|
|
| (4 intermediate revisions by 2 users not shown) |
| Line 1: |
Line 1: |
| − | Version 2.09 Man Page
| + | Back to [[Help Documents]] |
| | | | |
| − | NAME
| + | blkcat is used to output the contents of a specific [[data unit]] in a file system. It takes a data unit address as input and outputs the contents to STDOUT. It used to be called dcat. |
| − | dcat - Display the contents of disk "chunks" from a forensic image
| + | |
| | | | |
| − | SYNOPSIS
| + | * [http://www.sleuthkit.org/sleuthkit/man/blkcat.html Automatically Updated man Page] |
| − | dcat [-ahswvV] [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset]
| + | |
| − | image [images] unit_addr [num]
| + | |
| − | | + | |
| − | DESCRIPTION
| + | |
| − | dcat displays num data units (default is one) starting at the unit
| + | |
| − | address unit_addr from image to stdout in different formats (default is
| + | |
| − | raw). The image should be created using dd(1).
| + | |
| − | | + | |
| − | The arguments are as follows:
| + | |
| − | | + | |
| − | -a Display the contents in ASCII
| + | |
| − | | + | |
| − | -f Specify image as a specific file type. If ’swap’ is given here,
| + | |
| − | the image will be displayed in pages of size 4096 bytes. If
| + | |
| − | ’raw’ is given, then 512-bytes is used as the default size. The
| + | |
| − | ’-u’ flag can change the default size. Use the -? argument to
| + | |
| − | display supported types. If not given, the default type for the
| + | |
| − | platform is used.
| + | |
| − | | + | |
| − | -h Display the contents in hexdump
| + | |
| − | | + | |
| − | -s Display statistics on the image (unit size, file block size,
| + | |
| − | and number of fragments).
| + | |
| − | | + | |
| − | -u Specify the size of the default data unit for raw, dls, and swap
| + | |
| − | images.
| + | |
| − | | + | |
| − | -i imgtype
| + | |
| − | Identify the type of image file, such as raw or split. Raw is
| + | |
| − | the default.
| + | |
| − | | + | |
| − | -o imgoffset
| + | |
| − | The sector offset where the file system starts in the image.
| + | |
| − | Non-512 byte sectors can be specified using ’@’ (32@2048).
| + | |
| − | | + | |
| − | -v Verbose output to stderr.
| + | |
| − | | + | |
| − | -V Display version.
| + | |
| − | | + | |
| − | -w Display the contents in an HTML table format.
| + | |
| − | | + | |
| − | image [images]
| + | |
| − | One (or more if split) disk or partition images whose format is
| + | |
| − | given with ’-i’.
| + | |
| − | | + | |
| − | unit_addr
| + | |
| − | Address of the disk unit to display. The size of a unit on this
| + | |
| − | file system can be determined using the -s option.
| + | |
| − | | + | |
| − | num Number of data units to display.
| + | |
| − | | + | |
| − | The basic functionality of dcat can also be achieved using dd(1). To
| + | |
| − | determine which inode has allocated a given unit, the ifind(1) command
| + | |
| − | can be used.
| + | |
| − | | + | |
| − | EXAMPLES
| + | |
| − | # dcat -hw image 264 4
| + | |
| − | | + | |
| − | or
| + | |
| − | | + | |
| − | # dcat -hw image 264
| + | |
| − | | + | |
| − | SEE ALSO
| + | |
| − | dd(1), ifind(1)
| + | |
| − | | + | |
| − | HISTORY
| + | |
| − | dcat first appeared in TCTUTILs v1.0 as bcat.
| + | |
| − | | + | |
| − | AUTHOR
| + | |
| − | Brian Carrier <carrier@sleuthkit.org>
| + | |
