Difference between revisions of "Blkcat"
From SleuthKitWiki
(New page: Version 2.09 Man Page NAME dcat - Display the contents of disk "chunks" from a forensic image SYNOPSIS dcat [-ahswvV] [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffse...) |
m (Reformatted) |
||
| Line 1: | Line 1: | ||
| − | + | Back to [[Help Documents]] | |
| − | + | ==dcat== | |
| − | + | Version 2.09 | |
| − | |||
| − | |||
| − | |||
| − | + | ===Purpose=== | |
| − | + | Displays num data units (default is one) starting at the unit address unit_addr from image to stdout in different formats (default is raw). The image should be created using dd(1). | |
| − | + | ||
| − | + | ||
| − | |||
| − | + | ===Usage=== | |
| − | + | dcat [-ahswvV] [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset] image [images] unit_addr [num] | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ===Options=== | |
| − | + | {| border="1" cellpadding="5" | |
| − | + | !Switch | |
| + | !Purpose | ||
| + | |- | ||
| + | | -a || Display the contents in ASCII | ||
| + | |- | ||
| + | | -f || Specify image as a specific file type. If ’swap’ is given here, the image will be displayed in pages of size 4096 bytes. If ’raw’ is given, then 512-bytes is used as the default size. The ’-u’ flag can change the default size. Use the -? argument to display supported types. If not given, the default type for the platform is used. | ||
| + | |- | ||
| + | | -h || Display the contents in hexdump | ||
| + | |- | ||
| + | | -s || Display statistics on the image (unit size, file block size, and number of fragments). | ||
| + | |- | ||
| + | | -u || Specify the size of the default data unit for raw, dls, and swap images. | ||
| + | |- | ||
| + | | -i imgtype || Identify the type of image file, such as raw or split. Raw is the default. | ||
| + | |- | ||
| + | | -o imgoffset || The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). | ||
| + | |- | ||
| + | | -v || Verbose output to stderr. | ||
| + | |- | ||
| + | | -V || Display version. | ||
| + | |- | ||
| + | | -w || Display the contents in an HTML table format. | ||
| + | |- | ||
| + | | image [images] || One (or more if split) disk or partition images whose format is given with ’-i’. | ||
| + | |- | ||
| + | | unit_addr || Address of the disk unit to display. The size of a unit on this file system can be determined using the -s option. | ||
| + | |- | ||
| + | | num || Number of data units to display. | ||
| + | |} | ||
| − | |||
| − | |||
| − | + | ===Example=== | |
| − | + | # dcat -hw image 264 4 | |
| − | + | or | |
| + | # dcat -hw image 264 | ||
| − | |||
| − | |||
| − | |||
| − | + | ===History=== | |
| + | dcat first appeared in TCTUTILs v1.0 as bcat. | ||
| − | |||
| − | + | ===Author=== | |
| − | + | Brian Carrier <carrier@sleuthkit.org> | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
Revision as of 03:28, 18 November 2007
Back to Help Documents
dcat
Version 2.09
Purpose
Displays num data units (default is one) starting at the unit address unit_addr from image to stdout in different formats (default is raw). The image should be created using dd(1).
Usage
dcat [-ahswvV] [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset] image [images] unit_addr [num]
Options
| Switch | Purpose |
|---|---|
| -a | Display the contents in ASCII |
| -f | Specify image as a specific file type. If ’swap’ is given here, the image will be displayed in pages of size 4096 bytes. If ’raw’ is given, then 512-bytes is used as the default size. The ’-u’ flag can change the default size. Use the -? argument to display supported types. If not given, the default type for the platform is used. |
| -h | Display the contents in hexdump |
| -s | Display statistics on the image (unit size, file block size, and number of fragments). |
| -u | Specify the size of the default data unit for raw, dls, and swap images. |
| -i imgtype | Identify the type of image file, such as raw or split. Raw is the default. |
| -o imgoffset | The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). |
| -v | Verbose output to stderr. |
| -V | Display version. |
| -w | Display the contents in an HTML table format. |
| image [images] | One (or more if split) disk or partition images whose format is given with ’-i’. |
| unit_addr | Address of the disk unit to display. The size of a unit on this file system can be determined using the -s option. |
| num | Number of data units to display. |
Example
# dcat -hw image 264 4
or
# dcat -hw image 264
History
dcat first appeared in TCTUTILs v1.0 as bcat.
Author
Brian Carrier <carrier@sleuthkit.org>
