fls

Build a recursive fls list over a device, output paths will start with C

$ fls -r -m [C:] [/dev/loop1p1]

$ fls -r -m [C:] -o [sector] [path/to/image_file]

$ fls -r -m [C:] -z [timezone] [/dev/loop1p1]

fls [options] image [image_offset]

image: Path to the disk image file.
image_offset: Optional byte offset from the start of the image to the beginning of the file system to analyze.

-a
    Display '.' and '..' directory entries.

-d
    Display directory entries for deleted files.

-D
    Display directory entries for only deleted files.

-f fstype
    Specify the file system type (e.g., ext3, ntfs, fat). Auto-detection is usually sufficient.

-F
    Display file entries for only directories.

-i imgtype
    Specify the disk image type (e.g., raw, ewf, aff). Auto-detection is usually sufficient.

-l
    Display the long version of the directory entries, including inode and size (similar to ls -l).

-m
    Display the contents of deleted directories (FAT and NTFS only).

-o offset
    Specify the sector offset from the start of the image to the beginning of the file system.

-p
    Display the full path for the directory entries.

-P pragma
    Specify a pragma for printing deleted entries (e.g., 'all', 'alloc', 'unalloc').

-r
    Recursively list all directory entries.

-R
    Recursively list all directory entries, including unallocated ones, showing full paths.

-s
    Display directory entries for only special files (e.g., '.' and '..').

-u
    Display only unallocated (orphaned) files and directories.

-v
    Enable verbose output to stderr.

-V
    Display tool version information.

-z
    Display time in the local timezone.

fls is a command-line utility from The Sleuth Kit (TSK), a comprehensive collection of open-source digital forensics tools. Its primary function is to list directory entries from a given disk image or a specific file system within that image. Unlike standard ls, fls operates directly on forensic images and can recover information about deleted files and directories if their metadata (directory entries) still exists on the file system.

It supports various file systems including FAT, NTFS, HFS+, Ext2/3/4, and UFS. Forensic analysts use fls to gain insight into the file system structure, identify active and deleted files, and investigate file activity without mounting the image, thereby preserving its integrity. It's a crucial step in understanding the layout of a compromised or evidence disk before deeper analysis.

fls operates on disk images, not live file systems. It requires the installation of The Sleuth Kit. While it can list deleted entries, the actual content of deleted files may not be recoverable if overwritten. Understanding its output often requires knowledge of file system structures and forensic analysis principles. Performance can vary significantly with image size and file system complexity.

The default output of fls provides inode numbers, allocation status (allocated/deleted), and file names. The -l option provides a more detailed ls -l-like output including permissions, owner/group, size, and modification times. The -d and -D options are crucial for identifying deleted files and their associated directory entries.

fls is commonly used early in a forensic investigation to survey the contents of a disk image. It helps identify files of interest, reconstruct directory structures, and locate evidence of data deletion or tampering, often preceding deeper analysis with tools like icat (to recover file content) or blkls (to list blocks).

fls is an integral part of The Sleuth Kit (TSK), an open-source collection of command-line tools for digital forensics. TSK was originally developed by Brian Carrier as an enhancement to The Coroner's Toolkit (TCT) in the early 2000s. fls specifically provides a non-invasive way to examine file system contents, including deleted data, which is fundamental for forensic investigations. Its continuous development reflects the evolving needs of digital evidence analysis, maintaining compatibility with new file system types and improving performance and feature sets.

mmls(1), fsstat(1), icat(1), tsk_loaddb(1), blkls(1)