From SleuthKitWiki
Revision as of 09:23, 17 November 2007 by Dhawkins (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Version 2.09 Man Page


      dcat - Display the contents of disk "chunks" from a forensic image


      dcat  [-ahswvV]  [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset]
      image [images] unit_addr [num]


      dcat displays num data units (default is  one)  starting  at  the  unit
      address unit_addr from image to stdout in different formats (default is
      raw).  The image should be created using dd(1).
      The arguments are as follows:
      -a     Display the contents in ASCII
      -f     Specify image as a specific file type.  If ’swap’ is given here,
             the  image  will  be  displayed in pages of size 4096 bytes.  If
             ’raw’ is given, then 512-bytes is used as the default size.  The
             ’-u’  flag  can change the default size.  Use the -? argument to
             display supported types.  If not given, the default type for the
             platform is used.
      -h     Display the contents in hexdump
      -s     Display  statistics  on  the  image (unit size, file block size,
             and number of fragments).
      -u     Specify the size of the default data unit for raw, dls, and swap
      -i imgtype
             Identify  the  type of image file, such as raw or split.  Raw is
             the default.
      -o imgoffset
             The sector offset where the file system  starts  in  the  image.
             Non-512 byte sectors can be specified using ’@’ (32@2048).
      -v     Verbose output to stderr.
      -V     Display version.
      -w     Display the contents in an HTML table format.
      image [images]
             One  (or more if split) disk or partition images whose format is
             given with ’-i’.
             Address of the disk unit to display.  The size of a unit on this
             file system can be determined using the -s option.
      num    Number of data units to display.
      The  basic  functionality of dcat can also be achieved using dd(1).  To
      determine which inode has allocated a given unit, the ifind(1)  command
      can be used.


      # dcat -hw image 264 4
      # dcat -hw image 264


      dd(1), ifind(1)


      dcat first appeared in TCTUTILs v1.0 as bcat.


      Brian Carrier <>