Ffind

From SleuthKitWiki
Revision as of 09:12, 17 November 2007 by Dhawkins (Talk | contribs)


Version 2.09 Man Page

NAME

      ffind - Find the file or directory name that is using a given inode

SYNOPSIS

      ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode

DESCRIPTION

      ffind finds the names of files or directories that use inode on image.
      By default it will only return the name it finds. It will also show
      the names of deleted files on some systems such as Linux and
      OpenBSD.
      The arguments are as follows:
      image [images]
             One (or more if split) disk or partition images whose format is
             given with ’-i’.
      inode  Integer of inode to find.
      The optional arguments are:
      -a     Find all occurrences of inode.
      -d     Find deleted entries only.
      -f fstype
             Identify the File System type of the image. Use the -? argument
             for a list of supported file system types. If not given, the
             default type for the platform is used.
      -u     Find undeleted entries only.
      -i imgtype
             Identify the type of image file, such as raw or split. Raw is
             the default.
      -o imgoffset
             The sector offset where the file system starts in the image.
             Non-512 byte sectors can be specified using ’@’ (32@2048).
      -v     Verbose output to stderr.
      -V     Display version.
      This program searches all directory entries looking for the given
      inode. This is useful when an inode has been identified from a disk
      unit address using find_inode(1).

EXAMPLE

      # ffind -a image 212
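
The directory-entry search described above, shown on a single ext2-style directory block. This is an added illustration, not code from The Sleuth Kit. The block contents, the 96-byte block size and the names `find_names`, `read_entry`, `entry` and `need` are constructed for the example, and it assumes the ext2 entry layout with a one-byte file type, where an unlinked name survives in the slack of the preceding entry.

```python
import struct

HDR = struct.Struct("<IHBB")  # inode, rec_len, name_len, file_type (assumed ext2 layout)

def need(name_len):
    """Bytes an entry really occupies: 8-byte header plus name, rounded up to 4."""
    return (HDR.size + name_len + 3) & ~3

def entry(inode, rec_len, name, ftype=1):
    """Build one directory entry (used only to construct the sample block)."""
    return (HDR.pack(inode, rec_len, len(name), ftype) + name).ljust(need(len(name)), b"\0")

def read_entry(block, off, limit):
    """Decode the entry at off; None unless it is self-consistent and ends by limit."""
    if off + HDR.size > limit:
        return None
    inode, rec_len, name_len, _ = HDR.unpack_from(block, off)
    if rec_len % 4 or rec_len < need(name_len) or off + rec_len > limit:
        return None
    return inode, rec_len, block[off + HDR.size: off + HDR.size + name_len]

def find_names(block, wanted, find_all=False, mode="any"):
    """Return [(name, is_deleted)]; find_all mirrors -a, mode 'deleted'/'undeleted' mirrors -d/-u."""
    hits, off = [], 0
    while (live := read_entry(block, off, len(block))) is not None:
        inode, rec_len, name = live
        end = off + rec_len
        cands = [(inode, name, False)] if inode and name else []
        slack = off + need(len(name))      # space past the live entry's own bytes
        while slack < end:                 # unlinked entries may still sit here
            old = read_entry(block, slack, end)
            if old and old[0] and old[2]:
                cands.append((old[0], old[2], True))
                slack += need(len(old[2]))
            else:
                slack += 4
        for ino, nm, deleted in cands:
            if ino == wanted and mode in ("any", "deleted" if deleted else "undeleted"):
                hits.append((nm.decode("ascii", "replace"), deleted))
                if not find_all:
                    return hits
        off = end
    return hits

# Constructed sample: draft.txt was unlinked, so ".." had its rec_len grown from 12 to 32.
BLOCK = (entry(2, 12, b".", 2) + entry(2, 32, b"..", 2) +
         entry(212, 20, b"draft.txt") + entry(212, 52, b"notes.txt")).ljust(96, b"\0")

if __name__ == "__main__":
    print(find_names(BLOCK, 212, find_all=True))
```
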

SEE ALSO

      dd(1), ifind(1)

HISTORY

      ffind first appeared in TCTUTILs v1.0 as find_file.

AUTHOR

      Brian Carrier <carrier@sleuthkit.org>