Difference between revisions of "Blkcat"

From SleuthKitWiki
Jump to: navigation, search
(New page: Version 2.09 Man Page NAME dcat - Display the contents of disk "chunks" from a forensic image SYNOPSIS dcat [-ahswvV] [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffse...)
 
m (Reformatted)
Line 1: Line 1:
Version 2.09 Man Page
+
Back to [[Help Documents]]
  
NAME
+
==dcat==
      dcat - Display the contents of disk "chunks" from a forensic image
+
Version 2.09
  
SYNOPSIS
 
      dcat  [-ahswvV]  [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset]
 
      image [images] unit_addr [num]
 
  
DESCRIPTION
+
===Purpose===
      dcat displays num data units (default is  one)  starting  at  the  unit
+
Displays num data units (default is  one)  starting  at  the  unit address unit_addr from image to stdout in different formats (default is raw).  The image should be created using dd(1).
      address unit_addr from image to stdout in different formats (default is
+
      raw).  The image should be created using dd(1).
+
  
      The arguments are as follows:
 
  
      -a    Display the contents in ASCII
+
===Usage===
  
      -f    Specify image as a specific file type.  If ’swap’ is given here,
+
  dcat [-ahswvV] [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset] image [images] unit_addr [num]
              the  image  will  be  displayed in pages of size 4096 bytes. If
+
              ’raw’ is given, then 512-bytes is used as the default size. The
+
              ’-u’  flag  can change the default size.  Use the -? argument to
+
              display supported types.  If not given, the default type for the
+
              platform is used.
+
  
      -h    Display the contents in hexdump
+
===Options===
  
      -s     Display  statistics  on  the  image (unit size, file block size,
+
{| border="1" cellpadding="5"
              and number of fragments).
+
!Switch
 +
!Purpose
 +
|-
 +
| -a || Display the contents in ASCII
 +
|-
 +
| -f || Specify image as a specific file type.  If ’swap’ is given here, the  image  will  be  displayed in pages of size 4096 bytes.  If ’raw’ is given, then 512-bytes is used as the default size.  The ’-u’  flag  can change the default size.  Use the -? argument to display supported types.  If not given, the default type for the platform is used.
 +
|-
 +
| -h || Display the contents in hexdump
 +
|-
 +
| -s || Display  statistics  on  the  image (unit size, file block size, and number of fragments).
 +
|-
 +
| -u || Specify the size of the default data unit for raw, dls, and swap images.
 +
|-
 +
| -i imgtype || Identify  the  type of image file, such as raw or split.  Raw is the default.
 +
|-
 +
| -o imgoffset || The sector offset where the file system  starts  in  the  image.  Non-512 byte sectors can be specified using ’@’ (32@2048).
 +
|-
 +
| -v || Verbose output to stderr.
 +
|-
 +
| -V || Display version.
 +
|-
 +
| -w || Display the contents in an HTML table format.
 +
|-
 +
| image [images] || One  (or more if split) disk or partition images whose format is given with ’-i’.
 +
|-
 +
| unit_addr || Address of the disk unit to display.  The size of a unit on this file system can be determined using the -s option.
 +
|-
 +
| num || Number of data units to display.
 +
|}
  
      -u    Specify the size of the default data unit for raw, dls, and swap
 
              images.
 
  
      -i imgtype
+
===Example===
              Identify the  type of image file, such as raw or split.  Raw is
+
  # dcat -hw image 264 4
              the default.
+
or
 +
# dcat -hw image 264
  
      -o imgoffset
 
              The sector offset where the file system  starts  in  the  image.
 
              Non-512 byte sectors can be specified using ’@’ (32@2048).
 
  
      -v    Verbose output to stderr.
+
===History===
 +
dcat first appeared in TCTUTILs v1.0 as bcat.
  
      -V    Display version.
 
  
      -w    Display the contents in an HTML table format.
+
===Author===
 
+
Brian Carrier <carrier@sleuthkit.org>
      image [images]
+
              One  (or more if split) disk or partition images whose format is
+
              given with ’-i’.
+
 
+
      unit_addr
+
              Address of the disk unit to display.  The size of a unit on this
+
              file system can be determined using the -s option.
+
 
+
      num    Number of data units to display.
+
 
+
      The  basic  functionality of dcat can also be achieved using dd(1).  To
+
      determine which inode has allocated a given unit, the ifind(1)  command
+
      can be used.
+
 
+
EXAMPLES
+
      # dcat -hw image 264 4
+
 
+
      or
+
 
+
      # dcat -hw image 264
+
 
+
SEE ALSO
+
      dd(1), ifind(1)
+
 
+
HISTORY
+
      dcat first appeared in TCTUTILs v1.0 as bcat.
+
 
+
AUTHOR
+
      Brian Carrier <carrier@sleuthkit.org>
+

Revision as of 04:28, 18 November 2007

Back to Help Documents

dcat

Version 2.09


Purpose

Displays num data units (default is one) starting at the unit address unit_addr from image to stdout in different formats (default is raw). The image should be created using dd(1).


Usage

dcat [-ahswvV]  [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset] image [images] unit_addr [num]

Options

Switch Purpose
-a Display the contents in ASCII
-f Specify image as a specific file type. If ’swap’ is given here, the image will be displayed in pages of size 4096 bytes. If ’raw’ is given, then 512-bytes is used as the default size. The ’-u’ flag can change the default size. Use the -? argument to display supported types. If not given, the default type for the platform is used.
-h Display the contents in hexdump
-s Display statistics on the image (unit size, file block size, and number of fragments).
-u Specify the size of the default data unit for raw, dls, and swap images.
-i imgtype Identify the type of image file, such as raw or split. Raw is the default.
-o imgoffset The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048).
-v Verbose output to stderr.
-V Display version.
-w Display the contents in an HTML table format.
image [images] One (or more if split) disk or partition images whose format is given with ’-i’.
unit_addr Address of the disk unit to display. The size of a unit on this file system can be determined using the -s option.
num Number of data units to display.


Example

# dcat -hw image 264 4

or

# dcat -hw image 264


History

dcat first appeared in TCTUTILs v1.0 as bcat.


Author

Brian Carrier <carrier@sleuthkit.org>