Re: [sleuthkit-users] Fls vs Ils
From: Brian C. <ca...@sl...> - 2005-04-26 22:45:48
On Apr 26, 2005, at 10:50 AM, Jaime Chang wrote:

> Hello everybody,
>
> If I was looking for all files using the commands below. Is it
> possible that one command could return more files than the other one?

Yes.

> ils -eZ -f fat test.img
> fls -r -f fat test.img
>
> Basically, I'd like to know if there is any difference on how files
> are searched between fls and ils commands.

They are entirely different (which is why the speeds are different and they have different names :) ). 'fls' traverses the directory and file name hierarchy (like users normally do) and 'ils' traverses the metadata tables (like inode tables or MFT). 'ils' ignores names entirely and knows nothing about parent directories and the like. It is possible to have metadata entries that do not have a name associated with them and similarly there could be multiple names for a single metadata entry. Therefore the numbers could be different.

> I noticed that in one of my test scenarios, I was actually getting
> less files using the ils command

This is not surprising. There are many reasons why this can happen, but since you are asking about FAT specifically, I'll give you one. The '-Z' check in ils verifies that the c-time is non-zero. This is legacy from TCT and was used to organize the unallocated inodes that had been used and those that had not. I have found many files in a FAT file system where Windows system files had a c-time of 0. So, when you add the '-Z', you are skipping those odd files in the 'ils' command, but 'fls' will print them.

brian
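The difference described in the message above can be checked by comparing the metadata addresses each tool reports. The following is an added example, not part of the original message or of The Sleuth Kit: it parses saved `fls -r` and `ils -e` output and reports entries with no name, entries with several names, and entries whose c-time is 0 (the ones `-Z` would skip). The sample output is constructed, and the pipe-delimited `ils` column layout with an `st_ino` header row is an assumption that may differ between versions.

```python
import re

# Constructed sample output, not from a real image and not tied to one file
# system. ils columns are read from its header row (assumed pipe-delimited).
FLS_OUT = """\
r/r 3:\tSYSFILE
d/d 5:\tdocs
+ r/r 72:\tlink-a
r/r 72:\tlink-b
r/r * 80:\told.txt
"""
ILS_OUT = """\
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
3|a|0|0|1114500000|1114473600|0|0|100644|1|40000
5|a|0|0|1114500100|1114473600|1114500100|0|40755|1|512
72|a|0|0|1114500300|1114473600|1114500300|0|100644|2|100
80|f|0|0|1114500400|1114473600|1114500400|0|100644|0|300
90|f|0|0|1114500500|1114473600|1114500500|0|100644|0|700
"""

# [+ ]* is the -r depth prefix, "*" marks a deleted name, then the address.
FLS_LINE = re.compile(r"^[+ ]*\S+/\S+\s+(\*\s+)?(\d+)[^:]*:\s*(.*)$")

def parse_fls(text):
    # metadata address -> names found by walking directories (fls view)
    names = {}
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m:
            names.setdefault(int(m.group(2)), []).append(m.group(3))
    return names

def parse_ils(text):
    # metadata address -> row, found by walking the metadata table (ils view)
    rows, cols = {}, None
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] == "st_ino":
            cols = fields
        elif cols and len(fields) == len(cols):
            rows[int(fields[0])] = dict(zip(cols, fields))
    return rows

def compare(fls_text, ils_text):
    names, inodes = parse_fls(fls_text), parse_ils(ils_text)
    return {"unnamed": sorted(set(inodes) - set(names)),
            "multi_named": sorted(a for a, n in names.items() if len(n) > 1),
            "zero_ctime": sorted(a for a, r in inodes.items() if r["st_ctime"] == "0")}

if __name__ == "__main__":
    print(compare(FLS_OUT, ILS_OUT))
```
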