icat
Recover file content from disk image
SYNOPSIS
icat [-b blk_size] [-f fstype] [-s sector_size] [-h] [-v] image [images]... inode_num
PARAMETERS
-b blk_size
Specifies the block size of the file system in bytes. This option is rarely needed as icat can usually autodetect the correct block size from the file system metadata.
-f fstype
Specifies the file system type. The default is auto, which attempts to autodetect the type. Alternatively, you can explicitly specify types like ext2, ext3, ntfs, fat, etc., especially if autodetection fails.
-s sector_size
Specifies the sector size of the disk image in bytes. Similar to block size, this is often automatically detected and rarely needs to be set manually.
-h
Displays a brief help message with command usage and exits.
-v
Enables verbose output, providing more detailed information about the processing, errors, and the progress of the file extraction.
image
The path to the disk image file (e.g., .dd, .raw, .E01) or raw block device from which to extract the file. Multiple image files can be specified if the forensic image is split into segments.
inode_num
The inode number of the file whose content is to be extracted. This is a mandatory argument and must be obtained through prior analysis using other TSK tools like fls or ils.
DESCRIPTION
icat (Inode CAT) is a core command-line utility of The Sleuth Kit (TSK), a leading collection of open-source digital forensics tools. Unlike the standard cat command, which displays file contents from a live, mounted file system, icat extracts the raw data stream of a file directly from a disk image, addressed by its inode number rather than by its name.
This capability is indispensable in digital forensic investigations. It allows analysts to recover specific files from damaged, unmounted, or forensically acquired disk images without altering the original evidence. icat supports a wide range of file system types, including ext2, ext3, ext4, NTFS, and FAT. It enables examination of file contents even if metadata like file names or directory structures are corrupted, as long as the inode structure points to valid data blocks. To use icat effectively, a prior analysis (e.g., using fls or ils from TSK) is typically required to determine the target file's inode number.
CAVEATS
icat is a specialized utility included with The Sleuth Kit (TSK) and is not installed by default on most Linux distributions. It must be installed separately (e.g., using your distribution's package manager like apt install sleuthkit or yum install sleuthkit).
It operates exclusively on disk images or raw block devices, not on live, mounted file systems. The inode number, which is crucial for its operation, must typically be obtained beforehand using other TSK tools such as fls (to list file names and their corresponding inode numbers) or ils (to inspect detailed inode information).
OUTPUT REDIRECTION
The extracted file content is sent to standard output (stdout). To save the content to a file, it is essential to redirect the output using shell redirection operators, for example:
icat image.dd 12345 > recovered_document.pdf
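The fls-then-icat workflow described above, as an added example that is not part of the TSK documentation: a small POSIX sh script that picks a file's inode out of fls output (including deleted entries marked "*" and the "(realloc)" suffix), then runs icat with the output redirected to a file and hashes the result. SAMPLE_FLS is a constructed stand-in for "fls -r -p image.dd" output, and the script assumes fls prints a tab between the inode and the name.

```shell
#!/bin/sh
# Added example (not TSK's own code): find an inode in fls output, then
# recover the file with icat. SAMPLE_FLS is constructed, not a real listing.
TAB=$(printf '\t')
SAMPLE_FLS=$(printf 'd/d 11:\tlost+found\nr/r 12:\tdocs/report.pdf\nr/r * 13(realloc):\tdocs/old-notes.txt\nr/r 14:\tdocs/report-final.pdf\n')

# inode_for_path FLS_OUTPUT PATH
# Prints the inode of the entry whose path is exactly PATH, or nothing.
# Handles deleted entries ("*") and the "(realloc)" marker fls appends when
# a deleted name points at an inode that has since been reallocated.
inode_for_path() {
    printf '%s\n' "$1" | awk -F "$TAB" -v want="$2" '
        $2 == want {
            n = $1
            sub(/^[^ ]+ ([*] )?/, "", n)   # drop "r/r " and an optional "* "
            sub(/[(:].*$/, "", n)          # drop "(realloc)" and the ":"
            print n
            exit
        }'
}

# extract_inode IMAGE INODE OUTFILE [FSTYPE]
# icat writes to stdout, so the content only reaches a file via redirection.
# The SHA-256 of the recovered file is printed for the case notes.
extract_inode() {
    image=$1; inode=$2; out=$3; fstype=${4:-auto}
    command -v icat >/dev/null 2>&1 || { echo "icat not installed" >&2; return 1; }
    icat -f "$fstype" "$image" "$inode" > "$out" || return 1
    sha256sum "$out"
}

# Stand-alone usage: ./recover.sh image.dd docs/report.pdf recovered.pdf
if [ $# -ge 3 ]; then
    inode=$(inode_for_path "$(fls -r -p "$1")" "$2")
    [ -n "$inode" ] || { echo "no entry named $2 in $1" >&2; exit 1; }
    extract_inode "$1" "$inode" "$3"
fi
```

Matching on the exact path rather than a bare file name avoids picking up a similarly named entry such as docs/report-final.pdf.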
FORENSIC INDISPENSABILITY
icat is highly valuable in digital forensics because it allows investigators to bypass common obstacles like file system corruption, deleted entries, or broken directory structures. By targeting the inode directly, it can retrieve the raw data associated with a file, often uncovering critical evidence that would otherwise be inaccessible through conventional file system navigation.
HISTORY
icat is a foundational utility within The Sleuth Kit (TSK), a comprehensive suite of open-source command-line tools for digital forensics. TSK was initially developed by Brian Carrier, beginning around 2001, as a successor to The Coroner's Toolkit (TCT). Since its inception, icat has been a vital component of TSK, providing the essential capability to extract file data directly from raw or forensic disk images based on inode references, a critical function for evidence recovery and detailed analysis in forensic investigations.