FLS(1)                      General Commands Manual                     FLS(1)

NAME

       fls - List file and directory names in a disk image.

SYNOPSIS

       fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i
       imgtype ] [-o imgoffset ] [-b dev_sector_size] image [images] [ inode ]

DESCRIPTION

       fls lists the files and directory names in the image and can display
       file names of recently deleted files for the directory using the given
       inode.  If the inode argument is not given, the inode value for the
       root directory is used.  For example, on an NTFS file system it would
       be 5 and on an Ext3 file system it would be 2.

       The arguments are as follows:

       -a     Display the "." and ".." directory entries (by default it does
              not)

       -d     Display deleted entries only

       -D     Display directory entries only

       -f fstype
              The type of file system.  Use '-f list' to list the supported
              file system types.  If not given, autodetection methods are
              used.

       -F     Display file (all non-directory) entries only.

       -l     Display file details in long format.  The following contents are
              displayed:

              file_type inode file_name mod_time acc_time chg_time cre_time
              size uid gid

       -m mnt Display files in time machine format so that a timeline can be
              created with mactime(1).  The string given as mnt will be
              prepended to the file names as the mounting point (for example
              /usr).

       -p     Display the full path for each entry.  By default it denotes the
              directory depth on recursive runs with a '+' sign.

       -r     Recursively display directories.  This will not follow deleted
              directories, because it can't.

       -s seconds
              The time skew of the original system in seconds.  For example,
              if the original system was 100 seconds slow, this value would be
              -100.  This is only used if -l or -m are given.

       -i imgtype
              Identify the type of image file, such as raw.  Use '-i list' to
              list the supported types.  If not given, autodetection methods
              are used.

       -o imgoffset
              The sector offset where the file system starts in the image.

       -b dev_sector_size
              The size, in bytes, of the underlying device sectors.  If not
              given, the value in the image format is used (if it exists) or
              512 bytes is assumed.

       -u     Display undeleted entries only

       -v     Verbose output to stderr.

       -V     Display version.

       -z zone
              The ASCII string of the time zone of the original system.  For
              example, EST or GMT.  These strings must be defined by your
              operating system and may vary.

       image [images]
              The disk or partition image to read, whose format is given with
              '-i'.  Multiple image file names can be given if the image is
              split into multiple segments.  If only one image file is given,
              and its name is the first in a sequence (e.g., as indicated by
              ending in '.001'), subsequent image segments will be included
              automatically.

       Once the inode has been determined, the file can be recovered using
       icat(1) from The Coroner's Toolkit.  The amount of information
       recovered from deleted file entries varies depending on the system.
       For example, on Linux, a recently deleted file can be easily recovered,
       while in Solaris not even the inode can be determined.  If you just
       want to find what file name belongs to an inode, it is easier to use
       ffind(1).

EXAMPLES

       To get a list of all files and directories in an image use:

            # fls -r image 2

       or just (if no inode is specified, the root directory inode is used):

            # fls -r image

       To get the full path of deleted files in a given directory:

            # fls -d -p image 29

       To get the mactime output do:

            # fls -m /usr/local image 2

       If you have a disk image and the file system starts in sector 63, use:

            # fls -o 63 disk-img.dd

       If you have a disk image that is split use:

            # fls -i "split" -o 63 disk-1.dd disk-2.dd disk-3.dd
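
       Added example (not part of the original manual page or of The Sleuth
       Kit): the fls-then-icat recovery step from DESCRIPTION as a dry run
       that prints the icat commands instead of running them.  The function
       names, the sample lines, the `recovered` directory and the assumed
       short output layout `type [*] inode[(realloc)]:<TAB>name` of
       `fls -r -p -d` are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumed fls short-format line: "r/r * 29:<TAB>path/to/file"
# ("*" marks a deleted entry, "(realloc)" an inode that has been reused).

# Constructed sample of `fls -r -p -d`-style output; not from a real image.
sample_fls_output() {
    printf 'd/d 11:\tlost+found\n'
    printf 'r/r 12:\tetc/passwd\n'
    printf 'r/r * 29:\thome/user/notes.txt\n'
    printf 'r/r * 31(realloc):\thome/user/old.log\n'
    printf 'd/d * 40:\thome/user/tmp\n'
    printf 'r/r * 64-128-2:\tUsers/a/../../evil.txt\n'
}

# Read fls output on stdin; print "inode<TAB>path" for each deleted regular
# file whose metadata entry has not been reallocated.
fls_deleted_files() {
    awk -F '\t' '
    {
        n = split($1, f, " ")             # "r/r" "*" "29:"
        if (n != 3 || f[2] != "*") next   # allocated entry, skip
        if (f[1] !~ /\/r$/) next          # metadata type is not a regular file
        if (f[3] ~ /\(realloc\)/) next    # inode reused, content is unrelated
        inode = f[3]; sub(/:$/, "", inode)
        if (inode !~ /^[0-9]+(-[0-9]+)*$/) next   # 29 or NTFS-style 64-128-2
        printf "%s\t%s\n", inode, $2
    }'
}

# Print one icat command per recoverable inode (dry run, nothing is executed).
# Output files are named after the inode, never after the path stored in the
# image, so a crafted name such as "a/../../evil.txt" cannot steer the write.
# usage: fls -r -p -d -o OFFSET IMAGE | icat_plan IMAGE OFFSET OUTDIR
icat_plan() {
    fls_deleted_files | while IFS="$(printf '\t')" read -r inode _path; do
        printf 'icat -o %s %s %s > %s/inode-%s\n' \
            "$2" "$1" "$inode" "$3" "$inode"
    done
}

sample_fls_output | icat_plan disk-img.dd 63 recovered
```

       Keep the "inode<TAB>path" listing from fls_deleted_files next to the
       recovered files so each inode-N file can be mapped back to its name.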

SEE ALSO

       ffind(1), icat(1)

AUTHOR

       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>