ifind(1) - f14

1IFIND(1)                    General Commands Manual                   IFIND(1)
2
3
4

NAME

6       ifind  -  Find  the meta-data structure that has allocated a given disk
7       unit or file name.
8

SYNOPSIS

10       ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p  par_inode]  [-z
11       ZONE] [-i imgtype] [-o imgoffset] [-b dev_sector_size] image [images]
12

DESCRIPTION

14       ifind finds the meta-data structure that has data_unit allocated a data
15       unit or has a given file name.  In some cases any of the structures can
16       be unallocated and this will still find the results.
17
18

ARGUMENTS

20       There  are  several  required  and  optional arguments.  The image file
21       names must be specified each time:
22
23       image [images]
24              One (or more if split) disk or partition images whose format  is
25              given with '-i'..PP
26
27              You  must  also specify what you are looking for and include one
28              of the following:
29
30       -d data_unit
31              Finds the meta data structure that has allocated  a  given  data
32              unit (block, cluster, etc.)
33
34
35       -n file
36              Finds  the  meta  data structure that is pointed to by the given
37              file name.
38
39
40       -p par_inode
41              Finds the unallocated MFT entries in an NTFS image that have the
42              given inode as the parent.  Can be used with '-l and -z'.
43
44
45       There are also several optional arguments:
46
47       -a     Find  all  meta-data  structures (only works when looking with a
48              data_unit).
49
50       -f fstype
51              Specify the file system type.  Use '-f list' to  list  the  sup‐
52              ported  file  system types.  If not given, autodetection methods
53              are used.
54
55       -l     List the details of each file found with '-p', like 'fls -l'.
56
57       -i imgtype
58              Identify the type of image file, such as raw or split.  Use  '-i
59              list'  to list the supported types.  If not given, autodetection
60              methods are used.
61
62       -o imgoffset
63              The sector offset where the file system starts in the image.
64
65       -b dev_sector_size
66              The size, in bytes, of the underlying device  sectors.   If  not
67              given,  the  value in the image format is used (if it exists) or
68              512-bytes is assumed.
69
70       -v     Verbose output to stderr.
71
72       -V     Display version.
73
74       -z ZONE
75              If '-p -l' were given, this will set the timezone for  the  cor‐
76              rect times.
77
78

EXAMPLES

80       # ifind -f fat -d 456 fat-img.dd
81
82       # ifind -f linux-ext2 -n "/etc/" linux-img.dd
83
84       # ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
85
86

AUTHOR

88       Brian Carrier <carrier at sleuthkit dot org>
89
90       Send documentation updates to <doc-updates at sleuthkit dot org>
91
92
93
94                                                                      IFIND(1)