man dcat (Commandes) - Display the contents of disk "chunks" from a forensic image
NAME
dcat - Display the contents of disk "chunks" from a forensic image
SYNOPSIS
dcat [-ahswvV] [-f fstype] [-u unit_size] [-i imgtype] [-o imgoffset] image [images] unit_addr [num]
DESCRIPTION
dcat displays num data units (default is one) starting at the unit address unit_addr from image to stdout in different formats (default is raw). The image should be created using dd(1).
The arguments are as follows:
- -a
- Display the contents in ASCII
- -f
- Specify image as a specific file type. If 'swap' is given here, the image will be displayed in pages of size 4096 bytes. If 'raw' is given, then 512-bytes is used as the default size. The '-u' flag can change the default size. Use the -? argument to display supported types. If not given, the default type for the platform is used.
- -h
- Display the contents in hexdump
- -s
- Display statistics on the image (unit size, file block size, and number of fragments).
- -u
- Specify the size of the default data unit for raw, dls, and swap images.
- -i imgtype
- Identify the type of image file, such as raw or split. Raw is the default.
- -o imgoffset
- The sector offset where the file system starts in the image. Non-512 byte sectors can be specified using '@' (32@2048).
- -v
- Verbose output to stderr.
- -V
- Display version.
- -w
- Display the contents in an HTML table format.
- image [images]
- One (or more if split) disk or partition images whose format is given with '-i'.
- unit_addr
- Address of the disk unit to display. The size of a unit on this file system can be determined using the -s option.
- num
- Number of data units to display.
The basic functionality of dcat can also be achieved using dd(1). To determine which inode has allocated a given unit, the ifind(1) command can be used.
EXAMPLES
# dcat -hw image 264 4
or
# dcat -hw image 264
SEE ALSO
HISTORY
dcat first appeared in TCTUTILs v1.0 as bcat.
AUTHOR
Brian Carrier <carrier@sleuthkit.org>