File: dcat.1

package info (click to toggle)
sleuthkit 2.06-3etch1
  • links: PTS
  • area: main
  • in suites: etch
  • size: 7,128 kB
  • ctags: 5,133
  • sloc: ansic: 41,406; sh: 14,123; perl: 4,745; cpp: 4,297; makefile: 925; python: 29
file content (84 lines) | stat: -rw-r--r-- 2,191 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
 
.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH DCAT 1 "JAN 2005" "User Manuals"
.SH NAME
dcat \- Display the contents of disk "chunks" from a forensic image
.SH SYNOPSIS
.B dcat [-ahswvV] [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset] image [images] unit_addr [num]

.SH DESCRIPTION
.B dcat
displays 
.B num 
data units (default is one) starting at the unit address
.B unit_addr
from
.B image
to stdout in different formats (default is raw).
The image should be created using
.BR dd(1).

The arguments are as follows:
.IP -a
Display the contents in ASCII
.IP -f fstype
Specify image as a specific file type.  If 'swap' is given
here, the image will be displayed in pages of size 4096 bytes.  If 'raw'
is given, then 512-bytes is used as the default size.  The '-u' flag
can change the default size.  Use the
-? argument to display supported types.
If not given, the default type for the platform is used.
.IP -h  
Display the contents in hexdump 
.IP -s
Display statistics on the image (unit size, file block size,  \
and number of fragments).
.IP -u unit_size
Specify the size of the default data unit for raw, dls, and swap 
images.
.IP "-i imgtype"
Identify the type of image file, such as raw or split.  Raw is the default.
.IP "-o imgoffset"
The sector offset where the file system starts in the image.  Non-512 byte
sectors can be specified using '@' (32@2048).
.IP -v
Verbose output to stderr.
.IP -V
Display version.
.IP -w  
Display the contents in an HTML table format.  
.IP "image [images]"
One (or more if split) disk or partition images whose format is given with '-i'.
.IP unit_addr
Address of the disk unit to display.  The size of a unit on this 
file system can be determined using the -s option.  
.IP num 
Number of data units to display.

.PP
The basic functionality of 
.B dcat
can also be achieved using
.BR dd(1).
To determine which inode has allocated
a given unit, the 
.BR ifind(1)
command can be used.

.SH EXAMPLES
# dcat \-hw image 264 4

or 

# dcat \-hw image 264 

.SH "SEE ALSO"
.BR dd (1),
.BR ifind (1)

.SH HISTORY
.BR "dcat" " first appeared in " "TCTUTILs" " v1.0 as " "bcat."

.SH AUTHOR
Brian Carrier <carrier@sleuthkit.org>