In this example, I am using the SysInternals.E01 file from CyberDefenders' challenge. To list all deleted and existing files of a disk image, we can use the fls command.
fls: lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given inode.
mmls: displays the layout of the partitions in a volume system, which includes partition tables and disk labels.
Determine offset if needed
To check the partitioning system, use mmls. If it prints a partition table, check my mounting guides to identify the offset of interest.
sudo mmls /mnt/ewf/ewf1
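Use fls to list all existing entries
Without -d or -u, fls prints deleted entries as well, marked with an asterisk (*); add -u to restrict the listing to undeleted entries.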
sudo fls -r /mnt/ewf/ewf1 > existing.txt
Use fls -d to list all deleted entries
sudo fls -r -d /mnt/ewf/ewf1 > deleted.txt
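When mmls does report partitions, fls needs the start sector of the file system, passed with its -o option. The following is an added example, not part of the original post: it extracts the start sectors from mmls output and prints one pair of fls commands per partition. The mmls listing is constructed sample data, and the function names and output file names are assumptions.

```shell
#!/bin/sh
# Added example: derive fls -o offsets from mmls output.
# SAMPLE_MMLS is constructed sample data, not output from SysInternals.E01.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)'

# partition_offsets (hypothetical helper): read mmls output on stdin and print
# the start sector of every real partition. A real partition has a numeric
# slot (DOS style "000:001" or GPT style "000"); Meta and Unallocated rows
# are skipped. Leading zeros are stripped as text so large sector numbers
# are never reformatted by awk.
partition_offsets() {
    awk '$1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+(:[0-9]+)?$/ {
        s = $3
        sub(/^0+/, "", s)
        print (s == "" ? "0" : s)
    }'
}

# fls_commands IMAGE (hypothetical helper): read mmls output on stdin and
# print, without running them, the fls commands for each partition.
#   -o  sector offset of the file system inside the image
#   -u  undeleted entries only, -d deleted entries only
fls_commands() {
    partition_offsets | while read -r off; do
        printf 'sudo fls -r -u -o %s %s > existing_%s.txt\n' "$off" "$1" "$off"
        printf 'sudo fls -r -d -o %s %s > deleted_%s.txt\n' "$off" "$1" "$off"
    done
}

# Against a real image: sudo mmls /mnt/ewf/ewf1 | fls_commands /mnt/ewf/ewf1
printf '%s\n' "$SAMPLE_MMLS" | fls_commands /mnt/ewf/ewf1
```

Writing one output file per offset keeps the listings of different partitions apart, since inode numbers are only unique within a single file system.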


