Digital forensic examiners extract useful information from files. The Sleuth
Kit provides powerful tool to list files contained in a partition. This tool
is fls.
The basic format of fls is: fls [partition_image] [[inode]].
The inode value is optional.
As a simple example, suppose we want to list files in the root folder of partition image “logicalUSBraw.001”. Simply use:
$ fls logicalUSBraw.001
What if what we have is a whole disk image? Of course we can use mmcat to
extract the target partition to a new image file and proceed with fls. But an
easier method will be using the offset value of the target partition given by
the mmls tool and combining it with -o argument.
For instance, suppose the mmls provides the following result:
$ mmls physicalUSBraw.001
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000511 0000000512 Unallocated
02: 00:00 0000000512 0001957887 0001957376 DOS FAT16 (0x06)
From the list, we can tell that partition 02 starts at offset 512. Thus, to list files in root folder of this partition, use command:
$ fls physicalUSBraw.001 -o 512
Either way, the content of the root folder will be listed like:
r/r 3: USB DISK (Volume Label Entry)
r/r 5: ._.Trashes
d/d 5: folderA
d/d 11: Recycled
r/r 18: Paper.docx
r/r 36: DB 02.png
r/r * 38: research.docx
d/d * 46: Print
d/d 66: $RECYCLE.BIN
r/r 112: helloworld.py
v/v 31310339: $MBR
v/v 31310340: $FAT1
v/v 31310341: $FAT2
d/d 31310342: $OrphanFiles
By default, there are three columns in the result. This first column “r/r’ or ‘d/d’ indicates the entry type(“r” refers to regular file and “d” refers to directory). The second column is metadata(inode) address of the entry. The third column is the file name.
If an entry is a deleted one, an asterisk(*) will be shown after the entry type. Thus, the file “research.docx” and folder “Print” in the list above are deleted entries.
To list entries in subfolders, find the inode address of the folder, then use it as a parameter of fls. For example, according to the result, the inode address of folder “folderA” is 5. So, to list entries in folderA, use the following command:
$ fls logicalUSBraw.001 5
Above are the basic uses of fls. But fls has some more advanced options to help
users complete their tasks. The detailed manual of fls can be found by using
command man fls. It has a long list of arguments. Some importance ones are
listed below:
By combining these arguments and some other commands, users can easily locate files they are interested in. Some useful examples are given here:
List all folders and subfolders of the partition (Show folder structure):
$ fls image_name -rD
List all files in the whole partition:
$ fls image_name -rF
List all deleted entries in the whole partition:
$ fls image_name -rd
List all .docx files in the whole partition(Linux):
$ fls image_name -rF | grep .docx
List all deleted .jpg files in the whole partition(Linux):
$ fls image_name -rdF | grep .jpg
In addition, we can use the -l argument to print a detailed entry list, which contains many useful proprieties of the entry.
Just read the manual of fls and give it a try!