11-27-2009
Finding filename given inode in AIX
Use "ncheck" to find a filename given an inode.
You will need to supply the inode and the filesystem that it came from.
If the file has been deleted - meaning ALL instances of it - then this command will not work as it uses filesystem directory entries to make the connection between a filename and the inode.
When you rm a file, you are actually un-linking it. This means that you are removing the directory entry and releasing the inode. So if you still have the file open, and it has been deleted (rm'ed) then it does not have a name (anymore).
Of course it is possible to have multiple (hard) links to a file - and therefore it would be possible to find a filename although it would not be the same as the deleted name. (name = full path to file).
The ncheck command (as well as other AIX info) can be found here:
AIX QuickStart
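The behaviour described in the post above, as an added example that is not part of the original post: it uses `find -xdev -inum` as a portable stand-in for `ncheck` and shows that an inode resolves to every remaining hard link, and to no name at all once the last link is removed, even while the data is still readable through an open descriptor. The function names and the temporary files are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# Print the inode number of a path.
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# Print every path under directory $1 whose directory entry points at inode $2.
# -xdev keeps the search on one filesystem, since inode numbers are only
# unique per filesystem (the reason ncheck needs the filesystem as well).
names_for_inode() {
    find "$1" -xdev -inum "$2" -print 2>/dev/null | sort
}

# Walk through the cases from the post inside a constructed temp directory.
# Prints: <names with two links> <surviving name> <names after last rm> <data>
demo() {
    work=$(mktemp -d) || return 1
    echo "evidence" > "$work/original.log"
    ln "$work/original.log" "$work/hardlink.log"      # second hard link
    ino=$(inode_of "$work/original.log")

    n_two=$(names_for_inode "$work" "$ino" | wc -l | tr -d ' ')

    # Unlink one name: the inode is still reachable, under the other name.
    rm "$work/original.log"
    left=$(names_for_inode "$work" "$ino")

    # Hold the file open, then unlink the last name.
    exec 3< "$work/hardlink.log"
    rm "$work/hardlink.log"
    n_zero=$(names_for_inode "$work" "$ino" | wc -l | tr -d ' ')

    # No directory entry is left, yet the data is intact via the descriptor.
    data=$(cat <&3)
    exec 3<&-

    rm -rf "$work"
    echo "$n_two $(basename "$left") $n_zero $data"
}

demo
```

During incident response, the last case is why a process can keep reading or writing a file that no name-based search will find; the content has to be recovered through the open descriptor or from a disk image.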
FLS(1) General Commands Manual FLS(1)
NAME
fls - List file and directory names in a disk image.
SYNOPSIS
fls [-adDFlpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] [-b dev_sector_size] image [images] [ inode ]
DESCRIPTION
fls lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given
inode. If the inode argument is not given, the inode value for the root directory is used. For example, on an NTFS file system it would be
5 and on a Ext3 file system it would be 2.
The arguments are as follows:
-a  Display the "." and ".." directory entries (by default it does not)
-d  Display deleted entries only
-D  Display directory entries only
-f fstype
    The type of file system. Use '-f list' to list the supported file system types. If not given, autodetection methods are used.
-F  Display file (all non-directory) entries only.
-l  Display file details in long format. The following contents are displayed:
    file_type inode file_name mod_time acc_time chg_time cre_time size uid gid
-m mnt
    Display files in time machine format so that a timeline can be created with mactime(1). The string given as mnt will be
    prepended to the file names as the mounting point (for example /usr).
-p  Display the full path for each entry. By default it denotes the directory depth on recursive runs with a '+' sign.
-r  Recursively display directories. This will not follow deleted directories, because it can't.
-s seconds
    The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be
    -100. This is only used if -l or -m are given.
-i imgtype
    Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection
    methods are used.
-o imgoffset
    The sector offset where the file system starts in the image.
-b dev_sector_size
    The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or
    512-bytes is assumed.
-u  Display undeleted entries only
-v  Verbose output to stderr.
-V  Display version.
-z zone
    The ASCII string of the time zone of the original system. For example, EST or GMT. These strings must be defined by your operating
    system and may vary.
image [images]
    One (or more if split) disk or partition images whose format is given with '-i'.
Once the inode has been determined, the file can be recovered using icat(1) from The Coroners Toolkit. The amount of information recovered
from deleted file entries varies depending on the system. For example, on Linux, a recently deleted file can be easily recovered, while in
Solaris not even the inode can be determined. If you just want to find what file name belongs to an inode, it is easier to use ffind(1).
EXAMPLES
To get a list of all files and directories in an image use:
# fls -r image 2
or just (if no inode is specified, the root directory inode is used):
# fls -r image
To get the full path of deleted files in a given directory:
# fls -d -p image 29
To get the mactime output do:
# fls -m /usr/local image 2
If you have a disk image and the file system starts in sector 63, use:
# fls -o 63 disk-img.dd
If you have a disk image that is split use:
# fls -i "split" -o 63 disk-1.dd disk-2.dd disk-3.dd
SEE ALSO
ffind(1), icat(1)
AUTHOR
Brian Carrier <carrier at sleuthkit dot org>
Send documentation updates to <doc-updates at sleuthkit dot org>
FLS(1)