LinuxCommandLibrary

ils

List filesystem inodes

SYNOPSIS

ils [options] <image> [inodes]

PARAMETERS

-A
    Skip checking alternate data streams

-a
    Show all files, including . and ..

-d
    Show deleted entries only

-D
    Show deleted entries with full details

-e
    Display extended attributes

-E
    Display extended information

-f <fstype>
    Filesystem type (e.g., ext2, ntfs)

-i <imgtype>
    Image format (e.g., raw, ewf)

-m <name>
    Set device name for hashing

-o <offset>
    Sector offset to image

-R
    Recursive listing

-r
    Recover deleted file names

-s
    Show sparse files

-v
    Verbose output

DESCRIPTION

The ils command is a forensic analysis tool from The Sleuth Kit (TSK), designed to extract and display detailed inode (metadata) information from disk images or filesystems. Unlike ls, which lists directory contents, ils focuses on low-level inode data, including file attributes such as type, size, timestamps (MAC times: modified, accessed, changed), ownership, links, and allocation status.

It supports various image formats (raw, EWF, AFF) and filesystems (NTFS, FAT, ext, UFS, HFS+), making it essential for digital investigations. Users specify a disk image and optional inode numbers or ranges to view specifics like whether files are allocated, deleted, or orphaned. Deleted entries can be shown with -d, aiding recovery analysis. Output mimics ls format but adds forensic details like inode numbers and deletion status.

Ideal for examiners reconstructing file timelines or identifying hidden data, ils helps without altering evidence, preserving chain of custody.

CAVEATS

Requires root or read access to images; may produce large output on big filesystems. Not for live systems—use on copies. Handles only supported FS/image types; check fsstat first.

EXAMPLE USAGE

ils disk.img — lists all inodes.
ils -d -r disk.img 123-150 — recovers deleted names in inode range.

OUTPUT FORMAT

Columns: inode | name | MAC times | size | type (fc: file carved, etc.). Deleted marked with 'd'.
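
An added example (not from the original page or from The Sleuth Kit): a Python parser for saved ils output that picks out unallocated inodes and renders their MAC times in UTC, oldest change time first. It assumes pipe-delimited rows under a header row of st_* field names, with 'a'/'f' in st_alloc marking allocated/free; the sample text is constructed, so check the field names against the output of your TSK version.

```python
from datetime import datetime, timezone

# Constructed sample of saved `ils` output (not from a real image).
# Assumed layout: preamble lines, a header row of field names, then one
# pipe-delimited row per inode with epoch-second timestamps.
SAMPLE = """\
class|host|device|start_time
ils|examiner-ws||1700000000
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
12|a|0|0|1699990000|1699990100|1699990000|0|100644|1|4096
13|f|1000|1000|1699991000|1699992000|1699993000|0|100600|0|812
14|f|1000|1000|1699994000|1699994000|1699995000|0|100644|0|0
"""

TIME_FIELDS = ("st_mtime", "st_atime", "st_ctime")

def utc(epoch):
    """Render epoch seconds as ISO 8601 UTC; 0 is treated as 'not set'."""
    n = int(epoch)
    return None if n == 0 else datetime.fromtimestamp(n, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ils(text):
    """Return one dict per inode row, keyed by the header's field names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # Locate the header row instead of hard-coding how many lines precede it.
    start = next(i for i, ln in enumerate(lines) if ln.startswith("st_ino|"))
    names = lines[start].split("|")
    rows = []
    for ln in lines[start + 1:]:
        cols = ln.split("|")
        if len(cols) != len(names):
            raise ValueError(f"unexpected column count in row: {ln!r}")
        rows.append(dict(zip(names, cols)))
    return rows

def unallocated_timeline(text):
    """Unallocated inodes ('f' in st_alloc), oldest change time first."""
    out = []
    for r in parse_ils(text):
        if r["st_alloc"] != "f":
            continue
        entry = {"inode": int(r["st_ino"]), "size": int(r["st_size"])}
        entry.update({f: utc(r[f]) for f in TIME_FIELDS})
        out.append(entry)
    return sorted(out, key=lambda e: e["st_ctime"] or "")

if __name__ == "__main__":
    for e in unallocated_timeline(SAMPLE):
        print(e)
```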

HISTORY

Developed by Brian Carrier in the early 2000s as part of The Sleuth Kit (formerly TCT tools), evolving from Unix 'ils' utilities. First released ~2003, integrated into Autopsy GUI. Actively maintained for modern forensics.

SEE ALSO

fls(1), icat(1), fsstat(1), istat(1), mactime(1)
