Shujian Yang has written a tool called btrForensics, which can be used for performing Btrfs forensic analysis. Currently the tool has the following capability:
- Browse nodes derived from root tree and print information.
- Browse nodes in filesystem tree and print information.
- List all files in default filesystem tree.
- Explore files and subdirectories in default root directory.
- Switch to a subvolume or snapshot and explore files within.
- Read a file from image and save to current directory.
Check Shujian’s GitHub to learn more about the tool.