Table of Contents
jcat - Show the contents of a block in the file system journal.
jcat
[-f fstype ] [-vV] [-i imgtype] [-o imgoffset] [-b dev_sector_size] image [images]
] [ inode ] jblk
jcat shows the contents of a journal block
in the file system journal. The inode address of the journal can be given
or the default location will be used. Note that the block address is a
journal block address and not a file system block. The raw output is given
to STDOUT.
- -f fstype
- Specify the file system type. Use ’-f list’ to
list the supported file system types. If not given, autodetection methods
are used.
- -i imgtype
- Identify the type of image file, such as raw. Use ’-i list’
to list the supported types. If not given, autodetection methods are used.
- -o imgoffset
- The sector offset where the file system starts in the image.
- -b dev_sector_size
- The size, in bytes, of the underlying device sectors.
If not given, the value in the image format is used (if it exists) or
512-bytes is assumed.
- -V
- Display version
- -v
- verbose output
- image [images]
- The
disk or partition image to read, whose format is given with ’-i’. Multiple
image file names can be given if the image is split into multiple segments.
If only one image file is given, and its name is the first in a sequence
(e.g., as indicated by ending in ’.001’), subsequent image segments will be
included automatically.
- [inode]
- The inode where the file system journal can
be found.
- jblk
- The journal block to display.
jcat -f linux-ext3
img.dd 34 | xxd
Brian Carrier <carrier at sleuthkit dot org>
Send documentation
updates to <doc-updates at sleuthkit dot org>
Table of Contents