Ifind
From SleuthKitWiki
Version 2.09 Man Page
NAME
ifind - Find the meta-data structure that has allocated a given disk
unit.
SYNOPSIS
ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p par_inode] [-z
ZONE] [-i imgtype] [-o imgoffset] image [images]
DESCRIPTION
ifind finds the meta-data structure that has data_unit allocated a data
unit or has a given file name. In some cases any of the structures can
be unallocated and this will still find the results.
There are several required and optional arguments. The image file
names must be specified each time:
image [images]
One (or more if split) disk or partition images whose format is
given with ’-i’..PP
You must also specify what you are looking for and include one
of the following:
-d data_unit
Finds the meta data structure that has allocated a given data
unit (block, cluster, etc.)
-n file
Finds the meta data structure that is pointed to by the given
file name.
-p par_inode
Finds the unallocated MFT entries in an NTFS image that have the
given inode as the parent. Can be used with ’-l and -z’.
There are also several optional arguments:
-a Find all meta-data structures (only works when looking with a
data_unit).
-f fstype
Specify the file system type. Use the -? argument for list of
supported types. If not given, the default type for the plat-
form is used.
-l List the details of each file found with ’-p’, like ’fls -l’.
-i imgtype
Identify the type of image file, such as raw or split. Raw is
the default.
-o imgoffset
The sector offset where the file system starts in the image.
Non-512 byte sectors can be specified using ’@’ (32@2048).
-v Verbose output to stderr.
-V Display version.
-z If ’-p -l’ were given, this will set the timezone for the cor-
rect times.
EXAMPLES
# ifind -f fat -d 456 fat-img.dd
# ifind -f linux-ext2 -n "/etc/" linux-img.dd
# ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
SEE ALSO
dd(1),
HISTORY
ifind first appeared in TCTUTILs v1.0 as find_inode.
AUTHOR
Brian Carrier <carrier@sleuthkit.org>
