1ILS(1)                      General Commands Manual                     ILS(1)
2
3
4

NAME

6       ils - List inode information
7

SYNOPSIS

9       ils  [-emOpvV] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ]
10       [-b dev_sector_size] image [images] [start-stop]
11
12       ils [-aAlLvVzZ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o  imgoffset
13       ] image [images] [start-stop]
14

DESCRIPTION

16       ils  opens  the named image(s) and lists inode information. By default,
17       ils lists only the inodes of removed files.
18
19       Arguments:
20
21       -e     List every inode in the file system.
22
23       -f fstype
24              Specifies the file system type.  Use '-f list' to list the  sup‐
25              ported  file  system types.  If not given, autodetection methods
26              are used.
27
28       -s seconds
29              The time skew of the original system in seconds.   For  example,
30              if the original system was 100 seconds slow, this value would be
31              -100.
32
33       -m     Display the inode details in the format that the mactime program
34              reads (replaces the ils2mac script from TCT)
35
36       -O     List only inodes of removed files that are still open or execut‐
37              ing.  This option is short-hand notation for -aL "(see the  fine
38              controls section below). (this used to be -o).
39
40       -p     Display orphan inodes (unallocated with no file name)
41
42       -r     (default)  List  only  inodes  of  removed files. This option is
43              short-hand notation for  -LZ  (see  the  fine  controls  section
44              below).
45
46       -i imgtype
47              Identify  the type of image file, such as raw.  Use '-i list' to
48              list the supported types.  If not given,  autodetection  methods
49              are used.
50
51       -o imgoffset
52              The sector offset where the file system starts in the image.
53
54       -b dev_sector_size
55              The  size,  in  bytes, of the underlying device sectors.  If not
56              given, the value in the image format is used (if it  exists)  or
57              512-bytes is assumed.
58
59       -v     Turn on verbose mode, output to stderr.
60
61       -V     Display Version.
62
63       image [images]
64              The  disk or partition image to read, whose format is given with
65              '-i'.  Multiple image file names can be given if  the  image  is
66              split  into multiple segments.  If only one image file is given,
67              and its name is the first in a sequence (e.g., as  indicated  by
68              ending  in  '.001'),  subsequent image segments will be included
69              automatically.
70
71       start-stop
72              Examine the specified inode number or number range.
73
74       Fine controls:
75
76       -a     List only allocated inodes: these belong to files with at  least
77              one  directory  entry  in  the file system, and to removed files
78              that are still open or executing.
79
80       -A     List only unallocated inodes: these  belong  to  files  that  no
81              longer exist.
82
83       -l     List  only  inodes  with at least one hard link. These belong to
84              files with at least one directory entry in the file system.
85
86       -L     List only inodes without any hard links. These belong  to  files
87              that  no  longer exist, and to removed files that are still open
88              or executing.
89
90       -z     List only inodes that were likely to have not been used.
91
92       -Z     List only inodes that were likely to be used.
93
94       The output format is in time machine format.  The output begins with  a
95       two-line  header  that  describes the data origin, and is followed by a
96       one-line header that lists the names of the data attributes  that  make
97       up the remainder of the output:
98
99       st_ino The inode number.
100
101       st_alloc
102              Allocation status: `a' for allocated inode, `f' for free inode.
103
104       st_uid Owner user ID.
105
106       st_gid Owner group ID.
107
108       st_mtime
109              UNIX time (seconds) of last file modification.
110
111       st_atime
112              UNIX time (seconds) of last file access.
113
114       st_ctime
115              UNIX time (seconds) of last inode status change.
116
117       st_dtime
118              UNIX time (seconds) of file deletion (LINUX only).
119
120       st_mode
121              File type and permissions (octal).
122
123       st_nlink
124              Number of hard links.
125
126       st_size
127              File size in bytes.
128
129       st_block0,st_block1
130              The first two entries in the direct block address list.
131

SEE ALSO

133       mactime(1)
134

LICENSE

136       This software is distributed under the IBM Public License.
137

HISTORY

139       First appeared in The Coroners Toolkit (TCT) 1.0.
140

AUTHOR(S)

142       Wietse  Venema  IBM T.J. Watson Research P.O. Box 704 Yorktown Heights,
143       NY 10598, USA
144
145       This version is maintained by Brian Carrier (carrier at  sleuthkit  dot
146       org)
147
148       Send documentation updates to <doc-updates at sleuthkit dot org>
149
150
151
152                                                                        ILS(1)
Impressum