jcat shows the contents of a journal block in the file system journal. The inode address of the journal can be given or the default location will be used. Note that the block address is a journal block address and not a file system block. The raw output is given to STDOUT. It is a part of The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown. The volume system (media management) tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT
disks. With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.
jcat [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] image [images] [inode] blk
blk: The journal block to view jcat inode: The file system inode where the journal is located -i imgtype: The format of the image file (use '-i list' for supported types) -b dev_sector_size: The size (in bytes) of the device sectors -f fstype: File system type (use '-f list' for supported types) -o imgoffset: The offset of the file system in the image (in sectors) -v: verbose output to stderr -V: print version jcat
cyborg@cyborg:~$ sudo jcat -v /dev/sdb1 2 tsk_img_open: Type: 0 NumImg: 1 Img1: /dev/sdb1 fsopen: Auto detection mode at offset 0 raw_read: byte offset: 0 len: 65536 raw_read: byte offset: 65536 len: 65536 raw_read: byte offset: 262144 len: 65536 iso9660_open img_info: 19456768 ftype: 2048 test: 1