Table of Contents
ffind - Finds the name of the file or directory using a given inode
ffind [-aduvV] [-f fstype] [-i imgtype] [-o imgoffset] [-b dev_sector_size]
image inode
ffind finds the names of files or directories that
are allocated to inode on disk image image. By default it only will only
return the first name it finds. With some file systems, this will find
deleted file names.
- image [images]
- One (or more if split) disk
or partition images whose format is given with ’-i’.
- inode
- Integer of inode
to find.
The optional arguments are:
- -a
- Find all occurrences of inode.
- -d
- Find
deleted entries only.
- -f fstype
- Identify the file system type of the image.
Use ’-f list’ to list the supported file system types. If not given, autodetection
methods are used.
- -u
- Find undeleted entries only.
- -i imgtype
- Identify the type
of image file, such as raw or split. Use ’-i list’ to list the supported types.
If not given, autodetection methods are used.
- -o imgoffset
- The sector offset
where the file system starts in the image.
- -b dev_sector_size
- The size,
in bytes, of the underlying device sectors. If not given, the value in
the image format is used (if it exists) or 512-bytes is assumed.
- -v
- Verbose
output to stderr.
- -V
- Display version.
This program searches all directory
entries looking for the given inode. This is useful when an inode has been
identified from a disk unit address using ifind(1)
.
# ffind -a image
212
ifind(1)
Brian Carrier <carrier at sleuthkit dot org>
Send documentation updates to <doc-updates at sleuthkit dot org>
Table of Contents