Difference between revisions of "Ifind"
From SleuthKitWiki
(New page: Version 2.09 Man Page NAME ifind - Find the meta-data structure that has allocated a given disk unit. SYNOPSIS ifind [-avVl] [-f fstype] [-d data_unit] [-n file] ...) |
m (Reformatted) |
||
| Line 1: | Line 1: | ||
| − | + | Back to [[Help Documents]] | |
| − | + | ==ifind== | |
| − | + | Version 2.09 | |
| − | + | ||
| − | + | ===Purpose=== | |
| − | + | Finds the meta-data structure that has data_unit allocated a data unit or has a given file name. In some cases any of the structures can be unallocated and this will still find the results. | |
| − | + | <br />There are several required and optional arguments. The image file names must be specified each time: | |
| − | + | ===Usage=== | |
| − | + | ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p par_inode] [-z ZONE] [-i imgtype] [-o imgoffset] image [images] | |
| − | + | ||
| − | + | ||
| − | + | ===Options=== | |
| − | + | ||
| − | + | {| border="1" cellpadding="5" | |
| − | + | !Switch | |
| − | + | !Purpose | |
| + | |- | ||
| + | | image [images] || One (or more if split) disk or partition images whose format is given with ’-i’..PP | ||
| + | You must also specify what you are looking for and include one of the following: | ||
| + | |- | ||
| + | | -d data_unit || Finds the meta data structure that has allocated a given data unit (block, cluster, etc.) | ||
| + | |- | ||
| + | | -n file || Finds the meta data structure that is pointed to by the given file name. | ||
| + | |- | ||
| + | | -p par_inode || Finds the unallocated MFT entries in an NTFS image that have the given inode as the parent. Can be used with ’-l and -z’. | ||
| + | |- | ||
| + | ! colspan="2"|''Optional Arguments'' | ||
| + | |- | ||
| + | | -a || Find all meta-data structures (only works when looking with a data_unit). | ||
| + | |- | ||
| + | | -f fstype || Specify the file system type. Use the -? argument for list of supported types. If not given, the default type for the platform is used. | ||
| + | |- | ||
| + | | -l || List the details of each file found with ’-p’, like ’fls -l’. | ||
| + | |- | ||
| + | | -i imgtype || Identify the type of image file, such as raw or split. Raw is the default. | ||
| + | |- | ||
| + | | -o imgoffset || The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). | ||
| + | |- | ||
| + | | -v || Verbose output to stderr. | ||
| + | |- | ||
| + | | -V || Display version. | ||
| + | |- | ||
| + | | -z || If ’-p -l’ were given, this will set the timezone for the correct times. | ||
| + | |} | ||
| − | + | ===Example=== | |
| − | + | # ifind -f fat -d 456 fat-img.dd | |
| + | # ifind -f linux-ext2 -n "/etc/" linux-img.dd | ||
| + | # ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd | ||
| − | + | ===History=== | |
| − | + | ifind first appeared in TCTUTILs v1.0 as find_inode. | |
| − | + | ||
| − | + | ===Author=== | |
| − | + | Brian Carrier <carrier@sleuthkit.org> | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
Revision as of 16:31, 17 November 2007
Back to Help Documents
ifind
Version 2.09
Purpose
Finds the meta-data structure that has data_unit allocated a data unit or has a given file name. In some cases any of the structures can be unallocated and this will still find the results.
There are several required and optional arguments. The image file names must be specified each time:
Usage
ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p par_inode] [-z ZONE] [-i imgtype] [-o imgoffset] image [images]
Options
| Switch | Purpose |
|---|---|
| image [images] | One (or more if split) disk or partition images whose format is given with ’-i’..PP
You must also specify what you are looking for and include one of the following: |
| -d data_unit | Finds the meta data structure that has allocated a given data unit (block, cluster, etc.) |
| -n file | Finds the meta data structure that is pointed to by the given file name. |
| -p par_inode | Finds the unallocated MFT entries in an NTFS image that have the given inode as the parent. Can be used with ’-l and -z’. |
| Optional Arguments | |
| -a | Find all meta-data structures (only works when looking with a data_unit). |
| -f fstype | Specify the file system type. Use the -? argument for list of supported types. If not given, the default type for the platform is used. |
| -l | List the details of each file found with ’-p’, like ’fls -l’. |
| -i imgtype | Identify the type of image file, such as raw or split. Raw is the default. |
| -o imgoffset | The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). |
| -v | Verbose output to stderr. |
| -V | Display version. |
| -z | If ’-p -l’ were given, this will set the timezone for the correct times. |
Example
# ifind -f fat -d 456 fat-img.dd # ifind -f linux-ext2 -n "/etc/" linux-img.dd # ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
History
ifind first appeared in TCTUTILs v1.0 as find_inode.
Author
Brian Carrier <carrier@sleuthkit.org>
