FLS(1)							   FLS(1)


NAME
       fls - List file and directory names in a forensic image

SYNOPSIS
       fls [-adDflpru] [-m mnt ] [-z hours ] image [ inode ]

DESCRIPTION
       fls lists the files and directory names in the image and
       can display file names of recently deleted files for the
       directory using the given inode.  If the inode argument is
       not given, 2 is used.  The image should be created using
       the dd(1) command.

       The arguments are as follows:

       -a     Display the "." and ".." directory entries (by
              default it does not)

       -d     Display deleted entries only

       -D     Display directory entries only

       -f     Display file (all non-directory) entries only

       -l     Display file details in long format.  The following
              contents are displayed:

              file_type inode file_name mod_time acc_time
              cre_time size uid gid

       -m     Display deleted files in time machine format.  The
              output can be merged with the body file from
              grave-robber(1) before mactime(1) is run.  The files
              will be printed as though the image was mounted at
              mnt (for example /usr).

       -p     Display the full path for each entry.  By default
              it denotes the directory depth on recursive runs
              with a '+' sign.

       -r     Recursively display directories.  This will not
              follow deleted directories, because it can't.

       -u     Display undeleted entries only

       -z     Time zone difference in hours.  This is only useful
              when the -l option is used.  For example, if we are
              analyzing an image in EST from CST, the value would
              be -1.

       image  The forensic image created by dd(1).


       Once the inode has been determined, the file can be
       recovered using icat(1) from The Coroner's Toolkit.  The
       amount of information recovered from deleted file entries
       varies depending on the system.  For example, on Linux, a
       recently deleted file can be easily recovered, while on
       Solaris not even the inode can be determined.  If you just
       want to find what file name belongs to an inode, it is
       easier to use find_name(1).


EXAMPLES
       To get a list of all files and directories in an image
       use:

	    # fls -r image 2

	    or just:

	    # fls -r image

       To get the full path of deleted files in a given
       directory:

	    # fls -d -p image 29

       To get output in the format read by mactime(1):

	    # fls -m /usr/local image 2
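
       The recovery workflow described above (find the inode with
       fls, then extract it with icat(1)), as an added example that
       is not part of TCTUTILs or the original manual.  It assumes
       sha256sum is installed; the function names and output file
       names are hypothetical.

```shell
#!/bin/sh
# Added example (not from TCTUTILs): list deleted entries with fls, recover
# one inode with icat, and confirm the evidence image was not modified.
# Assumptions: sha256sum is installed; output file names are hypothetical.

# Print only the SHA-256 digest of a file.
image_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# recover_inode IMAGE DIR_INODE FILE_INODE OUTDIR
# Returns 0 on success, 2 on bad arguments, 3 if fls/icat fail,
# 4 if the image digest changed while the tools ran.
recover_inode() {
    image=$1 dir_inode=$2 file_inode=$3 outdir=$4

    # Accept decimal inode numbers only, so nothing else reaches the tools.
    for n in "$dir_inode" "$file_inode"; do
        case $n in
            ''|*[!0-9]*) echo "inode must be numeric: $n" >&2; return 2 ;;
        esac
    done
    [ -r "$image" ] || { echo "cannot read $image" >&2; return 2; }
    mkdir -p "$outdir" || return 2

    before=$(image_digest "$image")
    # Same invocation as the "fls -d -p image 29" example on this page.
    fls -d -p "$image" "$dir_inode" > "$outdir/deleted-$dir_inode.txt" || return 3
    # icat(1) writes the inode's data blocks to standard output.
    icat "$image" "$file_inode" > "$outdir/inode-$file_inode.bin" || return 3

    after=$(image_digest "$image")
    if [ "$before" != "$after" ]; then
        echo "image digest changed during analysis" >&2
        return 4
    fi

    # Record both digests for the case notes.
    {
        echo "image $before"
        echo "inode-$file_inode.bin $(image_digest "$outdir/inode-$file_inode.bin")"
    } > "$outdir/recovery.log"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    recover_inode "$@"
fi
```

       Keeping the deleted-entry listing next to the recovered data
       lets a reviewer match each inode number back to the file name
       fls reported for it.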



SEE ALSO
       dd(1), find_name(1), icat(1)


BUGS
       Currently only reads FFS on OpenBSD and Solaris and EXT2FS
       on Linux.


HISTORY
       fls first appeared in TCTUTILs v1.0.

AUTHOR
       Brian Carrier <carrier@cerias.purdue.edu>











User Manuals		    MARCH 2001				2


