man ifind (Commandes) - Find the meta-data structure that has allocated a given disk unit.
NAME
ifind - Find the meta-data structure that has allocated a given disk unit.
SYNOPSIS
ifind [-avVl] [-f fstype] [-d data_unit] [-n file] [-p par_inode] [-z ZONE] [-i imgtype] [-o imgoffset] image [images]
DESCRIPTION
ifind finds the meta-data structure that has data_unit allocated a data unit or has a given file name. In some cases any of the structures can be unallocated and this will still find the results.
The arguments are as follows:
- image [images]
- One (or more if split) disk or partition images whose format is given with '-i'..PP
One of the following must be given:
- -d data_unit
- Finds the meta data structure that has allocated a given data unit (block, cluster, etc.)
- -n file
- Finds the meta data structure that is pointed to by the given file name.
- -p par_inode
- Finds the unallocated MFT entries in an NTFS image that have the given inode as the parent. Can be used with '-l and -z'.
The optional arguments are:
- -a
- Find all meta-data structures (only works when looking with a data_unit).
- -f fstype
- Specify the file system type. Use the -? argument for list of supported types. If not given, the default type for the platform is used.
- -l
- List the details of each file found with '-p', like 'fls -l'.
- -i imgtype
- Identify the type of image file, such as raw or split. Raw is the default.
- -o imgoffset
- The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using '@' (32@2048).
- -v
- Verbose output to stderr.
- -V
- Display version.
- -z
- If '-p -l' were given, this will set the timezone for the correct times.
EXAMPLES
# ifind -f fat -d 456 fat-img.dd
# ifind -f linux-ext2 -n "/etc/" linux-img.dd
# ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
SEE ALSO
HISTORY
ifind first appeared in TCTUTILs v1.0 as find_inode.
AUTHOR
Brian Carrier <carrier@sleuthkit.org>