Here is a variety of information regarding icat, including commands
and code to use it to recover a deleted file. I hope you find it
useful. Thank you for your generous tip on my previous answer.
Sincerely,
Wonko
icat, which copies a file by inode number, is part of the grave-robber
module of The Coroner's Toolkit. Grave-robber is the main data
gathering program. icat can be run by itself; alternatively, it is
invoked by grave-robber, along with many other modules, when
grave-robber is run.
One of the directories created after running grave-robber is described in the source as follows:
"removed_but_running/ This directory contains all deleted files that
were still open or running when the grave-robber ran. (Done by a
combination of ils & icat)."
"The Coroner's Toolkit" by Noel, August 3, 2000, RootPrompt.org
http://rootprompt.org/article.php3?article=738
icat lists information about inodes and their contents. The command
icat device inode displays the contents of allocated blocks for the
inode.
"Tools" http://www.net.ohio-state.edu/security/talks/2001/2001-08_forensic-computer-investigations/slides/06-tools.ppt
Here is a list of icat commands from the manual for The Coroner's
Toolkit: "ICAT" http://staff.washington.edu/dittrich/talks/blackhat/tct/man/man1/icat.1.html
"Freeware Forensics Tools for Unix" by Derek Cheng, SecurityFocus,
November 1, 2001 http://www.securityfocus.com/printable/infocus/1503
provides a procedure for "Working with the Disk Image" to collect data
using grave-robber, including icat (see Step 3). This appears to be
the set of commands that you need. icat needs the inode numbers of
deleted files, which ils provides, in order to function.
"1. Use grave-robber to collect information from the disk image.
# cd /usr/local/tct-1.07/bin
# ./grave-robber -c /mnt/forensics/root -o LINUX2 -MivVt
-M: Performs an MD5sum of all files and collects inode MACtimes
-i: Collects inode information from unallocated portions of the image
-v: Performs in verbose mode
-V: Gathers the major and minor numbers from /dev
-t: Gathers trust information
The results are stored in /usr/local/tct-1.07/data/host.domain, where
host.domain is the fully qualified domain name of your system.
2. Use ils to list inode information and collect inodes of deleted files.
# cd /usr/local/tct-1.07/bin
# ./ils -rf ext2fs /image/dev_hda1.img
-r: Lists inode numbers of deleted files
-f ext2fs: Declares you are working with the Linux file system
3. Use icat to copy files by inode number (particularly the inode
number of a deleted file).
# cd /usr/local/tct-1.07/bin
# ./icat -hf ext2fs /image/dev_hda1.img [an inode number from the ils
-rf command in Step 2 (the referenced web page has Step 4, but I think
that is erroneous because the ils -rf command is used in Step 2)]
-h: Skips over any holes in the file
-f ext2fs: Declares that you are working with the Linux file system
To recover all of the deleted files on the image into /tmp/deleted
# mkdir /tmp/deleted
# cd /usr/local/tct-1.07/bin
# ./ils -rf ext2fs /image/dev_hda1.img | awk -F '|' '($2=="f") {print $1}' |
while read i; do /usr/local/tct-1.07/bin/icat /image/dev_hda1.img $i >
/tmp/deleted/$i; done
(Credit for this code goes to Thomas Roessler,
<http://project.honeynet.org/scans/scan15/proj/t/>.)
4. Use file to classify and determine the file types of recovered files.
# cd /usr/local/tct-1.07/bin
# ./file /tmp/deleted/*
5. Use unrm to collect all of the unallocated disk space of a
partition. Note: Never collect the output on the same file system that
you are analyzing, otherwise you will write over your own data.
# cd /usr/local/tct-1.07/bin
# ./unrm /image/dev_hda1.img > hda1_unrm.results
6. Use lazarus to analyze the raw data collected from unrm and
attempt to classify what type of data it contains. Note: Depending on
the size of the file, lazarus can take many hours to complete.
# cd /usr/local/tct-1.07/bin
# ./lazarus -h /image/hda_unrm.results
-h: Produces an HTML report
The output is stored in two directories, a www directory and a blocks
directory. The HTML file created is called
hda_unrm.results.frame.html.
7. Using mactime, we can determine which files have been Modified,
Accessed, or Created (MAC) during a specified time window.
To create a file system timeline activity report for all files
starting from the MACtime of 4/01/2001:
# cd /usr/local/tct-1.07/bin
# ./grave-robber -m /mnt/forensics/root
# ./mactime 4/01/2001 | less
-m: Collects MACtimes"
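As an added example (not code from the SecurityFocus article, from Thomas Roessler's one-liner, or from The Coroner's Toolkit itself), the following POSIX shell script packages the Step 2 and Step 3 work above: it parses the pipe-separated output of ils -r, keeps only the inodes marked free ("f" in the st_alloc column), and hands each one to icat, writing the result to an output directory that the caller must place on a different file system from the one under analysis (the warning given under Step 5). The sample ils output is constructed for the demonstration; the host name, inode numbers, timestamps and block numbers are invented, the column layout (three header lines, then one record per inode with st_alloc in field 2) is assumed to match TCT's ils, and /mnt/evidence/deleted is a placeholder path. The script assumes the TCT bin directory is on PATH.

```shell
#!/bin/sh
# Added example: recover deleted files from an image by parsing `ils -r`
# output and handing each free inode to `icat`. Not part of the original
# answer, the SecurityFocus article, or TCT.

# Constructed sample of `ils -rf ext2fs /image/dev_hda1.img` output.
# Host name, inode numbers, times and block numbers are invented; the
# layout (three header lines, then pipe-separated records with st_alloc
# in field 2) is assumed to match TCT's ils.
SAMPLE_ILS='class|host|device|start_time
ils|lab.example|/image/dev_hda1.img|986083200
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
16389|f|0|0|986080000|986080000|986080010|986080010|100644|0|2048|65|66
16390|a|500|500|986070000|986070000|986070000|0|100755|1|9216|70|71
16392|f|0|0|986081000|986081000|986081100|986081100|100600|0|0|0|0'

# Read ils output on stdin; print the inode number of every free ("f")
# entry, one per line. Header lines never carry "f" in field 2, so the
# filter skips them without any special casing.
deleted_inodes() {
    awk -F '|' '$2 == "f" { print $1 }'
}

# Same filter, but takes the ils text as an argument and returns one
# space-separated line, which is convenient for checks and shell loops.
deleted_inode_list() {
    printf '%s\n' "$1" | deleted_inodes | tr '\n' ' ' | sed 's/ $//'
}

# Number of deleted inodes in the given ils text.
count_deleted() {
    printf '%s\n' "$1" | deleted_inodes | wc -l | tr -d ' '
}

# Recover every deleted inode of IMAGE into OUTDIR, one file per inode,
# with the same icat call as the article's Step 3. OUTDIR must live on a
# different file system from the one being examined (Step 5's note), so
# it is a required argument rather than defaulting to /tmp. FSTYPE
# defaults to ext2fs as in the article.
recover_deleted() {
    image=$1
    outdir=$2
    fstype=${3:-ext2fs}
    command -v ils >/dev/null 2>&1 && command -v icat >/dev/null 2>&1 || {
        echo "ils/icat not found; add the TCT bin directory to PATH" >&2
        return 1
    }
    mkdir -p "$outdir" || return 1
    ils -rf "$fstype" "$image" | deleted_inodes | while read -r ino; do
        # -h skips holes instead of emitting them as null blocks, as in
        # the article's Step 3; drop it to preserve absolute offsets.
        icat -hf "$fstype" "$image" "$ino" > "$outdir/$ino"
    done
}

# Stand-alone demonstration on the constructed sample; no image needed.
echo "deleted inodes in sample: $(deleted_inode_list "$SAMPLE_ILS")"

# With a real image and TCT on PATH the call looks like this (the image
# path is the article's example; the output path is a placeholder):
# recover_deleted /image/dev_hda1.img /mnt/evidence/deleted ext2fs
```

Because the awk filter tests field 2 for exactly "f", the three header lines of ils output and any allocated ("a") inodes are dropped without needing to count lines, which is also why the original one-liner works unchanged when ils prints its headers.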