Fls

From SleuthKitWiki
Revision as of 10:20, 20 September 2008 by Carrier (Talk | contribs)




fls lists the file and directory names in a file system. Given the metadata address (inode) of a directory, it lists that directory's entries, including the names of recently deleted files that are still recoverable from the directory structure.

Output Data

With the '-l' or '-m' argument, each line of fls output carries several fields. This section describes what each field means.

Mactime Format

The mactime output format (option "-m mnt", where 'mnt' is the mount point that will be prepended to each file path) produces pipe ("|") delimited output, the "body" file that mactime reads. The format produced by the 3.X versions of fls differs from that of the 1.X and 2.X versions.

The 3.X output has the following fields:

MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

The 2.X output has the following fields:

MD5|path/name|device|inode|mode_as_value|mode_as_string|num_of_links|UID|GID|rdev|size|atime|mtime|ctime|block_size|num_of_blocks

For example, for a file system that starts at sector offset 1 of a raw image:

fls -m "/" -o 1 -i raw imageFile.dd 

Produces (in 2.X):

0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0

Notes:

Times reported by fls -m are in UNIX time format (seconds since 1970-01-01 00:00:00 UTC). They are converted to human-readable dates when the body file is processed by mactime.
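The following is an added example, not code from the SleuthKit wiki page or from TSK itself. It parses body-file lines in both the 2.X and the 3.X layouts described above, distinguishing them by field count, converts the UNIX timestamps to UTC, and folds each record into one MACB-flagged timeline entry per distinct timestamp, which is what mactime does with this input. The 2.X sample line is the one shown above; the 3.X line (/Documents/notes.txt, NTFS-style inode 12-128-3) is constructed for the example, and the choice to skip zero timestamps as "unset" is this example's assumption.

```python
"""Parse fls -m ("body") lines in the TSK 2.X and 3.X layouts and build a
MACB timeline from them. Added example; not part of the wiki page or of TSK.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# 3.X body layout: 11 pipe-separated fields.
FIELDS_3X = ("md5", "name", "inode", "mode", "uid", "gid", "size",
             "atime", "mtime", "ctime", "crtime")
# 2.X body layout: 16 fields, and no created time at all.
FIELDS_2X = ("md5", "name", "device", "inode", "mode_value", "mode", "nlink",
             "uid", "gid", "rdev", "size", "atime", "mtime", "ctime",
             "block_size", "num_blocks")


class BodyRecord(NamedTuple):
    name: str
    inode: str
    mode: str
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: Optional[int]  # None for 2.X output, which carries no crtime


def parse_body_line(line: str) -> BodyRecord:
    """Detect the layout by field count and return a normalised record.

    A file name that itself contains '|' throws the count off; that case is
    reported as an error rather than silently mis-assigning fields.
    """
    parts = line.rstrip("\r\n").split("|")
    if len(parts) == len(FIELDS_3X):
        f = dict(zip(FIELDS_3X, parts))
        crtime: Optional[int] = int(f["crtime"])
    elif len(parts) == len(FIELDS_2X):
        f = dict(zip(FIELDS_2X, parts))
        crtime = None
    else:
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return BodyRecord(f["name"], f["inode"], f["mode"], int(f["uid"]),
                      int(f["gid"]), int(f["size"]), int(f["atime"]),
                      int(f["mtime"]), int(f["ctime"]), crtime)


def unix_to_utc(ts: int) -> str:
    """Body timestamps are seconds since 1970-01-01 00:00:00 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


class TimelineEntry(NamedTuple):
    when: str   # UTC date/time
    size: int
    macb: str   # e.g. "m.c.": which of mtime/atime/ctime/crtime equal this time
    mode: str
    uid: int
    gid: int
    inode: str
    name: str


def build_timeline(records: List[BodyRecord]) -> List[TimelineEntry]:
    """One entry per (file, distinct timestamp), flagged MACB, sorted by time.

    Assumption for this example: a zero timestamp means "not set" and is skipped.
    """
    entries = []
    for r in records:
        stamps = {"m": r.mtime, "a": r.atime, "c": r.ctime, "b": r.crtime}
        for t in sorted({v for v in stamps.values() if v}):
            macb = "".join(k if stamps[k] == t else "." for k in "macb")
            entries.append(TimelineEntry(unix_to_utc(t), r.size, macb, r.mode,
                                         r.uid, r.gid, r.inode, r.name))
    return sorted(entries, key=lambda e: (e.when, e.name))


# Constructed sample body file: the 2.X line from the page plus one 3.X line.
SAMPLE_BODY = """\
0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0
0|/Documents/notes.txt|12-128-3|r/rrwxrwxrwx|0|0|4096|1220846400|1216831874|1216831874|1200000000
"""


def timeline_from_body(text: str) -> List[TimelineEntry]:
    return build_timeline([parse_body_line(l) for l in text.splitlines() if l.strip()])


if __name__ == "__main__":
    for e in timeline_from_body(SAMPLE_BODY):
        print(f"{e.when} {e.size:>8} {e.macb} {e.mode} {e.uid} {e.gid} {e.inode} {e.name}")
```

Running it on the sample prints five timeline lines: the 3.X record contributes a "...b" entry for its creation time, both records share an "m.c." entry (mtime and ctime are equal in both sample lines) and an ".a.." entry for the later access time. Note that a file name containing "|" cannot be parsed unambiguously by field count alone; the parser raises in that case rather than guessing.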

Long Format

The '-l' argument selects the "long" format, which prints more details. It is tab-delimited with the following fields:

  • file type as reported in the file name entry and in the metadata structure (for example "r/r" for a regular file in both, "d/d" for a directory)
  • Metadata address
  • name
  • mtime (last modified time)
  • atime (last accessed time)
  • ctime (last changed time)
  • crtime (created time)
  • size
  • uid
  • gid

Note that the 2.X versions of TSK do not print the created time.