1JCAT(1) General Commands Manual JCAT(1)
2
6 jcat - Show the contents of a block in the file system journal.
7
9 jcat [-f fstype ] [-vV] [-i imgtype] [-o imgoffset] [-b dev_sec‐
10 tor_size] image [images] ] [ inode ] jblk
11
14 jcat shows the contents of a journal block in the file system journal.
15 The inode address of the journal can be given or the default location
16 will be used. Note that the block address is a journal block address
17 and not a file system block. The raw output is given to STDOUT.
18
21 -f fstype
22 Specify the file system type. Use '-f list' to list the sup‐
23 ported file system types. If not given, autodetection methods
24 are used.
25 -i imgtype
27 Identify the type of image file, such as raw. Use '-i list' to
28 list the supported types. If not given, autodetection methods
29 are used.
30 -o imgoffset
32 The sector offset where the file system starts in the image.
33 -b dev_sector_size
35 The size, in bytes, of the underlying device sectors. If not
36 given, the value in the image format is used (if it exists) or
37 512-bytes is assumed.
38 -V Display version
40 -v verbose output
42 image [images]
44 The disk or partition image to read, whose format is given with
45 '-i'. Multiple image file names can be given if the image is
46 split into multiple segments. If only one image file is given,
47 and its name is the first in a sequence (e.g., as indicated by
48 ending in '.001'), subsequent image segments will be included
49 automatically.
50 [inode]
52 The inode where the file system journal can be found.
53 jblk The journal block to display.
56
59 jcat -f linux-ext3 img.dd 34 | xxd
60
63 Brian Carrier <carrier at sleuthkit dot org>
64 Send documentation updates to <doc-updates at sleuthkit dot org>
66 JCAT(1)