annotate ffstools/Usage @ 966:64cddafcd939

.hgignore: rvinterf clean-up
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Sat, 07 Nov 2015 00:18:03 +0000
parents 63cd64625597
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
250
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
1 The generic tiffs utility needs to be invoked as follows:
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
2
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
3 tiffs [global-options] <imgfile> <org> <cmd> [command-args]
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
4
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
5 The first 3 non-optional arguments are the filename of the TIFFS image under
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
6 examination, the FFS organization being examined, and the operation to be
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
7 performed. The present utility is designed in the classic Unix manner in that
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
8 each invokation performs a single operation and exits, such that invokations of
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
9 tiffs (or one of the wrappers described below) may be plumbed into pipes and
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
10 the like.
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
11
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
12 The 2nd argument to tiffs after the FFS image filename describes how the TIFFS
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
13 instance under study is organized in terms of flash sectors. The syntax of
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
14 this argument is KxN, where K is the flash sector size in KiB and N is the
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
15 number of sectors occupied by the FFS. For MokoFFS images the correct
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
16 organization argument is 64x7 (7 sectors of 64 KiB each); for Pirelli's FFS
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
17 images it is 256x18 (18 sectors of 256 KiB each).
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
18
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
19 The following global options may be given before the image filename argument:
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
20
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
21 -a num
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
22
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
23 Use the specified flash block (sector) as the inode array block.
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
24
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
25 -o offset
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
26
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
27 The FFS image begins at the specified offset within the file, rather
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
28 than at the beginning. This option is useful when working with complete
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
29 device flash dumps of which FFS is only a part, starting somewhere
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
30 other than at 0.
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
31
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
32 -r ino
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
33
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
34 Use the specified inode as the root. Per Falcon's convention, TIFFS
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
35 inode numbers are always given in hex, hence this argument is
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
36 interpreted as hex without needing a 0x prefix.
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
37
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
38 The invokation syntax for mokoffs and pirffs wrappers is the same as for tiffs,
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
39 except that the FFS organization argument (64x7 or 256x18) is omitted; the
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
40 wrapper fills that argument in before passing the command to the main tiffs
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
41 program. The only other difference is that instead of the generic -o global
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
42 option, mokoffs takes a -f global option (no argument) which indicates that one
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
43 is working with a complete flash dump image, rather than just the FFS portion;
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
44 mokoffs -f gets translated into tiffs -o0x380000. (pirffs has no such option
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
45 at all because Pirelli's FFS starts at offset 0 within its respective flash
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
46 chip select.)
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
47
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
48 The next argument after the FFS organization for tiffs (or after the image
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
49 filename for mokoffs/pirffs) is the command (or operation) to be performed.
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
50 The following tiffs commands are currently available:
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
51
251
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
52 General information commands
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
53 ============================
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
54
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
55 These commands display general or summary information about the FFS image:
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
56
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
57 tiffs <...> blkhdr
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
58
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
59 This command displays the basic information contained in the header of each
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
60 flash erase block comprising the FFS image.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
61
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
62 tiffs <...> fsinfo
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
63
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
64 This command displays some general information about the file system.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
65
250
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
66 Standard listing/extraction commands
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
67 ====================================
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
68
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
69 These commands list or extract the normally-visible content of the FFS, i.e.,
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
70 the content which is visible when the FFS is "mounted" normally, and which the
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
71 FFS promises to preserve - as opposed to deleted or overwritten content.
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
72
251
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
73 tiffs <...> ls [-v[v]] [pathname...]
250
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
74
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
75 Tiffs ls without additional arguments yields a listing of the complete FFS
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
76 directory tree, akin to tar tv. Example output fragment:
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
77
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
78 fr 4096 /.journal
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
79 d /gsm
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
80 d /gsm/rf
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
81 d /gsm/rf/tx
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
82 f 512 /gsm/rf/tx/ramps.900
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
83 f 128 /gsm/rf/tx/levels.900
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
84 f 128 /gsm/rf/tx/calchan.900
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
85
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
86 The first character is 'f' for files or 'd' for directories. An 'r' following
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
87 immediately afterward means that the object has the read-only attribute set.
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
88 For files the listing includes the content size in bytes, and the last part is
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
89 the pathname of the object within the FFS.
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
90
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
91 With a single -v option added after ls, the output will include verbose
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
92 information as to the segmentation structure of each file. With two -v options
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
93 or with -vv, this additional output will also include the byte offset of each
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
94 data chunk, relative to the beginning of the FFS image.
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
95
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
96 Tiffs ls with a pathname argument yields information about the specified FFS
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
97 object; -v and -vv options act as already described, but are arguably more
3d88461d8284 beginning of TIFFS IVA documentation
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
98 useful when listing single files.
251
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
99
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
100 tiffs <...> cat [-v|-h] pathname
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
101
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
102 Just like the standard Unix cat(1) command, but cat'ing files from the FFS image
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
103 under study. The non-standard -h option means hex dump - it is handy because
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
104 almost all files in TI's GSM device FFS are binary, rather than ASCII.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
105
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
106 tiffs <...> xtr dest-dir
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
107
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
108 This command extracts the complete content of the FFS into your ordinary Unix
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
109 file system. The sole argument is the local directory into which the root of
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
110 the GSM device FFS should be extracted.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
111
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
112 Forensic analysis commands
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
113 ==========================
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
114
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
115 Unlike the "standard" listing/extraction commands which present TIFFS as a
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
116 "normal" Unix file system, using the "forensic" commands effectively requires
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
117 that the operator understands how TIFFS works, in particular, what an inode is
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
118 in TIFFS.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
119
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
120 tiffs <...> lsino [-v[v]]
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
121
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
122 This command lists the FFS inode array from first to last; this listing order
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
123 will normally correspond to the forward chronological order of object creation.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
124 -v and -vv options add verbosity.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
125
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
126 '.' in the object type column means segment, '~' means a deleted object. The
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
127 lsino command only lists the inode array, and does not try to recover the
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
128 original type of deleted/overwritten objects from the journal or other clues.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
129 The program attempts to recover the pathname of each inode, but because such
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
130 reverse mapping from inodes to pathnames is not an operation which TIFFS was
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
131 properly designed to support, and the pathname recovery algorithm in this TIFFS
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
132 IVA tool is made as generic as possible (doesn't look at the object types), the
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
133 lsino listing will occasionally include some bogus pathnames. Once again, it
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
134 is expected that the operator knows what s/he is doing when using these forensic
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
135 commands.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
136
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
137 tiffs <...> lsino [-v[v]] [-f] ino...
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
138
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
139 This command works just like ls with an explicit pathname argument, but takes
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
140 one or more inode numbers instead. The -f option matters only if the requested
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
141 inode is in the deleted/overwritten state; it tells the lsino command to assume
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
142 that the object is/was the head inode of a file; -vf and -vvf combinations are
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
143 particularly useful.
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
144
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
145 tiffs <...> catino [-v|-h] ino
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
146
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
147 Just like regular cat, but takes an inode number instead of a pathname. Can be
63cd64625597 ffstools/Usage write-up done
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 250
diff changeset
148 used to cat the old content of deleted or overwritten files.