Difference between revisions of "Blkcalc"

From SleuthKitWiki
Jump to: navigation, search
m (Reformatted)
(Added data units link)
 
(3 intermediate revisions by one user not shown)
Line 1: Line 1:
 
Back to [[Help Documents]]
 
Back to [[Help Documents]]
  
==dcalc==
+
blkcalc is used to map between the output of [[blkls]] and the original file system [[data unit]]s. blkls can be used to extract the  unallocated [[data unit]]s from a file system.  Once data is found in the unallocated data though, you may want to know where the data was in the original file system.  blkcalc is used for that. blkcalc used to be called dcalc.
Version 2.09
+
  
 
+
* [http://www.sleuthkit.org/sleuthkit/man/blkcalc.html Automatically Updated man Page]
===Purpose===
+
Creates a disk unit number mapping between two images, one normal and another that only contains the unallocated units of the first (the default behavior of the dls(1) program). One of the -d, -s, or -u value is the disk unit address in the regular image (i.e. from dd(1) ).  If the unit is unallocated, its address in an unallocated image is given. If the -u option is given, then the unit_addr value is the disk unit address in the unallocated unit image (i.e. from dls(1) ). Its disk unit address in the original image is determined. If the -s option is given, then the unit_addr value is the disk unit address in the slack image (i.e. from dls -s). The image is the full, original image (i.e. from dd(1)).
+
 
+
 
+
===Usage===
+
dcalc [-dsu unit_addr] [-vV] [-i imgtype] [-o imgoffset] [-f fstype] image [images]
+
 
+
 
+
===Options===
+
 
+
{| border="1" cellpadding="5"
+
!Switch
+
!Purpose
+
|-
+
| -f fstype || Identify the File System type of the image. Use the -? argument for a list of supported file system types. If not given, the default type for the platform is used.
+
|-
+
| -i imgtype || Identify the type of image file, such as raw or split. Raw is the default.
+
|-
+
| -o imgoffset || The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048)
+
|-
+
| -v || Verbose output to STDERR.
+
|-
+
| -V || Display version.
+
|}
+
 
+
 
+
===Example===
+
# dcalc -u 64 images/wd0e
+
 
+
 
+
===History===
+
dcalc first appeared in TCTUTILs v1.01. as blockcalc.
+
 
+
 
+
===Author===
+
Brian Carrier <carrier@sleuthkit.org>
+

Latest revision as of 07:50, 4 January 2010

Back to Help Documents

blkcalc is used to map between the output of blkls and the original file system data units. blkls can be used to extract the unallocated data units from a file system. Once data is found in the unallocated data though, you may want to know where the data was in the original file system. blkcalc is used for that. blkcalc used to be called dcalc.