File System Image information using fls

1. #Sleuthkit - tools for forensics analysis on volume and filesystem
2. #FLS Notes
3. sudo apt install sleuthkit
4.  
5. #create empty img file
6. dd bs=512 count=500 if=/dev/zero of=test.img
7.  
8. #format it as FAT file system
9. mkfs.vfat test.img
10.  
11. #check that it's formatted with file
12. file test.img
13.  
14. #mount the image
15. mkdir mnt
16. sudo mount test.img mnt
17.  
18. #create some folders and file
19. sudo mkdir mnt/folder_{1..5}/
20. sudo mkdir mnt/folder_{1..5}/subfolder_{a..c}
21. sudo touch mnt/folder_1/file_{A..G}.txt
22.  
23. #unmount img
24. sudo umount mnt
25.  
26. #list main directories
27. fls test.img
28.  
29. #list subdirectories
30. fls -r test.img
31.  
32. #list with full path name
33. fls -rp test.img
34.  
35. #Deleted files
36. sudo mount test.img mnt
37. rm mnt/folder_1/file_A.txt
38. rm mnt/folder_1/file_B.txt
39. sudo umount mnt
40.  
41. fls -rp test.img #note the * next to the deleted files
42. #list only deleted file
43. fls -rpd test.img
44.  
45. #list Only Directories
46. fls -rpD test.img
47.  
48. #list only files
49. fls -rpF test.img
50.  
51. #list only output from a directory by using its "inode" number
52. fls -rpD test.img 12
53.  
54. #list supported fstypes
55. fls -f list