jcat man page
jcat — Show the contents of a block in the file system journal.
jcat [-f fstype ] [-vV] [-i imgtype] [-o imgoffset] [-b dev_sector_size] image [images] ] [ inode ] jblk
jcat shows the contents of a journal block in the file system journal. The inode address of the journal can be given or the default location will be used. Note that the block address is a journal block address and not a file system block. The raw output is given to STDOUT.
- -f fstype
Specify the file system type. Use '-f list' to list the supported file system types. If not given, autodetection methods are used.
- -i imgtype
Identify the type of image file, such as raw. Use '-i list' to list the supported types. If not given, autodetection methods are used.
- -o imgoffset
The sector offset where the file system starts in the image.
- -b dev_sector_size
The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512-bytes is assumed.
- image [images]
The disk or partition image to read, whose format is given with '-i'. Multiple image file names can be given if the image is split into multiple segments. If only one image file is given, and its name is the first in a sequence (e.g., as indicated by ending in '.001'), subsequent image segments will be included automatically.
The inode where the file system journal can be found.
The journal block to display.
jcat -f linux-ext3 img.dd 34 | xxd
Brian Carrier <carrier at sleuthkit dot org>
Send documentation updates to <doc-updates at sleuthkit dot org>