Loopinfility
Reputation: 33
Browse an ext4 filesystem and locate deleted files
List the deleted files and access the data of deleted files.
I'm trying to read the file system block by block, but it showing the partition size 0.
Here is my python code
import os
BLOCK_SIZE = 4096
DELETED_FILE_SIGNATURE = b'\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'
def list_deleted_files(partition_path):
deleted_files = []
partition_size = os.stat(partition_path).st_size
with open(partition_path, 'rb') as f:
num_blocks = partition_size // BLOCK_SIZE
print(num_blocks)
for block_number in range(num_blocks):
block_data = f.read(BLOCK_SIZE)
if DELETED_FILE_SIGNATURE in block_data:
file_offset = block_data.index(DELETED_FILE_SIGNATURE)
path_start = block_data.rfind(b'\0', 0, file_offset) + 1
path_end = block_data.index(b'\0', file_offset)
path = block_data[path_start:path_end].decode('utf-8')
deleted_files.append(path)
return deleted_files
partition_path = '/dev/nvme0n1p6'
deleted_files = list_deleted_files(partition_path)
print(deleted_files)
Output showing that number blocks is 0.
How to read partition correctly ?
Another method
import os
partition_path = '/dev/nvme0n1p6'
for root, dirs, files in os.walk(partition_path):
for file in files:
file_path = os.path.join(root, file)
if os.path.islink(file_path) and not os.path.exists(file_path):
print(f"Deleted file found: {file_path}")
But it ended with 0 iterations of for loop
Upvotes: 0
Views: 326
Answers (1)
Corralien
Reputation: 120409
You should not use os.stat but os.statvfs.
>>> os.stat('/dev/dm-2')
os.stat_result(st_mode=25008, st_ino=432, st_dev=5, st_nlink=1, st_uid=0, st_gid=995,
st_size=0, st_atime=1679205488, st_mtime=1678984617, st_ctime=1678984617)
>>> os.statvfs('/dev/dm-2')
os.statvfs_result(f_bsize=4096, f_frsize=4096, f_blocks=4046122, f_bfree=4046122,
f_bavail=4046122, f_files=4046122, f_ffree=4045412, f_favail=4045412,
f_flag=4098, f_namemax=255)
You can use f_blocks and f_bsize to read the partition.
This is the same for command line:
[...]$ stat /dev/dm-2
File: /dev/dm-2
Size: 0 Blocks: 0 IO Block: 4096 block special file
Device: 0,5 Inode: 432 Links: 1 Device type: 254,2
Access: (0660/brw-rw----) Uid: ( 0/ root) Gid: ( 995/ disk)
Access: 2023-03-19 06:58:08.718548364 +0100
Modify: 2023-03-16 17:36:57.311148772 +0100
Change: 2023-03-16 17:36:57.311148772 +0100
Birth: 2023-03-16 17:36:53.131148947 +0100
[...]$ stat -f /dev/dm-2
File: "/dev/dm-2"
ID: 33d19ee4e765d8c4 Namelen: 255 Type: tmpfs
Block size: 4096 Fundamental block size: 4096
Blocks: Total: 4046122 Free: 4046122 Available: 4046122
Inodes: Total: 4046122 Free: 4045412
Upvotes: 0
Related Questions
- How to recursively find and list the latest modified files in a directory with subdirectories and times
- How can I recursively find all files in current and subfolders based on wildcard matching?
- how to load my own data or online dataset in python for training CNN or autoencoder?
- Problem in list specific files with python
- Find files by creation/modification date then moving to another dir in Python
- changing data in list on button press