Name

Synopsis

Description

Arguments

-a

Display the contents in ASCII

-f fstype

Specify image as a specific file type. If ’swap’ is given here, the image will be displayed in pages of size 4096 bytes. If ’raw’ is given, then 512-bytes is used as the default size. The ’-u’ flag can change the default size. Use ’-f list’ to list the supported file system types. If not given, autodetection methods are used.

-h

Display the contents in hexdump

-s

Display statistics on the image (unit size, file block size, flag and number of fragments).

-u unit_size

Specify the size of the default data unit for raw, blkls, and swap images.

-i imgtype

Identify the type of image file, such as raw. Use ’-i list’ to list the supported types. If not given, autodetection methods are used.

-o imgoffset

The sector offset where the file system starts in the image.

-b dev_sector_size

The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512-bytes is assumed.

-v

Verbose output to stderr.

-V

Display version.

-w

Display the contents in an HTML table format.

image [images]

The disk or partition image to read, whose format is given with ’-i’. Multiple image file names can be given if the image is split into multiple segments. If only one image file is given, and its name is the first in a sequence (e.g., as indicated by ending in ’.001’), subsequent image segments will be included automatically.

unit_addr

Address of the disk unit to display. The size of a unit on this file system can be determined using the -s option.

num

Number of data units to display.

The basic functionality of blkcat can also be achieved using dd. To determine which inode has allocated a given unit, the ifind(1) command can be used.

Examples

or

# blkcat -hw image 264

See Also

Author

Send documentation updates to <doc-updates at sleuthkit dot org>

Table of Contents

• Name
• Synopsis
• Description
• Arguments
• Examples
• See Also
• Author