IFIND

Section: User Commands (1)
Updated: JAN 2005
Index Return to Main Contents
 

NAME

ifind - Find the meta-data structure that has allocated a given disk unit.  

SYNOPSIS

ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p par_inode] [-z ZONE] [-i imgtype] [-o imgoffset] image [images]  

DESCRIPTION

ifind finds the meta-data structure that has data_unit allocated a data unit or has a given file name. In some cases any of the structures can be unallocated and this will still find the results.

There are several required and optional arguments. The image file names must be specified each time:

image [images]
One (or more if split) disk or partition images whose format is given with '-i'..PP

You must also specify what you are looking for and include one of the following:

-d data_unit
Finds the meta data structure that has allocated a given data unit (block, cluster, etc.)

-n file
Finds the meta data structure that is pointed to by the given file name.

-p par_inode
Finds the unallocated MFT entries in an NTFS image that have the given inode as the parent. Can be used with '-l and -z'.

There are also several optional arguments:

-a
Find all meta-data structures (only works when looking with a data_unit).
-f fstype
Specify the file system type. Use the -? argument for list of supported types. If not given, the default type for the platform is used.
-l
List the details of each file found with '-p', like 'fls -l'.
-i imgtype
Identify the type of image file, such as raw or split. Raw is the default.
-o imgoffset
The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using '@' (32@2048).
-v
Verbose output to stderr.
-V
Display version.
-z
If '-p -l' were given, this will set the timezone for the correct times.

 

EXAMPLES

# ifind -f fat -d 456 fat-img.dd

# ifind -f linux-ext2 -n "/etc/" linux-img.dd

# ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd

 

SEE ALSO

dd(1),  

HISTORY

ifind first appeared in TCTUTILs v1.0 as find_inode.  

AUTHOR

Brian Carrier <carrier@sleuthkit.org>


 

Index

NAME
SYNOPSIS
DESCRIPTION
EXAMPLES
SEE ALSO
HISTORY
AUTHOR

linux.jgfs.net manual pages