Sunday, October 18, 2009

Quick shell script to extract the contents of an image

- assuming TSK (The Sleuth Kit) is installed, the image "image.dd" is in the local directory, and a directory "files" exists for the extracts. Change the offset (-o) and file system type (-f) to suit. This particular image was a 1GB FAT16 USB drive image.

# fls -Dr -m / -f fat -o 63 image.dd | grep -v ".Trash" | grep -v "(deleted)" | cut -f 2 -d"|" | while IFS= read -r d; do mkdir -p "files/$d"; done

# fls -Fr -m / -f fat -o 63 image.dd | grep -v ".Trash" | grep -v "(deleted)" | cut -d "|" -f 2,4 | while IFS="|" read -r name inode; do echo "$name|$inode"; icat -o 63 -f fat image.dd "$inode" > "files/$name"; done
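
The same extraction as a small script, added here as an example and not part of the original post: it treats names read from the image as untrusted, keeps names with spaces intact, and skips any path that would land outside the output directory. The names plan_extract, extract_all, sample_body and INODE_FIELD are introduced for this example, and the sample body lines are constructed.

```sh
#!/bin/sh
# Added example, not the post's code. Reads `fls -m` body lines on stdin.
# INODE_FIELD: 4 matches the post's `cut -f 2,4`; TSK 3.x+ body files use 3.
INODE_FIELD=${INODE_FIELD:-4}

# plan_extract: print "inode<TAB>relative/path" for each entry safe to write.
plan_extract() {
    awk -F'|' -v f="$INODE_FIELD" '
        $2 ~ /\(deleted\)/ || $2 ~ /\.Trash/ { next }  # same filters as the post
        {
            name = $2; inode = $f
            sub(/^\/+/, "", name)          # -m / prefixes every name with "/"
            if (name == "" || inode == "") next
            n = split(name, part, "/"); bad = 0
            for (i = 1; i <= n; i++)       # reject traversal and empty components
                if (part[i] == ".." || part[i] == "") bad = 1
            if (bad) { print "skipped unsafe name: " $2 > "/dev/stderr"; next }
            print inode "\t" name
        }'
}

# extract_all IMAGE OFFSET FSTYPE OUTDIR (hypothetical helper; needs TSK)
extract_all() {
    tab=$(printf '\t')
    fls -Fr -m / -f "$3" -o "$2" "$1" | plan_extract |
    while IFS="$tab" read -r inode path; do
        mkdir -p "$4/$(dirname "$path")"
        icat -o "$2" -f "$3" "$1" "$inode" > "$4/$path" </dev/null
    done
}

# Constructed sample in the older body layout (md5|name|dev|inode|...).
sample_body() {
    cat <<'EOF'
0|/My Documents/report 1.doc|0|5|33279|-/-rwxrwxrwx|1|0|0|0|1024|0|0|0|512|0
0|/old.txt (deleted)|0|9|33279|-/-rwxrwxrwx|1|0|0|0|10|0|0|0|512|0
0|/../outside.txt|0|12|33279|-/-rwxrwxrwx|1|0|0|0|10|0|0|0|512|0
0|/.Trash-1000/info|0|14|33279|-/-rwxrwxrwx|1|0|0|0|10|0|0|0|512|0
EOF
}
```

With TSK installed, `extract_all image.dd 63 fat files` performs both steps of the post in one pass; `sample_body | plan_extract` shows which entries would be written without touching an image.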
