linux 浏览ext4文件系统并定位已删除的文件

toiithl6  于 2023-03-22  发布在  Linux
关注(0)|答案(1)|浏览(145)

列出已删除的文件并访问已删除文件的数据。
我试图读取文件系统块的块,但它显示的分区大小为0。
下面是我的python代码

import os

BLOCK_SIZE = 4096  
DELETED_FILE_SIGNATURE = b'\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0' 
def list_deleted_files(partition_path):
    deleted_files = []

    partition_size = os.stat(partition_path).st_size

    with open(partition_path, 'rb') as f:

        num_blocks = partition_size // BLOCK_SIZE
        print(num_blocks)

        for block_number in range(num_blocks):
            block_data = f.read(BLOCK_SIZE)

            if DELETED_FILE_SIGNATURE in block_data:
                file_offset = block_data.index(DELETED_FILE_SIGNATURE)

                path_start = block_data.rfind(b'\0', 0, file_offset) + 1
                path_end = block_data.index(b'\0', file_offset)
                path = block_data[path_start:path_end].decode('utf-8')

                deleted_files.append(path)

    return deleted_files

partition_path = '/dev/nvme0n1p6'
deleted_files = list_deleted_files(partition_path)
print(deleted_files)

输出显示块数为0。
如何正确读取分区?
另一种方法

import os

partition_path = '/dev/nvme0n1p6'

for root, dirs, files in os.walk(partition_path):

for file in files:
    file_path = os.path.join(root, file)
    
    if os.path.islink(file_path) and not os.path.exists(file_path):
        print(f"Deleted file found: {file_path}")

但它以for循环的0次迭代结束

linux

1条答案

按热度按时间
bfrts1fy

bfrts1fy1#

不应该使用os.stat,而应该使用os.statvfs

>>> os.stat('/dev/dm-2')
os.stat_result(st_mode=25008, st_ino=432, st_dev=5, st_nlink=1, st_uid=0, st_gid=995,
               st_size=0, st_atime=1679205488, st_mtime=1678984617, st_ctime=1678984617)

>>> os.statvfs('/dev/dm-2')
os.statvfs_result(f_bsize=4096, f_frsize=4096, f_blocks=4046122, f_bfree=4046122,
                  f_bavail=4046122, f_files=4046122, f_ffree=4045412, f_favail=4045412,
                  f_flag=4098, f_namemax=255)

您可以使用f_blocksf_bsize读取分区。
这与命令行相同:

[...]$ stat /dev/dm-2
  File: /dev/dm-2
  Size: 0           Blocks: 0          IO Block: 4096   block special file
Device: 0,5 Inode: 432         Links: 1     Device type: 254,2
Access: (0660/brw-rw----)  Uid: (    0/    root)   Gid: (  995/    disk)
Access: 2023-03-19 06:58:08.718548364 +0100
Modify: 2023-03-16 17:36:57.311148772 +0100
Change: 2023-03-16 17:36:57.311148772 +0100
 Birth: 2023-03-16 17:36:53.131148947 +0100

[...]$ stat -f /dev/dm-2
  File: "/dev/dm-2"
    ID: 33d19ee4e765d8c4 Namelen: 255     Type: tmpfs
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 4046122    Free: 4046122    Available: 4046122
Inodes: Total: 4046122    Free: 4045412
赞(0)分享  回复(0)举报  2023-03-22
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com