search for: blkcat

blkcat allows to extract files given their data units (clusters for NTFS, fragments for ExtX). This API allows to recover files which icat cannot. For example icat often fails retrieving deleted files on Ext3/Ext4 filesystems. As this API works at data unit level, some garbage at the beginning or at the...

The blkls API downloads on the host a range of unallocated blocks on the virtual disk image. This allows to recover deleted data on filesystems where icat fails. Example: guestfish --ro -a /home/noxdafox/ubuntu.qcow2 ><fs> run ><fs> mount /dev/sda1 / ><fs> write /test.txt "$foo$bar$" ><fs> rm /test.txt ><fs> umount / ><fs> blkls

...refix all the forensics APIs with tsk_ as TSK (The Sleuth Kit) is the main tool used for implementing them. Other option could be giving generic names allowing us to change underlying tools without the need of deprecating the old APIs. Examples so far: * icat * tsk_icat * download_inode * blkcat * tsk_blkcat * download_blocks * blkls * tsk_blkls * download_unused_blocks * ffind * tsk_ffind * find_inode ... If we come to some final decision before the next stable release, I'll be glad to rename all the functions accordingly. Signed-off-by: Matteo Cafasso <noxda...

The filesystem_walk API parses the FS internals of a partition and returns a list of all the files and directories contained within. It list deleted files and directories as well. For each node, it reports its relative path, its inode and its allocation status. This is the end user API for inspecting a disk partition content. The command can handle filenames with special characters. Example

The filesystem_walk0 API parses the FS internals of a partition and returns a list of all the files and directories contained within. It list deleted files and directories as well. For each node, it reports its relative path, its inode and its allocation status. The output is serialised in XDR format and written to the given file. The command is similar to The Sleuth Kit "fls -rp