icat opens the named image(s) and copies the file with the specified inode number to standard output. It is a part of The Sleuth Kit (previously known as TASK) (also a part of forensic toolkit in cyborg hawk ) is a collection of UNIX-based command  line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive  fashion. Because the tools do not rely on the operating system to process the  file systems, deleted and hidden content is shown. The volume system (media management) tools allow you to examine the layout of  disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions  (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT
disks. With these tools, you can identify where partitions are located and  extract them so that they can be analyzed with file system analysis tools.




icat [-hHsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] inum[-typ[-id]]


        -h: Do not display holes in sparse files
	-r: Recover deleted file
	-R: Recover deleted file and suppress recovery errors
	-s: Display slack space at end of file
	-i imgtype: The format of the image file (use '-i list' for supported types)
	-b dev_sector_size: The size (in bytes) of the device sectors
	-f fstype: File system type (use '-f list' for supported types)
	-o imgoffset: The offset of the file system in the image (in sectors)
	-v: verbose to stderr
	-V: Print version icat 


cyborg@cyborg:~$ icat -r image.dd 1

Leave a reply


We're are building as a community and a team. Be a part of it.


©2018 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?