ifind - Find the meta-data structure that has allocated a given disk
unit or file name.
ifind [-avVl] [-f fstype] [-d data_unit] [-n file]
[-p par_inode] [-z ZONE] [-i imgtype] [-o imgoffset] image [images]
ifind finds the meta-data structure that has allocated a given data unit (data_unit)
or that has a given file name. In some cases any of the structures can be unallocated
and ifind will still find the results.
There are several required and optional arguments. The image file names must be
specified each time:
- image [images]
- One (or more if split) disk or partition images whose format is given with ’-i’.
You must also specify what you are looking for and include one of the following:
- -d data_unit
- Finds the meta-data structure that has allocated a given data unit (block, cluster, etc.)
- -n file
- Finds the meta-data structure that is pointed to by the given file name.
- -p par_inode
- Finds the unallocated MFT entries in an NTFS image that have the given inode
as the parent. Can be used with ’-l’ and ’-z’.
There are also several optional arguments:
- -a
- Find all meta-data structures (only works when looking with
a data_unit).
- -f fstype
- Specify the file system type. Use ’-f list’ to list
the supported file system types. If not given, autodetection methods are
used.
- -l
- List the details of each file found with ’-p’, like ’fls -l’.
- -i imgtype
- Identify the type of image file, such as raw or split. Use ’-i list’ to list the
supported types. If not given, autodetection methods are used.
- -o imgoffset
- The sector offset where the file system starts in the image. Non-512 byte sectors
can be specified using ’@’ (32@2048).
- -v
- Verbose output to stderr.
- -V
- Display version.
- -z ZONE
- If ’-p -l’ were given, this sets the time zone so that the times are displayed correctly.
# ifind -f fat -d 456 fat-img.dd
# ifind -f linux-ext2 -n "/etc/" linux-img.dd
# ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
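Added example, not part of the original man page or of The Sleuth Kit: a shell helper that turns a byte offset in an image (for instance a keyword-search hit) into the data unit number to pass to ’-d’, honouring both ’-o’ forms described above. The function names, the sample offsets and the image name are constructed; it assumes data units are numbered from the start of the file system and that the examiner supplies the unit size in bytes.

```shell
#!/bin/sh
# Added example (not part of the ifind distribution).
# Maps a byte offset in an image to the data unit number for 'ifind -d'.
# Assumption: data units are numbered from the start of the file system and
# the examiner supplies the unit size in bytes.

# Accept only canonical decimal integers (a leading zero would be read as octal).
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        0) return 0 ;;
        0*) return 1 ;;
    esac
    return 0
}

# fs_start_bytes IMGOFFSET: byte offset of the file system for a '-o' value,
# either "63" (512-byte sectors) or "32@2048" (sectors@sector_size).
fs_start_bytes() {
    case $1 in
        *@*) _sect=${1%%@*}; _size=${1#*@} ;;
        *)   _sect=$1; _size=512 ;;
    esac
    is_uint "$_sect" && is_uint "$_size" && [ "$_size" -gt 0 ] || {
        echo "bad imgoffset: $1" >&2; return 1; }
    echo $(( _sect * _size ))
}

# data_unit_for_offset BYTE_OFFSET IMGOFFSET UNIT_SIZE
data_unit_for_offset() {
    is_uint "$1" && is_uint "$3" && [ "$3" -gt 0 ] || {
        echo "bad byte offset or unit size" >&2; return 1; }
    _start=$(fs_start_bytes "$2") || return 1
    [ "$1" -ge "$_start" ] || {
        echo "offset $1 lies before the file system" >&2; return 1; }
    echo $(( ($1 - _start) / $3 ))
}

# ifind_cmd BYTE_OFFSET IMGOFFSET UNIT_SIZE IMAGE: print the ifind invocation.
ifind_cmd() {
    _unit=$(data_unit_for_offset "$1" "$2" "$3") || return 1
    echo "ifind -o $2 -d $_unit $4"
}

# Constructed sample: a hit at byte 1934336, file system at 32@2048, 4096-byte units.
ifind_cmd 1934336 32@2048 4096 disk.dd
```

The helper only prints the command line, so it can be reviewed and recorded in case notes before it is run against the image.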
Brian Carrier <carrier at sleuthkit dot org>