Table of Contents
fls - List file and directory names in a disk image.
[-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset
] [-b dev_sector_size] image [images] [ inode ]
the files and directory names in the image and can display file names of
recently deleted files for the directory using the given inode. If the inode
argument is not given, the inode value for the root directory is used. For
example, on an NTFS file system it would be 5 and on a Ext3 file system
it would be 2.
The arguments are as follows:
- Display the "." and ".." directory
entries (by default it does not)
- Display deleted entries only
directory entries only
- -f fstype
- The type of file system. Use ’-f list’ to
list the supported file system types. If not given, autodetection methods
- Display file (all non-directory) entries only.
- Display file
details in long format. The following contents are displayed:
inode file_name mod_time acc_time chg_time cre_time size uid gid
- -m mnt
files in time machine format so that a timeline can be gid created
The string given as mnt will be prepended to the file names as the mounting
point (for example /usr).
- Display the full path for each entry. By default
it denotes the directory depth on recursive runs with a ’+’ sign.
display directories. This will not follow deleted directories, because
- -s seconds
- The time skew of the original system in seconds. For
example, if the original system was 100 seconds slow, this value would
be -100. This is only used if -l or -m are given.
- -i imgtype
- Identify the type
of image file, such as raw. Use ’-i list’ to list the supported types. If not
given, autodetection methods are used.
- -o imgoffset
- The sector offset where
the file system starts in the image.
- -b dev_sector_size
- The size, in bytes,
of the underlying device sectors. If not given, the value in the image
format is used (if it exists) or 512-bytes is assumed.
- Display undeleted
- Verbose output to stderr.
- Display version.
- -z zone
- The ASCII
string of the time zone of the original system. For example, EST or GMT.
These strings must be defined by your operating system and may vary.
- The disk or partition image to read, whose format is given with
’-i’. Multiple image file names can be given if the image is split into multiple
segments. If only one image file is given, and its name is the first in
a sequence (e.g., as indicated by ending in ’.001’), subsequent image segments
will be included automatically.
Once the inode has been determined, the
file can be recovered using icat(1)
from The Coroners Toolkit. The amount
of information recovered from deleted file entries varies depending on
the system. For example, on Linux, a recently deleted file can be easily
recovered, while in Solaris not even the inode can be determined. If you
just want to find what file name belongs to an inode, it is easier to use
To get a list of all files and directories in an image
# fls -r image 2
or just (if no inode is specified, the root directory inode is used):
# fls -r image
To get the full path of deleted files in a given directory:
# fls -d
-p image 29
To get the mactime output do:
# fls -m /usr/local image 2
If you have a disk image and the file system starts in sector 63, use:
# fls -o 63 disk-img.dd
If you have a disk image that is split use:
# fls -i "split" -o 63 disk-1.dd
Brian Carrier <carrier at sleuthkit
Send documentation updates to <doc-updates at sleuthkit dot org>
Table of Contents