icat opens the named image(s) and copies the file with the specified inode number to standard output. It is a part of The Sleuth Kit (previously known as TASK) (also a part of forensic toolkit in cyborg hawk ) is a collection of UNIX-based command line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown. The volume system (media management) tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT
disks. With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.
icat [-hHsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] inum[-typ[-id]]
-h: Do not display holes in sparse files -r: Recover deleted file -R: Recover deleted file and suppress recovery errors -s: Display slack space at end of file -i imgtype: The format of the image file (use '-i list' for supported types) -b dev_sector_size: The size (in bytes) of the device sectors -f fstype: File system type (use '-f list' for supported types) -o imgoffset: The offset of the file system in the image (in sectors) -v: verbose to stderr -V: Print version icat
cyborg@cyborg:~$ icat -r image.dd 1 File0nidf88rnendn