fls
fls is a command-line tool used for forensic analysis of file systems. It stands for File System Layer and is part of The Sleuth Kit, a popular open-source forensic toolkit. fls is designed to extract information about files and directories from various file systems, including common ones like FAT, NTFS, and EXT. It allows forensic investigators to gather vital information about a system, such as file names, timestamps, and file allocation details. The tool uses an inode-based approach to retrieve metadata associated with files, directories, and other file system objects. It can be used to extract information from a live system or to examine disk images obtained during forensic investigations. fls outputs information in a format that can be easily parsed and reviewed by forensic analysts. It supports various output formats, including body file format, CSV, and mactime format. It includes options to specify time thresholds, enabling investigators to filter files based on the last access, creation, or modification times. fls can also output further information, such as file paths and MD5 hashes, by utilizing other Sleuth Kit tools.
List of commands for fls:
- Build a recursive fls list over a device, output paths will start with C.
  $ fls -r -m ${C:} ${-dev-loop1p1}
- Analyze a single partition, providing the timezone of the original system.
  $ fls -r -m ${C:} -z ${timezone} ${-dev-loop1p1}
- Analyze a single partition, providing the sector offset at which the filesystem starts in the image.
  $ fls -r -m ${C:} -o ${sector} ${path-to-image_file}
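
The -m commands above write body file lines, which an analyst usually turns into a timeline. The following is an added example, not part of the original page or of The Sleuth Kit: a parser that assumes the TSK 3.x body layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in epoch seconds) and builds a mactime-style event list with optional time thresholds. The sample lines and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of `fls -r -m C:` output (assumed TSK 3.x body format):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|C:/Users/alice/notes.txt|4321-128-1|r/rrwxrwxrwx|0|0|1024|1700000300|1700000200|1700000200|1700000100
0|C:/Temp/odd|name.bin (deleted)|5000-128-3|r/rrwxrwxrwx|0|0|20|1700000500|1700000500|1700000500|1700000500
0|C:/$OrphanFiles/x.tmp|77-128-1|r/rrwxrwxrwx|0|0|0|0|0|0|0
"""

FIELDS = ("inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")

def parse_body_line(line):
    """Parse one body-file line; the name may itself contain '|'."""
    md5, rest = line.rstrip("\n").split("|", 1)
    parts = rest.rsplit("|", len(FIELDS))  # split from the right to protect the name
    if len(parts) != len(FIELDS) + 1:
        raise ValueError(f"malformed body line: {line!r}")
    rec = dict(zip(FIELDS, parts[1:]), md5=md5, name=parts[0])
    for key in ("size", "atime", "mtime", "ctime", "crtime"):
        rec[key] = int(rec[key])
    rec["deleted"] = rec["name"].endswith((" (deleted)", " (deleted-realloc)"))
    return rec

def timeline(body_text, since=0, until=None):
    """Return (epoch, 'macb' flags, name) events sorted by time, like mactime."""
    events = {}
    for line in body_text.splitlines():
        if not line.strip():
            continue
        rec = parse_body_line(line)
        for pos, key in enumerate(("mtime", "atime", "ctime", "crtime")):
            ts = rec[key]
            if ts == 0 or ts < since or (until is not None and ts > until):
                continue  # 0 means the timestamp is not set
            flags = events.setdefault((ts, rec["name"]), list("...."))
            flags[pos] = "macb"[pos]
    return [(ts, "".join(f), name) for (ts, name), f in sorted(events.items())]

def render(events):
    """Format events as UTC lines for review."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {flags} {name}"
            for ts, flags, name in events]

if __name__ == "__main__":
    print("\n".join(render(timeline(SAMPLE_BODY))))
```

Splitting the nine fixed fields off from the right keeps file names that contain a pipe character intact, and zero timestamps are skipped so unset times do not appear as 1970 events.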