jcat - Show the contents of a block in the file system
journal.
jcat [-f fstype ] [-vV] [-i imgtype] [-o
imgoffset] [-b dev_sector_size] image [images] ] [
inode ] jblk
jcat shows the contents of a journal block in the file
system journal. The inode address of the journal can be given or the default
location will be used. Note that the block address is a journal block
address and not a file system block. The raw output is given to STDOUT.
- -f fstype
- Specify the file system type. Use '-f list' to list the supported file
system types. If not given, autodetection methods are used.
- -i imgtype
- Identify the type of image file, such as raw. Use '-i list' to list the
supported types. If not given, autodetection methods are used.
- -o imgoffset
- The sector offset where the file system starts in the image.
- -b dev_sector_size
- The size, in bytes, of the underlying device sectors. If not given, the
value in the image format is used (if it exists) or 512-bytes is
assumed.
- -V
- Display version
- -v
- verbose output
- image [images]
- The disk or partition image to read, whose format is given with '-i'.
Multiple image file names can be given if the image is split into multiple
segments. If only one image file is given, and its name is the first in a
sequence (e.g., as indicated by ending in '.001'), subsequent image
segments will be included automatically.
- [inode]
- The inode where the file system journal can be found.
- jblk
- The journal block to display.
jcat -f linux-ext3 img.dd 34 | xxd
Brian Carrier <carrier at sleuthkit dot org>
Send documentation updates to <doc-updates at sleuthkit dot
org>