There are several required and optional arguments. The image file names must be specified each time:
image [images]
The disk or partition image to read, whose format is given with '-i'. Multiple image file names
can be given if the image is split into multiple segments. If only one image file is given, and
its name is the first in a sequence (e.g., as indicated by ending in '.001'), subsequent image
segments will be included automatically.
You must also specify what you are looking for and include one of the following:
-d data_unit
Finds the meta data structure that has allocated a given data unit (block, cluster, etc.)
-n file
Finds the meta data structure that is pointed to by the given file name.
-p par_inode
Finds the unallocated MFT entries in an NTFS image that have the given inode as the parent. Can
be used with '-l and -z'.
There are also several optional arguments:
-a Find all meta-data structures (only works when looking with a data_unit).
-f fstype
Specify the file system type. Use '-f list' to list the supported file system types. If not
given, autodetection methods are used.
-l List the details of each file found with '-p', like 'fls -l'.
-i imgtype
Identify the type of image file, such as raw. Use '-i list' to list the supported types. If not
given, autodetection methods are used.
-o imgoffset
The sector offset where the file system starts in the image.
-b dev_sector_size
The size, in bytes, of the underlying device sectors. If not given, the value in the image format
is used (if it exists) or 512-bytes is assumed.
-v Verbose output to stderr.
-V Display version.
-z ZONE
If '-p -l' were given, this will set the timezone for the correct times.