Jcat
From SleuthKitWiki
Back to Help Documents
jcat
Version 2.09
Purpose
Shows the contents of a journal block in the file system journal. The inode address of the journal can be given or the default location will be used. Note that the block address is a journal block address and not a file system block. The raw output is given to STDOUT.
Usage
jcat [-f fstype ] [-vV] [-i imgtype] [-o imgoffset] image [images] ] [inode] jblk
Options
| Switch | Purpose |
|---|---|
| -f ftype | Specify the file system type. Use -? to get a list of supported types. |
| -i imgtype | Identify the type of image file, such as raw or split. Raw is the default. |
| -o imgoffset | The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using ’@’ (32@2048). |
| -V | Display version |
| -v | verbose output |
| image | One (or more if split) disk or partition images whose format is given with ’-i’. |
| [inode] | The inode where the file system journal can be found. |
| jblk | The journal block to display. |
Example
No example available.
History
jcat first appeared in The Sleuth Kit v1.73.
Author
Brian Carrier <carrier@sleuthkit.org>
