mmls(1) [debian man page]

MMLS(1) 						      General Commands Manual							   MMLS(1)

NAME
       mmls - Display the partition layout of a volume system (partition tables)

SYNOPSIS
       mmls [-t mmtype ] [-o offset ] [ -i imgtype ] [-b dev_sector_size] [-BrvV] [-aAmM] image [images]

DESCRIPTION
       mmls displays the layout of the partitions in a volume system, which include partition tables and disk labels.

ARGUMENTS
       -t mmtype
              Specify the media management type. Use '-t list' to list the supported types. If not given, autodetection methods are used.

       -o offset
              Specify the offset into the image where the volume containing the partition system starts. The relative offset of the partition system will be added to this value.

       -b dev_sector_size
              The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512-bytes is assumed.

       -i imgtype
              Identify the type of image file, such as raw or split. If not given, autodetection methods are used.

       -B     Include a column with the partition sizes in bytes

       -r     Recurse into DOS partitions and look for other partition tables. This setup frequently occurs when Unix is installed on x86 systems.

       -v     Verbose output of debugging statements to stderr

       -V     Display version

       -a     Show allocated volumes

       -A     Show unallocated volumes

       -m     Show metadata volumes

       -M     Hide metadata volumes

       image [images]
              One (or more if split) disk images whose format is given with '-i'.

       'mmls' is similar to 'fdisk -lu' in Linux with a few differences. Namely, it will show which sectors are not being used so that those can be searched for hidden data. It also gives the length value so that it can be plugged into 'dd' more easily for extracting the partitions. It also will show BSD disk labels for Free, Open, and NetBSD and will display the output in sectors and not cylinders. Lastly, it works on non-Linux systems.

       If none of -a, -A, -m, or -M are given then all volume types will be listed. If any of them are given, then only the types specified on the command line will be listed.

       Allocated volumes are those that are listed in a partition table in the volume system AND can store data. Unallocated volumes are virtually created by mmls to show you which sectors have not been allocated to a volume.

       The metadata volumes overlap the allocated and unallocated volumes and describe where the partition tables and other metadata structures are located. In some volume systems, these structures are in allocated space and in others they are in unallocated space. In some volume systems, their location is explicitly given in the partition tables and in others they are not.

EXAMPLES
       To list the partition table of a Windows system using autodetect:

              # mmls disk_image.dd

       To list the contents of a BSD system that starts in sector 12345 of a split image:

              # mmls -t bsd -o 12345 -i split disk-1.dd disk-2.dd

AUTHOR
       Brian Carrier <carrier at sleuthkit dot org>

MMLS(1)
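
The description above says the Start and Length values can be plugged into 'dd', and that unallocated sectors can be searched for hidden data. The following is an added example, not part of the mmls distribution or the original man page, that turns mmls output into one dd command per allocated or unallocated volume. The sample table is constructed, the column layout assumes mmls was run without -B, and the function names and output file names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of mmls): turn mmls output into dd commands.

# Constructed sample of `mmls disk_image.dd` output (run without -B).
sample_mmls_output() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000204862   0000204800   Linux (0x83)
003:  -------   0000204863   0000208895   0000004033   Unallocated
EOF
}

# mmls_to_dd IMAGE: read mmls output on stdin and print one dd command per
# allocated or unallocated volume. Metadata volumes are skipped because they
# overlap the other two kinds. Commands are printed for review, not executed.
mmls_to_dd() {
    awk -v img="$1" '
        BEGIN { bs = 512 }   # same default mmls assumes for the sector size
        # "Units are in 512-byte sectors" gives the block size for dd.
        /^Units are in [0-9]+-byte sectors/ { bs = $4; sub(/-byte$/, "", bs) }
        # Volume rows begin with a row number such as "002:".
        $1 ~ /^[0-9]+:$/ && NF >= 6 {
            if ($2 == "Meta") next
            # A slot made only of dashes marks an unallocated volume.
            kind = ($2 ~ /^-+$/) ? "unalloc" : "part"
            row = $1; sub(/:$/, "", row)
            # "+ 0" strips the zero padding from Start and Length.
            printf "dd if=\"%s\" of=\"%s-%s.dd\" bs=%d skip=%d count=%d\n",
                   img, kind, row, bs, $3 + 0, $5 + 0
        }'
}

sample_mmls_output | mmls_to_dd disk_image.dd
```

The skip value printed for a partition row is the same sector offset that fls(1) expects for its -o option.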

FLS(1)							      General Commands Manual							    FLS(1)

NAME
       fls - List file and directory names in a disk image.

SYNOPSIS
       fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] [-b dev_sector_size] image [images] [ inode ]

DESCRIPTION
       fls lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given inode. If the inode argument is not given, the inode value for the root directory is used. For example, on an NTFS file system it would be 5 and on an Ext3 file system it would be 2.

       The arguments are as follows:

       -a     Display the "." and ".." directory entries (by default it does not)

       -d     Display deleted entries only

       -D     Display directory entries only

       -f fstype
              The type of file system. Use '-f list' to list the supported file system types. If not given, autodetection methods are used.

       -F     Display file (all non-directory) entries only.

       -l     Display file details in long format. The following contents are displayed:

              file_type inode file_name mod_time acc_time chg_time cre_time size uid gid

       -m mnt Display files in time machine format so that a timeline can be created with mactime(1). The string given as mnt will be prepended to the file names as the mounting point (for example /usr).

       -p     Display the full path for each entry. By default it denotes the directory depth on recursive runs with a '+' sign.

       -r     Recursively display directories. This will not follow deleted directories, because it can't.

       -s seconds
              The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100. This is only used if -l or -m are given.

       -i imgtype
              Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection methods are used.

       -o imgoffset
              The sector offset where the file system starts in the image.

       -b dev_sector_size
              The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512-bytes is assumed.

       -u     Display undeleted entries only

       -v     Verbose output to stderr.

       -V     Display version.

       -z zone
              The ASCII string of the time zone of the original system. For example, EST or GMT. These strings must be defined by your operating system and may vary.

       image [images]
              One (or more if split) disk or partition images whose format is given with '-i'.

       Once the inode has been determined, the file can be recovered using icat(1) from The Coroner's Toolkit. The amount of information recovered from deleted file entries varies depending on the system. For example, on Linux, a recently deleted file can be easily recovered, while in Solaris not even the inode can be determined. If you just want to find what file name belongs to an inode, it is easier to use ffind(1).

EXAMPLES
       To get a list of all files and directories in an image use:

              # fls -r image 2

       or just (if no inode is specified, the root directory inode is used):

              # fls -r image

       To get the full path of deleted files in a given directory:

              # fls -d -p image 29

       To get the mactime output do:

              # fls -m /usr/local image 2

       If you have a disk image and the file system starts in sector 63, use:

              # fls -o 63 disk-img.dd

       If you have a disk image that is split use:

              # fls -i "split" -o 63 disk-1.dd disk-2.dd disk-3.dd

SEE ALSO
       ffind(1), icat(1)

AUTHOR
       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>

FLS(1)