jcat man page

jcat — Show the contents of a block in the file system journal.

Synopsis

jcat [-f fstype ] [-vV] [-i imgtype] [-o imgoffset] [-b dev_sector_size] image [images] ] [ inode ] jblk

Description

jcat shows the contents of a journal block in the file system journal.  The  inode address of the journal can be given or the default location will be used.  Note that the block address is a journal block address and not a file system block.  The raw output is given to STDOUT.

Arguments

-f fstype

Specify the file system type. Use '-f list' to list the supported file system types. If not given, autodetection methods are used.

-i imgtype

Identify the type of image file, such as raw. Use '-i list' to list the supported types. If not given, autodetection methods are used.

-o imgoffset

The sector offset where the file system starts in the image.  

-b dev_sector_size

The size, in bytes, of the underlying device sectors.  If not given, the value in the image format is used (if it exists) or 512-bytes is assumed.

-V

Display version

-v

verbose output

image [images]

The disk or partition image to read, whose format is given with '-i'. Multiple image file names can be given if the image is split into multiple segments. If only one image file is given, and its name is the first in a sequence (e.g., as indicated by ending in '.001'), subsequent image segments will be included automatically.

[inode]

The inode where the file system journal can be found.

jblk

The journal block to display.  

Examples

jcat -f linux-ext3 img.dd 34 | xxd

Author

Brian Carrier <carrier at sleuthkit dot org>

Send documentation updates to <doc-updates at sleuthkit dot org>