Difference between revisions of "Fls"
From SleuthKitWiki
(Added link to man page.) |
m (Updated to include fls -m output format.) |
||
| Line 5: | Line 5: | ||
* [http://www.sleuthkit.org/sleuthkit/man/fls.html Automatically Updated man Page] | * [http://www.sleuthkit.org/sleuthkit/man/fls.html Automatically Updated man Page] | ||
| + | |||
| + | ==Output Types:== | ||
| + | |||
| + | ===Mac-time Output=== | ||
| + | The Mac-time Output format (option "-m mnt", where 'mnt' will be pre-pended to the filepath/filename) will produce a pipe ("|") delimited output. The fields produced are as follows: | ||
| + | |||
| + | MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links \n | ||
| + | | UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks | ||
| + | |||
| + | For example: | ||
| + | fls -m "/" -o 1 -i raw imageFile.dd | ||
| + | Produces: | ||
| + | 0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0 | ||
| + | Notes: | ||
| + | |||
| + | Times reported by fls -m are in UNIX time format. | ||
Revision as of 12:24, 14 September 2008
Back to Help Documents
fls lists the files and directory names in a file system and can display file names of recently deleted files for the directory using the given inode.
Output Types:
Mac-time Output
The Mac-time Output format (option "-m mnt", where 'mnt' will be pre-pended to the filepath/filename) will produce a pipe ("|") delimited output. The fields produced are as follows:
MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links \n | UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks
For example:
fls -m "/" -o 1 -i raw imageFile.dd
Produces:
0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0
Notes:
Times reported by fls -m are in UNIX time format.
