |
− | P.O. Box 704
| + | |
− | Yorktown Heights, NY 10598, USA
| + | |
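Review bot: The added side reduces the page to a one-sentence summary and an external man-page link, which drops details that the removed lines carried and the summary does not: that ils lists only the inodes of removed files by default, that -O and -r are shorthand for -aL and -LZ, and the output column table (st_alloc 'a'/'f', st_dtime Linux only). Suggest keeping at least the default-behaviour sentence and the output-field table here so the page stays usable if the linked man page moves or its columns differ between versions. The link is also plain http://, so point it at an https URL if the site offers one.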
ils lists details about a range of meta data structures in a file system. Its output is in a delimited format that can be further processed.
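
An added example of that further processing, not part of the original page or of The Sleuth Kit: a Python parser for saved ils output that reproduces the removed-file (-LZ) and removed-but-open (-aL) views from a full listing. It assumes `|` as the delimiter and two origin lines before the column header; the sample data and all function names are constructed for illustration.

```python
import csv
from datetime import datetime, timezone

# Constructed sample: two origin lines, one column-header line, then records.
SAMPLE = """\
class|host|device|start_time
ils|examplehost|image.dd|1100000000
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
12|f|0|0|1090000000|1090000100|1090000200|1090000200|100644|0|4096|512|513
13|a|1000|1000|1090000300|1090000400|1090000300|0|100755|1|20480|600|601
14|f|0|0|0|0|0|0|0|0|0|0|0
15|a|1000|1000|1090000500|1090000600|1090000700|0|100600|0|88|700|0
"""

INT_FIELDS = ("st_ino", "st_uid", "st_gid", "st_nlink", "st_size",
              "st_mtime", "st_atime", "st_ctime", "st_dtime")

def parse_ils(text, delimiter="|"):
    """Return one dict per inode, keyed by the names in the column header."""
    lines = text.splitlines()
    if len(lines) < 3:
        raise ValueError("expected two origin lines and a column header")
    # Column names are read from the output itself, so a version with a
    # different column set still parses; only known fields are converted.
    reader = csv.DictReader(lines[2:], delimiter=delimiter, quoting=csv.QUOTE_NONE)
    records = []
    for row in reader:
        if None in row or None in row.values():
            raise ValueError(f"field count mismatch near inode {row.get('st_ino')}")
        rec = dict(row)
        for key in INT_FIELDS:
            if key in rec:
                rec[key] = int(rec[key])
        if "st_mode" in rec:
            rec["st_mode"] = int(rec["st_mode"], 8)  # mode is printed in octal
        records.append(rec)
    return records

def removed_files(records):
    """Same selection as -LZ: no hard links and a non-zero status change time."""
    return [r for r in records if r["st_nlink"] == 0 and r["st_ctime"] != 0]

def removed_but_open(records):
    """Same selection as -aL: still allocated, but no hard links remain."""
    return [r for r in records if r["st_alloc"] == "a" and r["st_nlink"] == 0]

def utc(ts):
    """UNIX seconds to an ISO 8601 UTC string; zero means the field was never set."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else None
```
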