Fls

From SleuthKitWiki
Revision as of 12:24, 14 September 2008 by Dhawkins (Talk | contribs)

Jump to: navigation, search

Back to Help Documents


fls lists the files and directory names in a file system and can display file names of recently deleted files for the directory using the given inode.

Output Types:

Mac-time Output

The Mac-time Output format (option "-m mnt", where 'mnt' will be pre-pended to the filepath/filename) will produce a pipe ("|") delimited output. The fields produced are as follows: 

MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links \n
| UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks

For example: 

fls -m "/" -o 1 -i raw imageFile.dd

Produces: 

0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0

Notes:

Times reported by fls -m are in UNIX time format.

Retrieved from "https://wiki.sleuthkit.org/index.php?title=Fls&oldid=231"