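#!/usr/bin/perl
#
# idcat -- dump block contents (or just the block addresses if -a option set)
# of blocks referenced in an indirect block
#
# Requires dcat utility from The Sleuthkit (www.sleuthkit.org)
# Be sure to set $DCAT variable below to the appropriate path name...
#
# NOTE: Assumes little-endian byte order by default.  If you're using
# this on a big-endian machine, use the -B option.
#
# Hal Pomeranz (hal@deer-run.com), 12/8/2008
#
use strict;
use warnings;
use Getopt::Std;

our ($opt_a, $opt_B);

# Path to the Sleuthkit dcat binary; adjust for your installation.
my $DCAT = '/usr/bin/dcat';

# Print usage and exit; called on bad options or a missing block number.
sub usage {
    die "Usage: $0 [-a] [-B] device block\n";
}

getopts('aB') || usage();
my $show_addrs = $opt_a;
my $big_endian = $opt_B;

my $device = shift(@ARGV);
my $block  = shift(@ARGV);
usage() unless ($block);

# List-form pipe open: $device and $block come straight from the command
# line and must never be handed to a shell.  The interpolated
# "$DCAT -h $device $block |" form let shell metacharacters in either
# argument run arbitrary commands as the (typically root) forensic user.
open(my $dcat, '-|', $DCAT, '-h', $device, $block)
    || die "Failed to run '$DCAT -h $device $block': $!\n";

# Each hexdump line from dcat -h is split on whitespace; fields 1..4 are
# taken as four 32-bit words, each holding one block address.
ADDR: while (my $line = <$dcat>) {
    my @addrs = (split(' ', $line))[1, 2, 3, 4];
    for my $word (@addrs) {
        # A missing field (short line) is treated as a zero address below,
        # which ends the scan exactly as an explicit zero entry does.
        $word = '0' unless defined $word;

        # Byte-swap the hex word unless the image is big-endian.
        $word =~ s/(\w\w)(\w\w)(\w\w)(\w\w)/$4$3$2$1/ unless ($big_endian);
        my $val = hex($word);

        # A zero address marks the end of the indirect block's entries.
        unless ($val) {
            print "\n" if ($show_addrs);
            last ADDR;
        }

        if ($show_addrs) {
            print "$val ";
        }
        else {
            # List-form system(): no shell, so $device cannot inject commands.
            system($DCAT, $device, $val) == 0
                or warn "'$DCAT $device $val' failed: $?\n";
        }
    }
    # When only listing addresses, break the line after every second
    # input line (eight addresses).
    print "\n" if ($show_addrs && !($. % 2));
}
close($dcat) or warn "close of dcat pipe failed: $!\n";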