LinuxCommandLibrary

fls

TLDR

List files in image

$ fls [disk.img]
copy
List deleted files
$ fls -d [disk.img]
copy
Recursive listing
$ fls -r [disk.img]
copy
List specific directory
$ fls [disk.img] [inode]
copy
List with file types
$ fls -p [disk.img]
copy

SYNOPSIS

fls [options] image [inode]

DESCRIPTION

fls lists file and directory names from disk images. It's part of The Sleuth Kit forensics toolkit and examines filesystem structures directly without mounting.
The tool shows regular and deleted file entries, useful for data recovery and forensic analysis. It works with various filesystems including NTFS, FAT, ext, and HFS+.
fls enables examining disk images without modifying their contents, preserving forensic integrity.

PARAMETERS

IMAGE

Disk image file.
INODE
Starting inode (default: root).
-r
Recursive listing.
-d
Show deleted entries.
-l
Long format output.
-p
Show full paths.
-m PREFIX
Output in mactime format.
-o OFFSET
Partition offset.
--help
Display help information.

CAVEATS

Requires raw or forensic disk images. Deleted file recovery depends on filesystem state. Large images may be slow.

HISTORY

fls is part of The Sleuth Kit created by Brian Carrier. It evolved from earlier forensic tools and provides cross-platform filesystem analysis for digital investigations.

SEE ALSO

ils(1), icat(1), mmls(1)

Copied to clipboard