Table of Contents
jcat - Show the contents of a block in the file system journal.
jcat
[-f fstype ] [-vV] [-i imgtype] [-o imgoffset] image [images] ] [ inode ] jblk
jcat shows the contents of a journal block in the file system
journal. The inode address of the journal can be given or the default
location will be used. Note that the block address is a journal block address
and not a file system block. The raw output is given to STDOUT.
- -f
fstype
- Specify the file system type. Use ’-f list’ to list the supported file
system types. If not given, autodetection methods are used.
- -i imgtype
- Identify
the type of image file, such as raw or split. Use ’-i list’ to list the supported
types. If not given, autodetection methods are used.
- -o imgoffset
- The sector
offset where the file system starts in the image. Non-512 byte sectors can
be specified using ’@’ (32@2048).
- -V
- Display version
- -v
- verbose output
- image
- One
(or more if split) disk or partition images whose format is given with
’-i’.
- [inode]
- The inode where the file system journal can be found.
- jblk
- The
journal block to display.
jcat -f linux-ext3 img.dd 34 | xxd
Brian
Carrier <carrier at sleuthkit dot org>
Table of Contents