File: fls.1

package: sleuthkit 4.6.5-1 (suite: buster)
.TH FLS 1 
.SH NAME
fls \- List file and directory names in a disk image.
.SH SYNOPSIS
.B fls [-adDFlpruvV] [-m
.I mnt
.B ] [-z
.I zone
.B ] [-f
.I fstype
.B ] [-s
.I seconds
.B ] [-i 
.I imgtype
.B ] [-o 
.I imgoffset
.B ] [-b dev_sector_size]  
.I image [images] 
.B [
.I inode
.B ]
.SH DESCRIPTION
.B fls
lists the files and directory names in the
.I image
and can display file names of recently deleted files for the directory
using the given
.I inode.
If the inode argument is not given, the inode value for the root directory is used. For example, on an NTFS file system it would be 5 and on an Ext3 file system it would be 2.

The arguments are as follows:
.IP -a
Display the "." and ".." directory entries (by default it does not)
.IP -d
Display deleted entries only
.IP -D  
Display directory entries only
.IP "-f fstype"
The type of file system.  
Use '\-f list' to list the supported file system types.
If not given, autodetection methods are used.
.IP -F  
Display file (all non-directory) entries only.  
.IP -l  
Display file details in long format.  The following contents are displayed:

file_type inode file_name mod_time acc_time chg_time cre_time size uid gid
.IP "-m mnt"
Display files in time machine format so that a timeline can be
created with mactime(1).
The string given as 
.I mnt
will be prepended to the file names as the mounting point 
(for example /usr).  
.IP -p  
Display the full path for each entry.  By default it denotes
the directory depth on recursive runs with a '+' sign. 
.IP -r  
Recursively display directories.  This will not
follow deleted directories, because it can't. 
.IP "-s seconds"
The time skew of the original system in seconds.  For example, if the
original system was 100 seconds slow, this value would be \-100.  This
is only used if \-l or \-m are given.
.IP "-i imgtype"
Identify the type of image file, such as raw.
Use '\-i list' to list the supported types.
If not given, autodetection methods are used.
.IP "-o imgoffset"
The sector offset where the file system starts in the image.  
.IP "-b dev_sector_size"
The size, in bytes, of the underlying device sectors.  If not given, the value in the image format is used (if it exists) or 512-bytes is assumed.
.IP -u  
Display undeleted entries only
.IP -v
Verbose output to stderr.
.IP -V
Display version.
.IP "-z zone"
The ASCII string of the time zone of the original system.  For
example, EST or GMT.  These strings must be defined by your operating
system and may vary.
.IP "image [images]"
The disk or partition image to read, whose format is given with '\-i'.
Multiple image file names can be given if the image is split into multiple segments.
If only one image file is given, and its name is the first in a sequence (e.g., as indicated by ending in '.001'), subsequent image segments will be included automatically.
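The \-m, \-s and \-z options above describe how fls emits a bodyfile for mactime(1) and how clock skew and time zone are applied to it. The following Python script is an added example written for this page; it is not part of The Sleuth Kit. It assumes the bodyfile field layout that fls \-m produces (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime), applies the skew exactly as the \-s text defines it (a clock that was 100 seconds slow is given as \-100, so the corrected time is the recorded time minus the skew), and takes a Python tzinfo instead of the \-z zone name. The sample lines are constructed, not taken from a real image.

```python
"""Parse bodyfile lines (the `fls -m` format read by mactime(1)) and build a
sorted MACB timeline, applying the clock skew that `fls -s` corrects.
Added example for this man page; not Sleuth Kit code."""
from dataclasses import dataclass
from datetime import datetime, timezone, tzinfo

# Constructed sample lines in the layout fls -m emits; these are not real data.
# Fields: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# fls marks deleted entries by appending " (deleted)" to the name.
SAMPLE_BODYFILE = """\
0|/usr/bin/ls|12|r/rrwxr-xr-x|0|0|133792|1548000000|1547000000|1547000000|1547000000
0|/usr/local/etc/passwd.bak (deleted)|29|r/rrw-r--r--|0|0|2048|1548003600|1548003600|1548003600|1548003600
0|/usr/local|2|d/drwxr-xr-x|0|0|4096|1548007200|1547000000|1547000000|1547000000
"""


@dataclass
class BodyEntry:
    name: str
    inode: str
    mode: str
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int

    @property
    def deleted(self) -> bool:
        return self.name.endswith(" (deleted)")


def parse_bodyfile(text: str) -> list:
    """Split each non-empty line into the 11 bodyfile fields; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        _md5, name, inode, mode, uid, gid, size, a, m, c, cr = fields
        entries.append(BodyEntry(name, inode, mode, int(uid), int(gid), int(size),
                                 int(a), int(m), int(c), int(cr)))
    return entries


def timeline(entries, skew_seconds: int = 0, tz: tzinfo = timezone.utc):
    """Return rows of (time string, MACB flags, inode, name) in time order.

    skew_seconds follows the -s convention of fls: a system that ran 100 s slow
    is given as -100, so corrected = recorded - skew (here: recorded + 100).
    A timestamp of 0 means "not set" and produces no event, as in mactime.
    """
    events = {}
    for e in entries:
        for flag, t in (("m", e.mtime), ("a", e.atime), ("c", e.ctime), ("b", e.crtime)):
            if t == 0:
                continue
            corrected = t - skew_seconds
            events.setdefault((corrected, e.inode, e.name), set()).add(flag)
    rows = []
    for (ts, inode, name), flags in sorted(events.items()):
        # mactime prints one column per timestamp kind: m, a, c, b, or '.' if absent.
        macb = "".join(f if f in flags else "." for f in "macb")
        when = datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M:%S %Z")
        rows.append((when, macb, inode, name))
    return rows


if __name__ == "__main__":
    parsed = parse_bodyfile(SAMPLE_BODYFILE)
    for row in timeline(parsed, skew_seconds=-100):
        print("\t".join(row))
```

The deleted entry is identifiable from the name suffix, which is the same information the '*' marker carries in the ordinary fls listing; when the source system's clock was known to be off, pass the same value you would give fls \-s, and the four MACB columns make it obvious when a file's create, change and modify times collapse onto one event.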

.PP
Once the inode has been determined, the file can be recovered using
.BR icat(1)
from The Coroner's Toolkit.  The amount of information recovered from
deleted file entries varies depending on the system.  For example,
on Linux, a recently deleted file can be easily recovered, while in
Solaris not even the inode can be determined.  If you just want to
find what file name belongs to an inode, it is easier to use
.BR ffind(1).

.SH EXAMPLES
To get a list of all files and directories in an image use:

	# fls \-r image 2

or just (if no inode is specified, the root directory inode is used):

	# fls \-r image

To get the full path of deleted files in a given directory:

	# fls \-d \-p image 29

To get the mactime output do:

	# fls \-m /usr/local image 2

If you have a disk image and the file system starts in sector 63, use:

	# fls \-o 63 disk-img.dd

If you have a disk image that is split use:

	# fls \-i "split" \-o 63 disk-1.dd disk-2.dd disk-3.dd

.SH "SEE ALSO"
.BR ffind (1),
.BR icat (1)

.SH AUTHOR
Brian Carrier <carrier at sleuthkit dot org>

Send documentation updates to <doc-updates at sleuthkit dot org>