ils-sleuthkit
SYNOPSIS
ils [-emOpvV] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ]
image [images] [start-stop]
ils [-aAlLvVzZ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset
] image [images] [start-stop]
DESCRIPTION
ils opens the named image(s) and lists inode information. By default,
ils lists only the inodes of removed files.
Arguments:
-e List every inode in the file system.
-f fstype
Specifies the file system type. Use '-f list' to list the sup-
ported file system types. If not given, autodetection methods
are used.
-s seconds
The time skew of the original system in seconds. For example,
if the original system was 100 seconds slow, this value would be
-100.
-m Display the inode details in the format that the mactime program
reads (replaces the ils2mac script from TCT)
-O List only inodes of removed files that are still open or execut-
ing. This option is short-hand notation for -aL "(see the fine
controls section below). (this used to be -o).
-p Display orphan inodes (unallocated with no file name)
-r (default) List only inodes of removed files. This option is
short-hand notation for -LZ (see the fine controls section
below).
-i imgtype
Identify the type of image file, such as raw or split. Use '-i
list' to list the supported types. If not given, autodetection
methods are used.
-o imgoffset
The sector offset where the file system starts in the image.
Non-512 byte sectors can be specified using '@' (32@2048).
-v Turn on verbose mode, output to stderr.
-V Display Version.
image [images]
One (or more if split) disk or partition images whose format is
longer exist.
-l List only inodes with at least one hard link. These belong to
files with at least one directory entry in the file system.
-L List only inodes without any hard links. These belong to files
that no longer exist, and to removed files that are still open
or executing.
-z List only inodes with zero status change time. Presumably, these
inodes were never used.
-Z List only inodes with non-zero status change time. Presumably,
these belong to files that still exist, or that existed in the
past.
The output format is in time machine format. The output begins with a
two-line header that describes the data origin, and is followed by a
one-line header that lists the names of the data attributes that make
up the remainder of the output:
st_ino The inode number.
st_alloc
Allocation status: `a' for allocated inode, `f' for free inode.
st_uid Owner user ID.
st_gid Owner group ID.
st_mtime
UNIX time (seconds) of last file modification.
st_atime
UNIX time (seconds) of last file access.
st_ctime
UNIX time (seconds) of last inode status change.
st_dtime
UNIX time (seconds) of file deletion (LINUX only).
st_mode
File type and permissions (octal).
st_nlink
Number of hard links.
st_size
File size in bytes.
st_block0,st_block1
The first two entries in the direct block address list.
This version is maintained by Brian Carrier (carrier at sleuthkit dot
org)
Send documentation updates to <doc-updates at sleuthkit dot org>
ILS(1)
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2012
Hurricane Electric.
All Rights Reserved.