jnavarro.net

things i should not forget, and that, eventually, could interest people

RVT: new functions for extracting clusters


Two new RVT functions have been implemented, to be released in v0.2:

  • cluster extract raw <cluster> <partition>
  • cluster extract ascii <cluster> <partition>

Both extract one cluster from the specified partition: the first in raw format (like a direct dd), the second printing only printable (ascii) bytes and translating the rest to dots. The second also applies a hard wrap of the lines at 75 characters. The output is quite similar to that obtained with Autopsy.

Both commands accept the <cluster> argument either as a single number (the cluster) or as two numbers separated by a comma, the first being the cluster and the second the number of clusters to extract (defaults to 1).

For example, the following command extracts clusters 2 and 3 of partition 100101-01-1-p02:

RVT  > cluster extract ascii 2,2 100101-01-1-p02
-----------------------------------------------------------------
100101-01-1-p02, 2,2

.W..Y..[..].._..a!.cA.ea.g..i..k..m..o..q!.sA.ua.w..y..{..}......!..A..a...
..............!..A..a.................!..A..a.................!..A..a......
...........!..A..a.................!..A..a.................!..A..a.........
........!..A..a............... ." .B .b .. .. .. .. ..!."!.B!.b!..!..!..!..
!.."!""#B"%b"'.")."+."-."/.#1"#3B#5b#7.#9.#;.#=.#?.$A"$CB$Eb$G.$I.$K.$M.$O.
%Q"%SB%Ub%W.%Y.%[.%].%_.&a"&cB&eb&g.&i.&k.&m.&o.'q"'sB'ub'w.'y.'{.'}.'..(."
(.B(.b(..(..(..(..(..).").B).b)..)..)..)..)..*."*.B*.b*..*..*..*..*..+."+.B
+.b+..+..+..+..+....."..B..b...............-."-.B-.b-..-..-..-..-....."..B..b
.............../."/.B/.b/../../../../..0.#0.C0.c0..0..0..0..0..1.#1.C1.c1..
1..1..1..1..2!#2#C2%c2'.2).2+.2-.2/.31#33C35c37.39.3;.3=.3?.4A#4CC4Ec4G.4I.
4K.4M.4O.5Q#5SC5Uc5W.5Y.5[.5].5_.6a#6cC6ec6g.6i.6k.6m.6o.7q#7sC7uc7w.7y.7{.
7}.7..8.#8.C8.c8..8..8..8..8..9.#9.C9.c9..9..9..9..9..:.#:.C:.c:..:..:..:..
:..;.#;.C;.c;..;..;..;..;..<.#<.C<.c<..<..<..<..<..=.#=.C=.c=..=..=..=..=..
>.#>.C>.c>..>..>..>..>..?.#?.C?.c?..?..?..?..?..@
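To make the behaviour of the two commands concrete, here is an added Python script that mimics them over a partition image. It is not RVT's own code: it assumes the partition is available as a flat file (or as bytes), that clusters are numbered from 0 at the start of the partition, that the cluster size is passed in explicitly (RVT takes it from the filesystem), and that "printable" means ASCII 0x20 to 0x7E; the sample partition it ships with is constructed inline. The <cluster> argument is parsed with the same "N" or "N,count" syntax described above, and the ascii mode reproduces the dot substitution and the 75-column hard wrap, so a two-cluster extraction comes out as the same 13 full lines plus a 49-character tail seen in the dump above.

```python
# Added example, not part of RVT: reproduces the behaviour of
# "cluster extract raw|ascii <cluster> <partition>" over a partition image.
# Assumptions: the partition is a flat file or bytes object, clusters are
# numbered from 0 at the start of the partition, and the cluster size is
# passed in explicitly (RVT obtains it from the filesystem metadata).


def parse_cluster_arg(arg):
    """'2' -> (2, 1) and '2,2' -> (2, 2): first cluster and how many (default 1)."""
    parts = arg.split(",")
    if len(parts) == 1:
        return int(parts[0]), 1
    if len(parts) == 2:
        return int(parts[0]), int(parts[1])
    raise ValueError("expected <cluster> or <cluster>,<count>")


def extract_raw(source, cluster, count=1, cluster_size=512):
    """Return `count` consecutive clusters starting at `cluster`: the same bytes
    a direct dd with bs=cluster_size skip=cluster count=count would produce.
    `source` is either a bytes object or an open binary file (seek/read is used
    so a large partition image is never read whole into memory)."""
    if cluster < 0 or count < 1:
        raise ValueError("cluster must be >= 0 and count >= 1")
    start = cluster * cluster_size
    length = count * cluster_size
    if hasattr(source, "seek"):
        source.seek(start)
        data = source.read(length)
    else:
        data = source[start:start + length]
    if len(data) != length:
        raise ValueError("requested clusters run past the end of the partition")
    return data


def to_ascii(data, width=75):
    """Keep printable ASCII (0x20-0x7E), turn every other byte into '.', then
    hard-wrap at `width` columns, as the ascii mode does."""
    text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


def extract_ascii(source, arg, cluster_size=512, width=75):
    """Equivalent of 'cluster extract ascii <cluster> <partition>'."""
    cluster, count = parse_cluster_arg(arg)
    return to_ascii(extract_raw(source, cluster, count, cluster_size), width)


# Constructed sample partition of four 512-byte clusters (not a real image).
SAMPLE_IMAGE = (
    bytes(512)                                  # cluster 0: all NUL
    + b"A" * 512                                # cluster 1: filler
    + b"hello\x00world\n".ljust(512, b"\xff")   # cluster 2: text plus padding
    + bytes(range(256)) * 2                     # cluster 3: every byte value
)

if __name__ == "__main__":
    # Same request as the session above: clusters 2 and 3 in ascii form.
    print(extract_ascii(SAMPLE_IMAGE, "2,2"))
```

Running it prints 14 lines: the text of cluster 2 with its NUL, newline and 0xff padding shown as dots, followed by cluster 3, in which only the 95 bytes from space to tilde survive the dot substitution. Passing an open file object instead of `SAMPLE_IMAGE` reads just the requested clusters from a real partition image.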


Written by dervitx

4 May 2009 at 19:37

Posted in digital forensics, Revealer Toolkit
