ils - List inode information
ils [-emOpvV] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] [-b dev_sector_size] image [images] [start-stop]
ils [-aAlLvVzZ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] image
ils opens the named image(s) and lists inode information. By default, ils lists only the inodes of removed files.
- -e
- List every inode in the file system.
- -f fstype
- Specifies the file system type. Use '-f list' to list the supported file system types. If not given, autodetection methods are used.
- -s seconds
- The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100.
- -m
- Display the inode details in the format that the mactime program reads (replaces the ils2mac script from
- -O
- List only inodes of removed files that are still open or executing. This option is short-hand notation for -aL (see the fine controls section below). (This used to be -o.)
- -p
- Display orphan inodes (unallocated with no
- (default) List only inodes of removed files. This option is short-hand notation for -LZ (see the fine controls section below).
- -i imgtype
- The type of image file, such as raw. Use '-i list' to list the supported types. If not given, autodetection methods are used.
- -o imgoffset
- The sector offset where the file system starts in the image.
- -b dev_sector_size
- The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512 bytes is assumed.
- -v
- Turn on verbose mode, output to stderr.
- -V
- Display Version.
- image [images]
- The disk or partition image to read, whose format is given with '-i'. Multiple image file names can be given if the image is split into multiple segments. If only one image file is given, and its name is the first in a sequence (e.g., as indicated by ending in '.001'), subsequent image segments will be included
- start-stop
- Examine the specified inode number or number range.
- -a
- List only allocated inodes: these belong to files with at least one directory entry in the file system, and to removed files that are still open or executing.
- -A
- List only unallocated inodes: these belong to files that no longer exist.
- -l
- List only inodes with at least one hard link. These belong to files with at least one directory entry in the file
- -L
- List only inodes without any hard links. These belong to files that no longer exist, and to removed files that are still open or executing.
- -z
- List only inodes that were likely to have not been used.
- -Z
- List only inodes that were likely to be used.
The output format is in time machine format. The output begins with a two-line header that describes the data origin, and is followed by a one-line header that lists the names of the data attributes that make up the remainder of the output:
- The inode number.
- status: 'a' for allocated inode, 'f' for free inode.
- Owner user ID.
- UNIX time (seconds) of last file modification.
- UNIX time (seconds) of last file access.
- UNIX time (seconds) of last inode status change.
- UNIX time (seconds) of file deletion (LINUX
- File type and permissions (octal).
- Number of hard links.
- File size in bytes.
- The first two entries in the direct block address list.
This software is distributed under the IBM Public License.
First appeared in The Coroner's Toolkit
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA
This version is maintained by Brian Carrier (carrier at sleuthkit dot org)
Send documentation updates to <doc-updates at sleuthkit
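The output layout described above (a two-line origin header, a one-line attribute header, then one record per inode) can be parsed as shown here to build a timeline of removed inodes. This is an added example, not part of the ils documentation or of The Sleuth Kit; the `|` delimiter, the st_* column names and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample (not from a real image). The '|' delimiter and the
# st_* column names are assumptions; the parser takes names from the header.
SAMPLE = """\
class|host|device|start_time
ils|examplehost||1700000000
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
14|f|1000|1000|1699990000|1699990100|1699999000|1699999000|100644|0|2048|5120|5121
27|a|0|0|1699000000|1699000500|1699000000|0|100755|1|51200|8200|8201
31|f|0|0|1699980000|1699980000|1699995000|0|100600|0|0|0|0
"""

def parse_ils(text, sep="|"):
    """Return (origin, rows) from ils output: origin comes from the two-line
    header, rows are dicts keyed by the names in the one-line header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("need two origin header lines and one attribute header")
    origin = dict(zip(lines[0].split(sep), lines[1].split(sep)))
    names = lines[2].split(sep)
    rows = []
    for lineno, ln in enumerate(lines[3:], start=4):
        values = ln.split(sep)
        if len(values) != len(names):
            raise ValueError(f"record {lineno}: {len(values)} fields, expected {len(names)}")
        row = dict(zip(names, values))
        for key, val in row.items():
            if key != "st_alloc":            # status stays 'a' or 'f'
                row[key] = int(val, 8 if key == "st_mode" else 10)  # mode is octal
        rows.append(row)
    return origin, rows

def removed_timeline(rows):
    """Free ('f') inodes ordered by deletion time, falling back to the last
    inode status change where no deletion time is recorded (value 0)."""
    free = [r for r in rows if r["st_alloc"] == "f"]
    return sorted(free, key=lambda r: r.get("st_dtime") or r["st_ctime"])

def utc(ts):
    """Format a UNIX timestamp as UTC for a report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    origin, rows = parse_ils(SAMPLE)
    print("origin:", origin)
    for r in removed_timeline(rows):
        when = r.get("st_dtime") or r["st_ctime"]
        print(r["st_ino"], utc(when), oct(r["st_mode"]), r["st_size"])
```

Because the column names are read from the attribute header rather than hard-coded, the same parser keeps working if a given ils version emits a different set of columns.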