1FLS(1) General Commands Manual FLS(1)
2
6 fls - List file and directory names in a disk image.
7
9 fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i
10 imgtype ] [-o imgoffset ] [-b dev_sector_size] image [images] [ inode ]
11
13 fls lists the files and directory names in the image and can display
14 file names of recently deleted files for the directory using the given
15 inode. If the inode argument is not given, the inode value for the
16 root directory is used. For example, on an NTFS file system it would be
17 5 and on a Ext3 file system it would be 2.
18 The arguments are as follows:
20 -a Display the "." and ".." directory entries (by default it does
22 not)
23 -d Display deleted entries only
25 -D Display directory entries only
27 -f fstype
29 The type of file system. Use '-f list' to list the supported
30 file system types. If not given, autodetection methods are
31 used.
32 -F Display file (all non-directory) entries only.
34 -l Display file details in long format. The following contents are
36 displayed:
37 file_type inode file_name mod_time acc_time chg_time cre_time
39 size uid gid
40 -m mnt Display files in time machine format so that a timeline can be
42 created with mactime(1). The string given as mnt will be
43 prepended to the file names as the mounting point (for example
44 /usr).
45 -p Display the full path for each entry. By default it denotes the
47 directory depth on recursive runs with a '+' sign.
48 -r Recursively display directories. This will not follow deleted
50 directories, because it can't.
51 -s seconds
53 The time skew of the original system in seconds. For example,
54 if the original system was 100 seconds slow, this value would be
55 -100. This is only used if -l or -m are given.
56 -i imgtype
58 Identify the type of image file, such as raw or split. Use '-i
59 list' to list the supported types. If not given, autodetection
60 methods are used.
61 -o imgoffset
63 The sector offset where the file system starts in the image.
64 -b dev_sector_size
66 The size, in bytes, of the underlying device sectors. If not
67 given, the value in the image format is used (if it exists) or
68 512-bytes is assumed.
69 -u Display undeleted entries only
71 -v Verbose output to stderr.
73 -V Display version.
75 -z zone
77 The ASCII string of the time zone of the original system. For
78 example, EST or GMT. These strings must be defined by your
79 operating system and may vary.
80 image [images]
82 One (or more if split) disk or partition images whose format is
83 given with '-i'.
84 Once the inode has been determined, the file can be recovered using
87 icat(1) from The Coroners Toolkit. The amount of information recovered
88 from deleted file entries varies depending on the system. For example,
89 on Linux, a recently deleted file can be easily recovered, while in
90 Solaris not even the inode can be determined. If you just want to find
91 what file name belongs to an inode, it is easier to use ffind(1).
92
95 To get a list of all files and directories in an image use:
96 # fls -r image 2
98 or just (if no inode is specified, the root directory inode is
100 used):
101 # fls -r image
103 To get the full path of deleted files in a given directory:
105 # fls -d -p image 29
107 To get the mactime output do:
109 # fls -m /usr/local image 2
111 If you have a disk image and the file system starts in sector 63, use:
113 # fls -o 63 disk-img.dd
115 If you have a disk image that is split use:
117 # fls -i "split" -o 63 disk-1.dd disk-2.dd disk-3.dd
119
123 ffind(1), icat(1)
124
127 Brian Carrier <carrier at sleuthkit dot org>
128 Send documentation updates to <doc-updates at sleuthkit dot org>
130 FLS(1)