Jcat

From SleuthKitWiki
Revision as of 08:27, 17 November 2007 by Dhawkins (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Version 2.09 Man Page

NAME 

      jcat - Show the contents of a block in the file system journal.

SYNOPSIS 

      jcat  [-f fstype ] [-vV] [-i imgtype] [-o imgoffset] image [images] ] [
      inode ] jblk

DESCRIPTION 

      jcat shows the contents of a journal block in the file system  journal.
      The  inode  address of the journal can be given or the default location
      will be used.  Note that the block address is a journal  block  address
      and not a file system block.  The raw output is given to STDOUT.

      The options are as follows:

      -f ftype
             Specify the file system type.  Use -? to get a list of supported
             types.

      -i imgtype
             Identify the type of image file, such as raw or split.   Raw  is
             the default.

      -o imgoffset
             The  sector  offset  where  the file system starts in the image.
             Non-512 byte sectors can be specified using ’@’ (32@2048).

      -V     Display version

      -v     verbose output

      image  One (or more if split) disk or partition images whose format  is
             given with ’-i’.

      [inode]
             The inode where the file system journal can be found.

      jblk   The journal block to display.

EXAMPLES 

      jcat -f linux-ext3 img.dd 34 | xxd

SEE ALSO 

      dd, jls

HISTORY 

      jcat first appeared in The Sleuth Kit v1.73.

AUTHOR 

      Brian Carrier <carrier@sleuthkit.org>
Retrieved from "https://wiki.sleuthkit.org/index.php?title=Jcat&oldid=79"