LinuxCommandLibrary

icat

Copy a file's content out of a disk image by its inode (metadata address)

SYNOPSIS

icat [-hrRsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] inode

PARAMETERS

-h
    Skip over holes in sparse files; the output is smaller but absolute block positions are lost

-r
    Recover a deleted file; only effective on some filesystems (NTFS and FAT)

-R
    Recover a deleted file and suppress recovery errors

-s
    Include slack space (the unused tail of the last block) in the output

-v
    Verbose output to stderr

-V
    Print version

-f fstype
    Force the filesystem type (e.g. ntfs, fat, ext4; `icat -f list` prints the supported types); autodetected if omitted

-i imgtype
    Image format (e.g. raw, ewf, aff; `icat -i list` prints the supported formats); autodetected if omitted

-b dev_sector_size
    Sector size of the underlying device in bytes; defaults to the value stored in the image format, else 512

-o imgoffset
    Offset, in sectors (not bytes), from the start of the image to the start of the filesystem (default: 0); take it from mmls(1)

image [images]
    Disk or partition image file(s); for a split image list every segment in order

inode
    Metadata address of the file to copy. On NTFS it may be given as inode-type-id (e.g. 5-128-1) to select one attribute, such as a named $DATA stream

DESCRIPTION

icat is a command-line tool from The Sleuth Kit (TSK), a core utility in disk forensics. It opens a disk image, partition image or raw device, reads the metadata entry at the given address (an inode, MFT entry or directory-entry address, depending on the filesystem), follows that entry's block pointers or data runs and writes the file's content to standard output. Because it reads the image itself, mount state, file permissions and the operating system's view of the volume do not matter.

This makes it useful for pulling files out of an image without mounting it, and for recovering deleted files whose metadata entry still points at its former blocks. Output goes to stdout, so redirect it (> file) or pipe it into other tools. TSK supports FAT, exFAT, NTFS, Ext2/3/4, UFS, HFS+ and others, with autodetection or a manual -f override.

Common workflow: mmls to find the partition's start sector (passed with -o), fls to find the metadata address, istat for the metadata, then icat for the data. Options handle split images, image formats (raw, E01, AFF), sector offsets, slack space and sparse files. Verbose mode assists debugging. icat writes only the file's data blocks; names, timestamps, ownership and other attributes are not preserved, so record them separately with istat.

Suited to investigations and incident response: it produces a byte-accurate copy of the file content without writing to the image, which can then be hashed (e.g. sha256sum) for integrity verification. It is not a carving tool: it depends on the filesystem metadata, so once an inode has been reused or its block pointers cleared the content has to be found by block-level carving instead.

CAVEATS

Requires the metadata address, usually from fls(1) or ils(1); outputs raw content only, with no name, timestamps or attributes. -o is measured in sectors, not bytes. Deleted content is only recoverable while the inode still references its old blocks, and -r/-R only help on NTFS and FAT; an entry fls marks "(realloc)" now belongs to another file. Work on a read-only copy of the image and verify its hash before and after. Running against a live device is possible but should be done read-only and with care.

BASIC EXAMPLE

icat image.dd 123 > file.txt
Extracts inode 123 to file.txt

FIND INODE FIRST

fls -r -p image.dd | grep filename
Lists entries with their metadata addresses; -r recurses, -p prints full paths, -d lists deleted entries only, and -o <sector> selects a partition inside a whole-disk image
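The helpers below are an added example, not part of The Sleuth Kit or its man page. They tie the mmls, fls and icat steps together in POSIX sh: a parser for fls -r -p output that returns an entry's metadata address and whether fls marked it deleted or reallocated, a parser for mmls output that returns a partition's start sector for -o, and a function that composes the icat command line. The fls and mmls text they run on is constructed sample output, not from a real image; the image name disk.dd and the output paths are placeholders.

```shell
# Added example (not part of The Sleuth Kit or its man page): POSIX sh helpers
# for the mmls -> fls -> icat workflow. The sample_* functions return
# constructed output; on a real image replace them with the real commands.

# Constructed output of `fls -r -p image.dd`: allocated entries, two deleted
# entries (marked "*"; "(realloc)" means the inode has since been reused for
# another file) and one NTFS-style address of the form inode-type-id.
sample_fls() {
    printf 'd/d 11:\tlost+found\n'
    printf 'r/r 12:\tetc/passwd\n'
    printf 'r/r * 17:\thome/alice/.bash_history\n'
    printf 'r/r * 18(realloc):\thome/alice/notes.txt\n'
    printf 'r/r 35-128-3:\tUsers/bob/secret.docx\n'
}

# Constructed output of `mmls image.dd` for a DOS partition table.
sample_mmls() {
    printf 'DOS Partition Table\nOffset Sector: 0\nUnits are in 512-byte sectors\n\n'
    printf '      Slot      Start        End          Length       Description\n'
    printf '000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)\n'
    printf '001:  -------   0000000000   0000002047   0000002048   Unallocated\n'
    printf '002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)\n'
    printf '003:  000:001   0000206848   0002097151   0001890304   NTFS / exFAT (0x07)\n'
}

# fls_inode PATH: read an fls -p listing on stdin and print the metadata
# address of PATH (nothing if PATH is not listed). Splits on the tab fls puts
# between address and name, so names with spaces are fine, and strips the
# "*" marker, the "(realloc)" suffix and the trailing colon.
fls_inode() {
    awk -v want="$1" '
        BEGIN { FS = "\t" }
        $2 == want {
            n = split($1, f, " ")
            addr = f[n]
            sub(/\(realloc\)/, "", addr)
            sub(/:$/, "", addr)
            print addr
            exit
        }'
}

# fls_state PATH: print "allocated", "deleted" or "realloc" for PATH.
# A "realloc" entry's inode now belongs to another file, so icat on that
# address returns the new owner's content, not the deleted file's.
fls_state() {
    awk -v want="$1" '
        BEGIN { FS = "\t" }
        $2 == want {
            if ($1 ~ /\(realloc\)/) print "realloc"
            else if ($1 ~ /^[^ ]+ \* /) print "deleted"
            else print "allocated"
            exit
        }'
}

# mmls_start PATTERN: read mmls output on stdin and print the start sector of
# the first partition whose Description matches PATTERN, leading zeros
# stripped. mmls reports sectors, which is the unit icat -o expects.
mmls_start() {
    awk -v pat="$1" '
        $1 ~ /^[0-9]+:$/ && NF >= 6 {
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            if (desc ~ pat) { printf "%d\n", $3; exit }
        }'
}

# icat_cmd IMAGE START INODE OUT: print the icat command line for one file.
# -o is in sectors; add -b only when the device sector size is not 512.
icat_cmd() {
    printf 'icat -o %s %s %s > %s\n' "$2" "$1" "$3" "$4"
}

# Demonstration against the constructed samples: locate the Linux partition,
# then print the icat command for each file of interest. On a real image,
# run the printed commands and hash the results (sha256sum) right away.
start=$(sample_mmls | mmls_start 'Linux')
for p in etc/passwd home/alice/.bash_history home/alice/notes.txt; do
    ino=$(sample_fls | fls_inode "$p")
    echo "# $p: inode $ino ($(sample_fls | fls_state "$p"))"
    icat_cmd disk.dd "$start" "$ino" "recovered/$(basename "$p")"
done
```

On a real image the pipeline is `start=$(mmls disk.dd | mmls_start Linux)` followed by `fls -r -p -o "$start" disk.dd | fls_inode etc/passwd`; the composed command can be piped to sh once the output directory exists. The state check matters: for a "realloc" entry icat will happily return data, but it is the reallocating file's data, and the deleted file's content has to be carved from unallocated blocks instead.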

HISTORY

icat originated in The Coroner's Toolkit (TCT) by Dan Farmer and Wietse Venema. Brian Carrier carried it into The Sleuth Kit (TSK), which superseded TCT and his TCTUTILS add-on in the early 2000s and remains actively maintained for forensic analysis.

SEE ALSO

fls(1), ils(1), istat(1), ffind(1), mmls(1), blkcat(1), blkls(1), tsk_recover(1), dd(1)
