1FLS(1) General Commands Manual FLS(1)
2
6 fls - List file and directory names in a disk image.
7
9 fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i
10 imgtype ] [-o imgoffset ] [-b dev_sector_size] image [images] [ inode ]
11
13 fls lists the files and directory names in the image and can display
14 file names of recently deleted files for the directory using the given
15 inode. If the inode argument is not given, the inode value for the
16 root directory is used. For example, on an NTFS file system it would be
17 5 and on a Ext3 file system it would be 2.
18 The arguments are as follows:
20 -a Display the "." and ".." directory entries (by default it does
22 not)
23 -d Display deleted entries only
25 -D Display directory entries only
27 -f fstype
29 The type of file system. Use '-f list' to list the supported
30 file system types. If not given, autodetection methods are
31 used.
32 -F Display file (all non-directory) entries only.
34 -l Display file details in long format. The following contents are
36 displayed:
37 file_type inode file_name mod_time acc_time chg_time cre_time
39 size uid gid
40 -m mnt Display files in time machine format so that a timeline can be
42 created with mactime(1). The string given as mnt will be
43 prepended to the file names as the mounting point (for example
44 /usr).
45 -p Display the full path for each entry. By default it denotes the
47 directory depth on recursive runs with a '+' sign.
48 -r Recursively display directories. This will not follow deleted
50 directories, because it can't.
51 -s seconds
53 The time skew of the original system in seconds. For example,
54 if the original system was 100 seconds slow, this value would be
55 -100. This is only used if -l or -m are given.
56 -i imgtype
58 Identify the type of image file, such as raw. Use '-i list' to
59 list the supported types. If not given, autodetection methods
60 are used.
61 -o imgoffset
63 The sector offset where the file system starts in the image.
64 -b dev_sector_size
66 The size, in bytes, of the underlying device sectors. If not
67 given, the value in the image format is used (if it exists) or
68 512-bytes is assumed.
69 -u Display undeleted entries only
71 -v Verbose output to stderr.
73 -V Display version.
75 -z zone
77 The ASCII string of the time zone of the original system. For
78 example, EST or GMT. These strings must be defined by your
79 operating system and may vary.
80 image [images]
82 The disk or partition image to read, whose format is given with
83 '-i'. Multiple image file names can be given if the image is
84 split into multiple segments. If only one image file is given,
85 and its name is the first in a sequence (e.g., as indicated by
86 ending in '.001'), subsequent image segments will be included
87 automatically.
88 Once the inode has been determined, the file can be recovered using
91 icat(1) from The Coroners Toolkit. The amount of information recovered
92 from deleted file entries varies depending on the system. For example,
93 on Linux, a recently deleted file can be easily recovered, while in
94 Solaris not even the inode can be determined. If you just want to find
95 what file name belongs to an inode, it is easier to use ffind(1).
96
99 To get a list of all files and directories in an image use:
100 # fls -r image 2
102 or just (if no inode is specified, the root directory inode is
104 used):
105 # fls -r image
107 To get the full path of deleted files in a given directory:
109 # fls -d -p image 29
111 To get the mactime output do:
113 # fls -m /usr/local image 2
115 If you have a disk image and the file system starts in sector 63, use:
117 # fls -o 63 disk-img.dd
119 If you have a disk image that is split use:
121 # fls -i "split" -o 63 disk-1.dd disk-2.dd disk-3.dd
123
127 ffind(1), icat(1)
128
131 Brian Carrier <carrier at sleuthkit dot org>
132 Send documentation updates to <doc-updates at sleuthkit dot org>
134 FLS(1)