Difference between revisions of "Blkcat"

From SleuthKitWiki
Jump to: navigation, search
(New page: Version 2.09 Man Page NAME dcat - Display the contents of disk "chunks" from a forensic image SYNOPSIS dcat [-ahswvV] [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffse...)
 
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Version 2.09 Man Page
+
Back to [[Help Documents]]
  
NAME
+
blkcat is used to output the contents of a specific [[data unit]] in a file system.  It takes a data unit address as input and outputs the contents to STDOUT. It used to be called dcat.
      dcat - Display the contents of disk "chunks" from a forensic image
+
  
SYNOPSIS
+
* [http://www.sleuthkit.org/sleuthkit/man/blkcat.html Automatically Updated man Page]
      dcat  [-ahswvV]  [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset]
+
      image [images] unit_addr [num]
+
 
+
DESCRIPTION
+
      dcat displays num data units (default is  one)  starting  at  the  unit
+
      address unit_addr from image to stdout in different formats (default is
+
      raw).  The image should be created using dd(1).
+
 
+
      The arguments are as follows:
+
 
+
      -a    Display the contents in ASCII
+
 
+
      -f    Specify image as a specific file type. If ’swap’ is given here,
+
              the  image  will  be  displayed in pages of size 4096 bytes. If
+
              ’raw’ is given, then 512-bytes is used as the default size. The
+
              ’-u’  flag  can change the default size.  Use the -? argument to
+
              display supported types.  If not given, the default type for the
+
              platform is used.
+
 
+
      -h    Display the contents in hexdump
+
 
+
      -s    Display  statistics  on  the  image (unit size, file block size,
+
              and number of fragments).
+
 
+
      -u    Specify the size of the default data unit for raw, dls, and swap
+
              images.
+
 
+
      -i imgtype
+
              Identify  the  type of image file, such as raw or split.  Raw is
+
              the default.
+
 
+
      -o imgoffset
+
              The sector offset where the file system  starts  in  the  image.
+
              Non-512 byte sectors can be specified using ’@’ (32@2048).
+
 
+
      -v    Verbose output to stderr.
+
 
+
      -V    Display version.
+
 
+
      -w    Display the contents in an HTML table format.
+
 
+
      image [images]
+
              One  (or more if split) disk or partition images whose format is
+
              given with ’-i’.
+
 
+
      unit_addr
+
              Address of the disk unit to display.  The size of a unit on this
+
              file system can be determined using the -s option.
+
 
+
      num    Number of data units to display.
+
 
+
      The  basic  functionality of dcat can also be achieved using dd(1).  To
+
      determine which inode has allocated a given unit, the ifind(1)  command
+
      can be used.
+
 
+
EXAMPLES
+
      # dcat -hw image 264 4
+
 
+
      or
+
 
+
      # dcat -hw image 264
+
 
+
SEE ALSO
+
      dd(1), ifind(1)
+
 
+
HISTORY
+
      dcat first appeared in TCTUTILs v1.0 as bcat.
+
 
+
AUTHOR
+
      Brian Carrier <carrier@sleuthkit.org>
+

Latest revision as of 06:48, 4 January 2010

Back to Help Documents

blkcat is used to output the contents of a specific data unit in a file system. It takes a data unit address as input and outputs the contents to STDOUT. It used to be called dcat.