1IFIND(1)                    General Commands Manual                   IFIND(1)
2
3
4

NAME

6       ifind  -  Find  the meta-data structure that has allocated a given disk
7       unit or file name.
8

SYNOPSIS

10       ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p  par_inode]  [-z
11       ZONE] [-i imgtype] [-o imgoffset] [-b dev_sector_size] image [images]
12

DESCRIPTION

14       ifind finds the meta-data structure that has data_unit allocated a data
15       unit or has a given file name.  In some cases any of the structures can
16       be unallocated and this will still find the results.
17
18

ARGUMENTS

20       There  are  several  required  and  optional arguments.  The image file
21       names must be specified each time:
22
23       image [images]
24              The disk or partition image to read, whose format is given  with
25              '-i'.   Multiple  image  file names can be given if the image is
26              split into multiple segments.  If only one image file is  given,
27              and  its  name is the first in a sequence (e.g., as indicated by
28              ending in '.001'), subsequent image segments  will  be  included
29              automatically.
30
31
32       You  must  also specify what you are looking for and include one of the
33       following:
34
35       -d data_unit
36              Finds the meta data structure that has allocated  a  given  data
37              unit (block, cluster, etc.)
38
39
40       -n file
41              Finds  the  meta  data structure that is pointed to by the given
42              file name.
43
44
45       -p par_inode
46              Finds the unallocated MFT entries in an NTFS image that have the
47              given inode as the parent.  Can be used with '-l and -z'.
48
49
50       There are also several optional arguments:
51
52       -a     Find  all  meta-data  structures (only works when looking with a
53              data_unit).
54
55       -f fstype
56              Specify the file system type.  Use '-f list' to  list  the  sup‐
57              ported  file  system types.  If not given, autodetection methods
58              are used.
59
60       -l     List the details of each file found with '-p', like 'fls -l'.
61
62       -i imgtype
63              Identify the type of image file, such as raw.  Use '-i list'  to
64              list  the  supported types.  If not given, autodetection methods
65              are used.
66
67       -o imgoffset
68              The sector offset where the file system starts in the image.
69
70       -b dev_sector_size
71              The size, in bytes, of the underlying device  sectors.   If  not
72              given,  the  value in the image format is used (if it exists) or
73              512-bytes is assumed.
74
75       -v     Verbose output to stderr.
76
77       -V     Display version.
78
79       -z ZONE
80              If '-p -l' were given, this will set the timezone for  the  cor‐
81              rect times.
82
83

EXAMPLES

85       # ifind -f fat -d 456 fat-img.dd
86
87       # ifind -f linux-ext2 -n "/etc/" linux-img.dd
88
89       # ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
90
91

AUTHOR

93       Brian Carrier <carrier at sleuthkit dot org>
94
95       Send documentation updates to <doc-updates at sleuthkit dot org>
96
97
98
99                                                                      IFIND(1)
Impressum