Difference between revisions of "Fls"

From SleuthKitWiki
(Removed body file format so that it could be its own page.)
(Added more about default output and file types.)
Revision as of 13:13, 9 December 2008


fls lists the file and directory names in a file system, starting at the directory whose inode (metadata address) is given on the command line (the root directory if none is given), and can also display the names of recently deleted files in that directory.

Output Data

The default output (i.e. if neither -l nor -m is given) is one line for each file in the directory. An NTFS example is:

r/r 1304-128-1: IO.SYS

The r/r value shows the file type. The first 'r' is the type as saved in the file name data structure and the second 'r' is the type as saved in the metadata structure. For allocated files, the two should always be equal. For deleted files, they may differ if one of the structures has since been reallocated to an entry of a different type; a mismatch on an allocated entry is therefore worth a closer look. The types are listed here:

  • r: Regular file
  • d: Directory
  • c: Character device
  • b: Block device
  • l: Symbolic link
  • p: Named FIFO
  • s: Shadow
  • h: Socket
  • w: Whiteout
  • v: TSK Virtual file / directory (not a real directory, created by TSK for convenience).

Most entries will be 'r' and 'd'. The others are Unix-focused.

The 1304-128-1 part of the entry shows the Metadata Address associated with this name. Because this is an NTFS example, the address has three parts: 1304 is the MFT entry number, 128 is the attribute type (0x80, the $Data attribute) and 1 is the attribute identifier, so the name points to one specific $Data attribute of that entry (an entry can have several, for example an alternate data stream). Other file systems show a single number (the inode) in this field.

Finally, the IO.SYS part of the entry is the name of the file for this entry.

If you use the '-r' option to recursively go into directories, a '+' is added to the front of each entry for every directory level below the starting directory, showing how deep the file is. '++' means that the entry is two directories deep.

If a file is deleted, a '*' appears between the file type and the metadata address, so the example above would read r/r * 1304-128-1: IO.SYS if IO.SYS had been deleted.

-l format

The '-l' argument selects the "long" format, which carries more details. Each line is tab-delimited with the following fields:

  • file type as reported in file name and metadata structure (see above)
  • Metadata Address
  • name
  • mtime (last modified time)
  • atime (last accessed time)
  • ctime (last changed time, i.e. when the metadata was last changed; not the creation time)
  • crtime (created time)
  • size (in bytes)
  • uid (User ID)
  • gid (Group ID)

Note that the 2.X versions of TSK do not print the created time, so their long-format lines have one field fewer.
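A parser for both line formats described above (the default one-line-per-file output and the tab-delimited -l output), as an added example for this page; it is not part of The Sleuth Kit. The sample output it runs on is constructed here. It accepts either a tab or a space between the ':' and the name, so it does not depend on which one fls emits; the NTFS attribute names it attaches to the middle part of an address (128 = $DATA, 144 = $INDEX_ROOT, 160 = $INDEX_ALLOCATION) are the NTFS attribute type codes, not something fls prints; and it accepts the seven-field TSK 2.X long lines without a created time. It also applies the consistency rule stated above: an allocated entry whose two type letters differ is reported.

```python
# Parser for the default and -l (long) output formats of fls.  Added example
# for this page, not part of The Sleuth Kit; all sample lines are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# NTFS attribute type codes that form the middle part of an NTFS metadata
# address (the 128 in 1304-128-1); 0x80 = 128 is $DATA.
NTFS_ATTR_TYPES = {128: "$DATA", 144: "$INDEX_ROOT", 160: "$INDEX_ALLOCATION"}

# Line head: '+' depth markers, nametype/metatype, optional '*' (deleted),
# metadata address and ':'.  A tab or a space may follow the ':'.
HEAD_RE = re.compile(
    r"^(?P<depth>\+*)\s*(?P<name_type>[^/\s])/(?P<meta_type>\S)\s+"
    r"(?P<deleted>\*\s+)?(?P<addr>\d+(?:-\d+-\d+)?):[ \t]*(?P<rest>.*)$")


@dataclass
class FlsEntry:
    name_type: str              # type letter from the file name structure
    meta_type: str              # type letter from the metadata structure
    deleted: bool
    meta_addr: int              # inode / MFT entry number
    attr_type: Optional[int]    # NTFS only: attribute type code
    attr_id: Optional[int]      # NTFS only: attribute identifier
    name: str
    depth: int = 0              # number of leading '+' (directories below start)
    times: Dict[str, Optional[str]] = field(default_factory=dict)
    size: Optional[int] = None
    uid: Optional[int] = None
    gid: Optional[int] = None

    @property
    def type_mismatch(self) -> bool:
        return self.name_type != self.meta_type

    @property
    def attr_name(self) -> Optional[str]:
        if self.attr_type is None:
            return None
        return NTFS_ATTR_TYPES.get(self.attr_type, "type %d" % self.attr_type)


def parse_address(addr: str) -> Tuple[int, Optional[int], Optional[int]]:
    """'1304-128-1' -> (1304, 128, 1); a bare inode '1305' -> (1305, None, None)."""
    p = [int(x) for x in addr.split("-")]
    return (p[0], p[1], p[2]) if len(p) == 3 else (p[0], None, None)


def parse_line(line: str, long_format: bool = False) -> FlsEntry:
    m = HEAD_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an fls line: %r" % line)
    meta_addr, attr_type, attr_id = parse_address(m.group("addr"))
    e = FlsEntry(m.group("name_type"), m.group("meta_type"),
                 m.group("deleted") is not None, meta_addr, attr_type, attr_id,
                 name="", depth=len(m.group("depth")))
    rest = m.group("rest")
    if not long_format:
        e.name = rest.strip()
        return e
    # -l fields after the address: name, mtime, atime, ctime, crtime, size,
    # uid, gid.  TSK 2.x prints no crtime, so 7 fields are accepted as well.
    f = rest.split("\t")
    if len(f) == 7:
        f.insert(4, None)
    if len(f) != 8:
        raise ValueError("expected 7 or 8 fields after the address, got %d" % len(f))
    e.name, mtime, atime, ctime, crtime, size, uid, gid = f
    e.times = {"mtime": mtime, "atime": atime, "ctime": ctime, "crtime": crtime}
    e.size, e.uid, e.gid = int(size), int(uid), int(gid)
    return e


def parse_output(text: str, long_format: bool = False) -> List[FlsEntry]:
    return [parse_line(l, long_format) for l in text.splitlines() if l.strip()]


def type_anomalies(entries: List[FlsEntry]) -> List[str]:
    """The page's rule: allocated entries must have equal type letters.  A
    mismatch on an allocated entry is therefore worth a closer look."""
    return ["%s: allocated entry with types %s/%s" % (e.name, e.name_type, e.meta_type)
            for e in entries if e.type_mismatch and not e.deleted]


# Constructed sample: default format of 'fls -r' on an NTFS image.
SAMPLE_DEFAULT = ("r/r 1304-128-1:\tIO.SYS\n"
                  "d/d 11-144-4:\t$Extend\n"
                  "+ r/r 25-144-2:\t$ObjId\n"
                  "++ r/d * 40-144-4:\told.txt\n"      # deleted, types differ
                  "r/d 50-128-1:\todd.bin\n"           # allocated, types differ
                  "v/v 1305:\t$OrphanFiles\n")

# Constructed sample: -l format; the second line mimics TSK 2.x (no crtime).
T = "2008-12-09 13:13:00 (UTC)"
SAMPLE_LONG = ("r/r 1304-128-1:\tIO.SYS\t%s\t%s\t%s\t%s\t222390\t0\t0\n" % (T, T, T, T) +
               "r/r * 36-128-1:\tdeleted.txt\t%s\t%s\t%s\t512\t1000\t1000\n" % (T, T, T))
```

Calling parse_output(SAMPLE_DEFAULT) gives six entries; type_anomalies() on them reports only odd.bin, because old.txt is deleted and a mismatch there is expected. parse_output(SAMPLE_LONG, long_format=True) yields the created time for the first line and None for the TSK 2.X-style second line.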

-m format

The '-m' argument causes the data to be in the body file format. It is used to make timelines.