So, I am playing around with fls and ils and the output they give for timelining.
I guess I am not seeing when one would be more appropriate than the other. More exactly, I have normally been using fls to create timelines, but am wondering if there are instances when ils would be more appropriate and useful?
Any advice and insight would be helpful.
Does this help..?
Using the 'fls' tool, the data associated with allocated and some unallocated files can be gathered. To do this requires the '-m' argument with the '-r' flag to gather all files. This needs to be done for each partition image.
NOTE: Some systems delete the link between deleted file names and meta data, such as Solaris, so only information about allocated files will be useful.
Using the 'ils' tool, the data associated with unallocated meta data can be gathered. When files are deleted, the times associated with the file are updated. Although many times we may not be able to link the original name to the meta data, it will still give some clue with respect to when activity occurred. This uses the '-m' flag of 'ils'.
From Brian Carrier's "File activity timelines" - available here
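An added example, not part of the original posts or of Carrier's document: merging `fls -m` and `ils -m` body output so that unallocated inodes with no surviving file name still contribute events to the timeline. It assumes the TSK 3.x body layout; the sample lines, image name and function names are constructed for illustration.

```python
# Body file layout assumed here (TSK 3.x):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# Constructed sample output of 'fls -r -m /' and 'ils -m' on the same image.
FLS_BODY = """\
0|/etc/passwd|1201|r/rrw-r--r--|0|0|1843|1700000300|1700000100|1700000100|0
0|/tmp/notes.txt (deleted)|1310|r/rrw-r--r--|1000|1000|512|1700000500|1700000400|1700000600|0
"""
ILS_BODY = """\
0|<disk.img-dead-1310>|1310|-/rrw-r--r--|1000|1000|512|1700000500|1700000400|1700000600|0
0|<disk.img-dead-1422>|1422|-/rrwx------|1000|1000|20480|1700000700|1700000650|1700000800|0
"""

def parse_body(text):
    """Parse body lines into dicts holding name, inode and MACB times."""
    entries = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 11:
            continue  # not a body line
        a, m, c, b = (int(x) for x in f[-4:])
        entries.append({
            "name": "|".join(f[1:-9]),     # a file name may itself contain '|'
            "inode": f[-9].split("-")[0],  # drop an NTFS attribute suffix if present
            "times": {"a": a, "m": m, "c": c, "b": b},
        })
    return entries

def merge(fls_text, ils_text):
    """Keep every fls entry; keep ils entries only for inodes fls did not name."""
    named = parse_body(fls_text)
    seen = {e["inode"] for e in named}
    orphans = [e for e in parse_body(ils_text) if e["inode"] not in seen]
    return named, orphans

def timeline(entries):
    """One event per non-zero timestamp, sorted by time."""
    events = []
    for e in entries:
        for flag, ts in e["times"].items():
            if ts:
                events.append((ts, flag, e["inode"], e["name"]))
    return sorted(events)

if __name__ == "__main__":
    named, orphans = merge(FLS_BODY, ILS_BODY)
    for ts, flag, inode, name in timeline(named + orphans):
        print(ts, flag, inode, name)
```

Inode 1310 is already covered by the deleted name that fls recovered, so only inode 1422, which has no name left, is taken from the ils output.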