Using the fls command to list files and directories on an image file or device (with examples)
The fls command is a powerful tool that allows you to list files and directories within an image file or device. It can be used for digital forensics analysis or general file system examination. In this article, we will explore three different use cases of the fls command, each with its own code example, motivation, explanation, and example output.
Use case 1: Building a recursive fls list over a device
fls -r -m C: /dev/loop1p1
Motivation:
When analyzing a device, it is often necessary to list all files and directories recursively. This allows you to get a comprehensive view of the file system structure and identify potential evidence or important system files. By specifying the device with -m C: and the recursive option -r, the fls command will traverse through all the directories within the device and display the file and directory paths starting with C:.
Explanation:
-r: Enables recursive listing, meaning all files and directories within the specified device will be included in the output.-m C:: Specifies the device or image file to analyze. In this example, the device is/dev/loop1p1and the output paths will start withC:.
Example output:
C:\Windows\system32\config\SYSTEM
C:\Windows\system32\config\SOFTWARE
C:\Windows\system32\config
C:\Windows\system32\drivers\etc\hosts
C:\Users\John\Documents\Report.docx
...
Use case 2: Analyzing a single partition with sector offset
fls -r -m C: -o sector path/to/image_file
Motivation:
In some cases, you may need to analyze a specific partition within an image file. By providing the sector offset at which the file system starts in the image, you can isolate and examine a particular partition. This can be useful when investigating a specific file system or when dealing with multi-partition images.
Explanation:
-o sector: Indicates that the following argument is the sector offset at which the file system starts in the image.path/to/image_file: Specifies the path to the image file that contains the partition to be analyzed.
Example output:
C:\Windows\system32\config\SYSTEM
C:\Windows\system32\config\SOFTWARE
C:\Windows\system32\config
C:\Windows\system32\drivers\etc\hosts
C:\Users\John\Documents\Report.docx
...
Use case 3: Analyzing a single partition with timezone information
fls -r -m C: -z timezone /dev/loop1p1
Motivation:
When analyzing a file system, it can be helpful to know the original timezone of the system. This information can aid in correlating file timestamps with specific events or activities. By providing the timezone with the -z option, the fls command will adjust the timestamps according to the specified timezone.
Explanation:
-z timezone: Specifies the timezone of the original system. Replacetimezonewith the appropriate timezone value (e.g.,PST,EST,GMT)./dev/loop1p1: Specifies the device or image file to analyze. In this example, the device is/dev/loop1p1.
Example output:
C:\Windows\system32\config\SYSTEM,Thu Feb 24 10:31:14 2022,"Windows Registry file"
C:\Windows\system32\config\SOFTWARE,Thu Feb 24 10:31:14 2022,"Windows Registry file"
C:\Windows\system32\config,Thu Feb 24 10:31:14 2022,"Directory"
C:\Windows\system32\drivers\etc\hosts,Wed Jul 14 02:32:56 2021,"ASCII text"
C:\Users\John\Documents\Report.docx,Mon Jan 10 18:45:22 2022,"Microsoft Word document"
...
In this article, we have explored three different use cases of the fls command. We learned how to build a recursive fls list over a device, analyze a single partition with a sector offset, and analyze a single partition providing the timezone of the original system. These examples demonstrate the flexibility and usefulness of the fls command in digital forensics and file system analysis.
