1ILS(1) General Commands Manual ILS(1)
2
6 ils - List inode information
7
9 ils [-emOpvV] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ]
10 [-b dev_sector_size] image [images] [start-stop]
11 ils [-aAlLvVzZ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset
13 ] image [images] [start-stop]
14
16 ils opens the named image(s) and lists inode information. By default,
17 ils lists only the inodes of removed files.
18 Arguments:
20 -e List every inode in the file system.
22 -f fstype
24 Specifies the file system type. Use '-f list' to list the sup‐
25 ported file system types. If not given, autodetection methods
26 are used.
27 -s seconds
29 The time skew of the original system in seconds. For example,
30 if the original system was 100 seconds slow, this value would be
31 -100.
32 -m Display the inode details in the format that the mactime program
34 reads (replaces the ils2mac script from TCT)
35 -O List only inodes of removed files that are still open or execut‐
37 ing. This option is short-hand notation for -aL "(see the fine
38 controls section below). (this used to be -o).
39 -p Display orphan inodes (unallocated with no file name)
41 -r (default) List only inodes of removed files. This option is
43 short-hand notation for -LZ (see the fine controls section
44 below).
45 -i imgtype
47 Identify the type of image file, such as raw or split. Use '-i
48 list' to list the supported types. If not given, autodetection
49 methods are used.
50 -o imgoffset
52 The sector offset where the file system starts in the image.
53 -b dev_sector_size
55 The size, in bytes, of the underlying device sectors. If not
56 given, the value in the image format is used (if it exists) or
57 512-bytes is assumed.
58 -v Turn on verbose mode, output to stderr.
60 -V Display Version.
62 image [images]
64 One (or more if split) disk or partition images whose format is
65 given with '-i'.
66 start-stop
68 Examine the specified inode number or number range.
69 Fine controls:
71 -a List only allocated inodes: these belong to files with at least
73 one directory entry in the file system, and to removed files
74 that are still open or executing.
75 -A List only unallocated inodes: these belong to files that no
77 longer exist.
78 -l List only inodes with at least one hard link. These belong to
80 files with at least one directory entry in the file system.
81 -L List only inodes without any hard links. These belong to files
83 that no longer exist, and to removed files that are still open
84 or executing.
85 -z List only inodes with zero status change time. Presumably, these
87 inodes were never used.
88 -Z List only inodes with non-zero status change time. Presumably,
90 these belong to files that still exist, or that existed in the
91 past.
92 The output format is in time machine format. The output begins with a
94 two-line header that describes the data origin, and is followed by a
95 one-line header that lists the names of the data attributes that make
96 up the remainder of the output:
97 st_ino The inode number.
99 st_alloc
101 Allocation status: `a' for allocated inode, `f' for free inode.
102 st_uid Owner user ID.
104 st_gid Owner group ID.
106 st_mtime
108 UNIX time (seconds) of last file modification.
109 st_atime
111 UNIX time (seconds) of last file access.
112 st_ctime
114 UNIX time (seconds) of last inode status change.
115 st_dtime
117 UNIX time (seconds) of file deletion (LINUX only).
118 st_mode
120 File type and permissions (octal).
121 st_nlink
123 Number of hard links.
124 st_size
126 File size in bytes.
127 st_block0,st_block1
129 The first two entries in the direct block address list.
130
132 mactime(1)
133
135 This software is distributed under the IBM Public License.
136
138 First appeared in The Coroners Toolkit (TCT) 1.0.
139
141 Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights,
142 NY 10598, USA
143 This version is maintained by Brian Carrier (carrier at sleuthkit dot
145 org)
146 Send documentation updates to <doc-updates at sleuthkit dot org>
148 ILS(1)