Table of Contents
ils - List inode information
ils [-emOpvV] [-f fstype ] [-s seconds
] [-i imgtype ] [-o imgoffset ] image [images] [start-stop]
ils [-aAlLvVzZ]
[-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] image [images] [start-stop]
ils opens the named image(s) and lists inode information. By
default, ils lists only the inodes of removed files.
Arguments:
- -e
- List
every inode in the file system.
- -f fstype
- Specifies the file system type.
Use ’-f list’ to list the supported file system types. If not given, autodetection
methods are used.
- -s seconds
- The time skew of the original system in seconds.
For example, if the original system was 100 seconds slow, this value would
be -100.
- -m
- Display the inode details in the format that the mactime program
reads (replaces the ils2mac script from TCT)
- -O
- List only inodes of removed
files that are still open or executing. This option is short-hand notation
for -aL "(see the fine controls section below). (this used to be -o).
- -p
- Display
orphan inodes (unallocated with no file name)
- -r
- (default) List only inodes
of removed files. This option is short-hand notation for -LZ (see the fine
controls section below).
- -i imgtype
- Identify the type of image file, such
as raw or split. Use ’-i list’ to list the supported types. If not given,
autodetection methods are used.
- -o imgoffset
- The sector offset where the file
system starts in the image. Non-512 byte sectors can be specified using
’@’ (32@2048).
- -v
- Turn on verbose mode, output to stderr.
- -V
- Display Version.
- image
[images]
- One (or more if split) disk or partition images whose format is
given with ’-i’.
- start-stop
- Examine the specified inode number or number range.
Fine controls:
- -a
- List only allocated inodes: these belong to files with
at least one directory entry in the file system, and to removed files that
are still open or executing.
- -A
- List only unallocated inodes: these belong
to files that no longer exist.
- -l
- List only inodes with at least one hard
link. These belong to files with at least one directory entry in the file
system.
- -L
- List only inodes without any hard links. These belong to files that
no longer exist, and to removed files that are still open or executing.
- -z
- List only inodes with zero status change time. Presumably, these inodes
were never used.
- -Z
- List only inodes with non-zero status change time. Presumably,
these belong to files that still exist, or that existed in the past.
The
output format is in time machine format. The output begins with a two-line
header that describes the data origin, and is followed by a one-line header
that lists the names of the data attributes that make up the remainder
of the output:
- st_ino
- The inode number.
- st_alloc
- Allocation status: ‘a’ for
allocated inode, ‘f’ for free inode.
- st_uid
- Owner user ID.
- st_gid
- Owner group
ID.
- st_mtime
- UNIX time (seconds) of last file modification.
- st_atime
- UNIX time
(seconds) of last file access.
- st_ctime
- UNIX time (seconds) of last inode
status change.
- st_dtime
- UNIX time (seconds) of file deletion (LINUX only).
- st_mode
- File type and permissions (octal).
- st_nlink
- Number of hard links.
- st_size
- File
size in bytes.
- st_block0,st_block1
- The first two entries in the direct block
address list.
mactime(1)
This software is distributed under
the IBM Public License.
First appeared in The Coroners Toolkit (TCT)
1.0.
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights,
NY 10598, USA
This version is maintained by Brian Carrier (carrier at
sleuthkit dot org)
Table of Contents