ffind - Find the name of the file or directory using a given inode
ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] image inode
ffind finds the names of files or directories that are allocated to inode on
disk image image. By default, it returns only the first name it
finds. With some file systems, this will find deleted file names.
- image [images]
- One (or more if split) disk or partition images whose format is
given with ’-i’.
- inode
- Integer of inode to find.
The optional arguments are:
- -a
- Find all occurrences of inode.
- -d
- Find deleted entries only.
- -f fstype
- Identify the file system type of the image. Use ’-f list’ to list the
supported file system types. If not given, autodetection methods are used.
- -u
- Find undeleted entries only.
- -i imgtype
- Identify the type of image file, such as raw or split.
Use ’-i list’ to list the supported types. If not given, autodetection methods
are used.
- -o imgoffset
- The sector offset where the file system starts in the
image. Non-512 byte sectors can be specified using ’@’ (32@2048).
- -v
- Verbose output to stderr.
- -V
- Display version.
This program searches all directory entries looking for the given inode.
This is useful when an inode has been identified from a disk unit address
using ifind(1).
# ffind -a image 212
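The workflow described above (a disk unit address resolved to an inode with ifind(1), then to file names with ffind), as an added example that is not part of the original manual page. It assumes that `ifind -d unit` prints the owning inode address on stdout; `unit_to_names` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example (not from the ffind manual page): map a data unit address
# to the file names that reference it by chaining ifind(1) and ffind.
# Assumption: `ifind -d <unit>` prints the owning inode address on stdout;
# any output that is not an inode address is treated as "no owner found".

# unit_to_names IMAGE UNIT [SECTOR_OFFSET]
# Prints whatever `ffind -a` reports for the owning inode.
# Returns 0 on success, 1 if no inode owns the unit, 2 on bad arguments.
unit_to_names() {
    image=$1 unit=$2 offset=${3:-}

    # Reject missing or non-numeric input before touching the evidence image.
    [ -n "$image" ] || { echo "missing image" >&2; return 2; }
    case $unit in ''|*[!0-9]*) echo "bad unit: $unit" >&2; return 2 ;; esac

    # Pass -o only when the file system does not start at sector 0.
    # Accepted forms: plain sectors (63) or sectors@size (32@2048).
    set --
    if [ -n "$offset" ]; then
        case $offset in
            *[!0-9@]*|@*|*@|*@*@*) echo "bad offset: $offset" >&2; return 2 ;;
        esac
        set -- -o "$offset"
    fi

    inode=$(ifind "$@" -d "$unit" "$image") || return 1

    # Accept "212" or the NTFS-style "212-128-1"; anything else is a miss.
    if ! printf '%s\n' "$inode" | grep -Eq '^[0-9]+(-[0-9]+){0,2}$'; then
        echo "no inode owns unit $unit" >&2
        return 1
    fi

    # -a lists every name: hard links and, on some file systems, deleted names.
    ffind "$@" -a "$image" "$inode"
}
```

Add `-d` or `-u` to the final ffind call to restrict the result to deleted or undeleted entries.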
ifind(1)
Brian Carrier <carrier at sleuthkit dot org>