Environment
Virtual machine running CentOS 7, with a 4 GB TF (microSD) card attached.
Partitioning: fdisk /dev/sdc
Formatting: mkfs.ext4 /dev/sdc1
Partition information
[wang@localhost ~]$ sudo fdisk -l /dev/sdc
磁盘 /dev/sdc:3965 MB, 3965190144 字节,7744512 个扇区
Units = 扇区 of 1 * 512 = 512 bytes
扇区大小(逻辑/物理):512 字节 / 512 字节
I/O 大小(最小/最佳):512 字节 / 512 字节
磁盘标签类型:dos
磁盘标识符:0x4d43b1b8
设备 Boot Start End Blocks Id System
/dev/sdc1 2048 7744511 3871232 83 Linux
(the Blocks column counts 1024-byte units, so 3871232 blocks = 3871232 KB)
Viewed on the Linux board, whose fdisk comes from BusyBox:
BusyBox v1.19.4 (2018-12-13 21:07:08 GMT-8) multi-call binary.
Disk /dev/sde: 3965 MB, 3965190144 bytes
106 heads, 30 sectors/track, 2435 cylinders
Units = cylinders of 3180 * 512 = 1628160 bytes
Device Boot Start End Blocks Id System
/dev/sde1 1 2436 3871232 83 Linux
Printed this way the Start/End numbers look wrong at first glance; how do they correspond to the VM's output? The only difference is the unit fdisk uses for Start and End.
The VM's fdisk shows sectors by default:
-u[=<单位>] 显示单位:“cylinders”(柱面)或“sectors”(扇区,默认)
The board's BusyBox fdisk shows cylinders by default; add -u to switch to sectors:
-u Start and End are in sectors (instead of cylinders)
Disk /dev/sdd: 3965 MB, 3965190144 bytes
106 heads, 30 sectors/track, 2435 cylinders, total 7744512 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
/dev/sdd1 2048 7744511 3871232 83 Linux
Locating the primary superblock
The partition starts at sector 2048, i.e. at a physical offset of 1 MB (2048 × 512 bytes). Dump from there; the primary superblock occupies bytes 1024-2047 of the partition:
[wang@localhost ~]$ sudo dd if=/dev/sdc bs=512 skip=2048 | hexdump -C -n 2048
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400 e0 b2 03 00 80 c4 0e 00 06 bd 00 00 40 3a 0e 00 |............@:..|
00000410 d5 b2 03 00 00 00 00 00 02 00 00 00 02 00 00 00 |................|
00000420 00 80 00 00 00 80 00 00 90 1f 00 00 00 00 00 00 |................|
00000430 77 d6 21 5c 00 00 ff ff [53 ef]01 00 01 00 00 00 |w.!\....S.......|
00000440 77 d6 21 5c 00 00 00 00 00 00 00 00 01 00 00 00 |w.!\............|
00000450 00 00 00 00 0b 00 00 00 00 01 00 00 3c 00 00 00 |............<...|
00000460 c2 02 00 00 7b 00 00 00 fd 5b 3c 7f c0 a0 41 8a |....{....[<...A.|
00000470 8a a1 fe 2c 6f 90 ef da 00 00 00 00 00 00 00 00 |...,o...........|
00000480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
The ext4 superblock carries a magic number, __le16 s_magic = 0xEF53, at offset 0x38; stored little-endian it appears as the bytes 53 ef at 0x438 in the dump above (0x400 + 0x38).
Cross-check with dumpe2fs:
[wang@localhost ~]$ sudo dumpe2fs -h /dev/sdc1
Filesystem magic number: 0xEF53
Filesystem UUID: fd5b3c7f-c0a0-418a-8aa1-fe2c6f90efda
First block: 0
Block size: 4096
First inode: 11
Inode size: 256
Journal inode: 8
Default directory hash: half_md4
Directory Hash Seed: a4f8d7e7-ee8c-4c4d-b90d-45cc6336d573
Journal backup: inode blocks
Journal features: (none)
日志大小: 64M
Journal length: 16384
Journal sequence: 0x00000001
Journal start: 0
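As an added example (not part of the original notes), here is a small Python decoder for the superblock bytes dumped above. The bytes are constructed from the page's own hexdump of /dev/sdc (the 0x400-0x47f region) and zero-padded; the field offsets are those of struct ext4_super_block in the kernel. Decoding them reproduces the dumpe2fs -h values, which is the check worth doing before trusting any offset computed by hand from a dump. The helper names (parse_superblock, superblock_byte_offset) are my own.

```python
"""Decode an ext4 superblock from raw bytes and cross-check it with dumpe2fs -h.
Added example; field offsets follow struct ext4_super_block (fs/ext4/ext4.h)."""
import struct
import uuid

SECTOR_SIZE = 512
EXT4_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024  # the primary superblock starts 1024 bytes into the partition

# Constructed from the page's hexdump of /dev/sdc (sector 2048), bytes 0x400-0x47f.
# Only these 0x80 bytes are shown on the page; the rest is zero-padded to 1024 bytes.
SUPERBLOCK = bytes.fromhex(
    "e0b2030080c40e0006bd0000403a0e00"  # 0x400: inodes, blocks, reserved, free blocks
    "d5b20300000000000200000002000000"  # 0x410: free inodes, first data block, log sizes
    "0080000000800000901f000000000000"  # 0x420: blocks/clusters/inodes per group
    "77d6215c0000ffff53ef010001000000"  # 0x430: wtime, mount counts, MAGIC 53 ef, state
    "77d6215c000000000000000001000000"  # 0x440: lastcheck, interval, creator OS, rev level
    "000000000b000000000100003c000000"  # 0x450: resuid/resgid, first_ino, inode_size
    "c20200007b000000fd5b3c7fc0a0418a"  # 0x460: incompat, ro_compat, uuid[0:8]
    "8aa1fe2c6f90efda0000000000000000"  # 0x470: uuid[8:16]
).ljust(1024, b"\0")


def superblock_byte_offset(partition_start_sector: int) -> int:
    """Absolute byte offset of the primary superblock on the whole device."""
    return partition_start_sector * SECTOR_SIZE + SUPERBLOCK_OFFSET


def parse_superblock(sb: bytes) -> dict:
    """Decode the fields needed to navigate the filesystem; all are little-endian."""
    if len(sb) < 0x78:
        raise ValueError("need at least 0x78 bytes of superblock")
    (inodes_count, blocks_count_lo, _reserved, free_blocks_lo,
     free_inodes, first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0x00)
    blocks_per_group, _clusters_per_group, inodes_per_group = struct.unpack_from("<3I", sb, 0x20)
    _mnt_count, _max_mnt_count, magic, state = struct.unpack_from("<4H", sb, 0x34)
    if magic != EXT4_SUPER_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}: not an ext2/3/4 superblock")
    (rev_level,) = struct.unpack_from("<I", sb, 0x4C)
    first_ino, inode_size = struct.unpack_from("<IH", sb, 0x54)
    if rev_level == 0:                  # revision 0 has fixed 128-byte inodes
        first_ino, inode_size = 11, 128
    return {
        "magic": magic,
        "state": state,                 # 1 = cleanly unmounted
        "block_size": 1024 << log_block_size,
        "blocks_count": blocks_count_lo,
        "inodes_count": inodes_count,
        "free_blocks": free_blocks_lo,
        "free_inodes": free_inodes,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "first_ino": first_ino,
        "inode_size": inode_size,
        "uuid": str(uuid.UUID(bytes=sb[0x68:0x78])),
    }


if __name__ == "__main__":
    for key, value in parse_superblock(SUPERBLOCK).items():
        print(f"{key:>18}: {value}")
    print("superblock of the 4 GB card sits at device byte", superblock_byte_offset(2048))
```

With 7 × 32-bit fields packed from offset 0, the values come out exactly as dumpe2fs reports them: block size 4096, inode size 256, first inode 11, 8080 inodes per group, and the same UUID. Feeding it a block whose bytes 0x38-0x39 are not 53 ef raises, which is the quickest way to notice a wrong skip= value.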
Block group information (the per-group section of the dumpe2fs output):
Group 0: (Blocks 0-32767)
Checksum 0x2c75, unused inodes 8069
主 superblock at 0, Group descriptors at 1-1
保留的GDT块位于 2-473
Block bitmap at 474 (+474), Inode bitmap at 490 (+490)
Inode表位于 506-1010 (+506)
24176 free blocks, 8069 free inodes, 2 directories, 8069个未使用的inodes
可用块数: 8592-32767
可用inode数: 12-8080
So group 0's inode table starts at block 506, and inodes 12-8080 (the free ones) are stored there.
Locating the journal and the inode table
This filesystem has a block size of 4 KB and an inode size of 256 bytes.
So inode 8 (the journal inode) sits at offset (8-1) × 256 B = 0x700 within the inode table.
Dump the inode table with the following command and look at the 256 bytes starting at 0x700:
[wang@localhost ~]$ sudo dd if=/dev/sdc1 bs=4096 skip=506 | hexdump -Cv -n 2048
00000700 80 81 00 00 00 00 00 04 77 d6 21 5c 77 d6 21 5c |........w.!\w.!\|
00000710 77 d6 21 5c 00 00 00 00 00 00 01 00 00 00 02 00 |w.!\............|
00000720 00 00 08 00 00 00 00 00 [0a f3]01 00 04 00 00 00 |................|
00000730 00 00 00 00 00 00 00 00 [00 40]00 00[00 80 06 00] |.........@......|
00000740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000780 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
extent header magic == 0a f3 == 0xF30A (little-endian; i_block starts at inode offset 0x28, i.e. 0x728 in the dump)
extent length (ee_len) == 00 40 == 0x4000 == 16384 blocks × 4 KB == 64 MB, matching "Journal length: 16384" above
start block (ee_start_lo) == 00 80 06 00 == 0x00068000 == 425984; byte offset 425984 × 4 KB == 0x68000000
Dump the journal contents:
sudo dd if=/dev/sdc1 bs=4096 skip=425984 | hexdump -Cv -n 2048
00000000 c0 3b 39 98 00 00 00 04 00 00 00 00 00 00 10 00 |.;9.............|
00000010 00 00 40 00 00 00 00 01 00 00 00 01 00 00 00 00 |..@.............|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 fd 5b 3c 7f c0 a0 41 8a 8a a1 fe 2c 6f 90 ef da |.[<...A....,o...|
00000040 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
magic == c0 3b 39 98 == JBD2 magic 0xC03B3998 (journal fields are big-endian)
block type == 00 00 00 04 == journal superblock v2
Locating the file contents
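The journal superblock uses the opposite byte order from everything else on the page, which is easy to get wrong when reading dumps by hand. As an added example (not part of the original notes), the decoder below takes the bytes constructed from the page's dump of block 425984 and decodes the JBD2 header and superblock fields big-endian; the layout is that of struct journal_superblock_s. The function and constant names are my own.

```python
"""Decode the JBD2 journal superblock found in the journal inode's first block.
Added example; unlike the ext4 superblock, every JBD2 field is big-endian
(layout: struct journal_superblock_s in include/linux/jbd2.h)."""
import struct
import uuid

JBD2_MAGIC = 0xC03B3998
BLOCK_TYPES = {1: "descriptor", 2: "commit", 3: "superblock v1",
               4: "superblock v2", 5: "revoke"}

# Constructed from the page's hexdump of block 425984 of /dev/sdc1 (bytes 0x00-0x4f);
# the page shows only zeros beyond 0x50, so the rest is zero-padded.
JOURNAL_SB = bytes.fromhex(
    "c03b3998000000040000000000001000"  # h_magic, h_blocktype = 4, h_sequence, s_blocksize
    "00004000000000010000000100000000"  # s_maxlen, s_first, s_sequence, s_start
    "00000000000000000000000000000000"  # s_errno, feature_compat/incompat/ro_compat
    "fd5b3c7fc0a0418a8aa1fe2c6f90efda"  # s_uuid (same as the filesystem UUID)
    "00000001000000000000000000000000"  # s_nr_users, s_dynsuper, ...
).ljust(4096, b"\0")


def journal_byte_offset(start_block: int, block_size: int) -> int:
    """Byte offset of the journal's first block, from the extent found in inode 8."""
    return start_block * block_size


def parse_journal_superblock(raw: bytes) -> dict:
    if len(raw) < 0x44:
        raise ValueError("need at least 0x44 bytes of journal superblock")
    magic, blocktype, _h_sequence = struct.unpack_from(">3I", raw, 0x00)
    if magic != JBD2_MAGIC:
        raise ValueError(f"bad JBD2 magic 0x{magic:08x}")
    blocksize, maxlen, first, sequence, start, errno = struct.unpack_from(">6I", raw, 0x0C)
    (nr_users,) = struct.unpack_from(">I", raw, 0x40)
    return {
        "magic": magic,
        "block_type": BLOCK_TYPES.get(blocktype, f"unknown ({blocktype})"),
        "block_size": blocksize,
        "max_len": maxlen,        # journal length in blocks
        "first": first,           # first usable log block (block 0 holds this superblock)
        "sequence": sequence,     # sequence number of the oldest transaction expected
        "start": start,           # 0 means the journal is empty: nothing to replay
        "errno": errno,
        "nr_users": nr_users,
        "uuid": str(uuid.UUID(bytes=raw[0x30:0x40])),
        "needs_recovery": start != 0,
    }


if __name__ == "__main__":
    for key, value in parse_journal_superblock(JOURNAL_SB).items():
        print(f"{key:>15}: {value}")
    print("journal starts at partition byte", hex(journal_byte_offset(425984, 4096)))
```

The decoded s_maxlen (16384) and s_sequence (1) match "Journal length" and "Journal sequence" in the dumpe2fs output, and s_start == 0 confirms the journal is empty, so there are no transactions to replay on this image.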
[wang@localhost ~]$ sudo mount -t ext4 /dev/sdc1 aa
/dev/sdc1 on /home/wang/aa type ext4 (rw,relatime,seclabel,data=ordered)
echo "hello world" > file1.txt
[wang@localhost aa]$ ls -lih
总用量 20K
12 -rw-rw-r--. 1 wang wang 12 12月 25 15:51 file1.txt
11 drwx------. 2 root root 16K 12月 25 15:04 lost+found
Find the inode:
Inode 12 sits at offset (12-1) × 256 B = 0xB00 within the inode table.
Dump the inode table with the following command and take the 256 bytes at 0xB00:
sudo dd if=/dev/sdc1 bs=4096 skip=506 | hexdump -Cv -n 4096
00000b00 b4 81 ea 03 0c 00 00 00 98 e1 21 5c 98 e1 21 5c |..........!\..!\|
00000b10 98 e1 21 5c 00 00 00 00 ea 03 01 00 08 00 00 00 |..!\............|
00000b20 00 00 08 00 01 00 00 00 0a f3 01 00 04 00 00 00 |................|
00000b30 00 00 00 00 00 00 00 00 01 00 00 00 da 81 00 00 |................|
00000b40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000b50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000b60 00 00 00 00 06 3d d2 eb 00 00 00 00 00 00 00 00 |.....=..........|
00000b70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
blocks in the extent (ee_len) == 01 00 == 1
data block (ee_start_lo) == da 81 00 00 == 0x000081da == 33242
[wang@localhost aa]$ sudo dd if=/dev/sdc1 bs=4096 skip=33242 | hexdump -Cv -n 1024
00000000 68 65 6c 6c 6f 20 77 6f 72 6c 64 0a 00 00 00 00 |hello world.....|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Locating the file name (the directory entry)
[wang@localhost aa]$ ls -liha
总用量 32K
2 drwxrwxrwx. 3 root root 4.0K 12月 25 15:51 .
68569753 drwx------. 15 wang wang 4.0K 12月 25 15:50 ..
12 -rw-rw-r--. 1 wang wang 12 12月 25 15:51 file1.txt
11 drwx------. 2 root root 16K 12月 25 15:04 lost+found
Find the inode:
Inode 2 (the root directory) sits at offset (2-1) × 256 B = 0x100 within the inode table.
Dump the inode table with the following command and take the 256 bytes at 0x100:
sudo dd if=/dev/sdc1 bs=4096 skip=506 | hexdump -Cv -n 1024
00000100 ff 41 00 00 00 10 00 00 9e e1 21 5c 98 e1 21 5c |.A........!\..!\|
00000110 98 e1 21 5c 00 00 00 00 00 00 03 00 08 00 00 00 |..!\............|
00000120 00 00 08 00 01 00 00 00 0a f3 01 00 04 00 00 00 |................|
00000130 00 00 00 00 00 00 00 00 01 00 00 00 8a 21 00 00 |.............!..|
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
root directory data block (ee_start_lo) == 8a 21 00 00 == 0x218a == 8586
sudo dd if=/dev/sdc1 bs=4096 skip=8586 | hexdump -Cv -n 1024
00000000 02 00 00 00 0c 00 01 02 2e 00 00 00 02 00 00 00 |................|
00000010 0c 00 02 02 2e 2e 00 00 0b 00 00 00 14 00 0a 02 |................|
00000020 6c 6f 73 74 2b 66 6f 75 6e 64 00 00 0c 00 00 00 |lost+found......|
00000030 d4 0f 09 01 66 69 6c 65 31 2e 74 78 74 00 00 00 |....file1.txt...|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
So the names of all entries in a directory are stored together in that directory's data block [confirmed].
Symbolic links
[wang@localhost aa]$ ln -s file1.txt l_file1
[wang@localhost aa]$ ls -lih
总用量 20K
12 -rw-rw-r--. 1 wang wang 12 12月 25 15:51 file1.txt
13 lrwxrwxrwx. 1 wang wang 9 12月 25 16:42 l_file1 -> file1.txt
11 drwx----
The link's name has been added to the directory block:
[wang@localhost aa]$ sudo dd if=/dev/sdc1 bs=4096 skip=8586 | hexdump -Cv -n 1024
00000000 02 00 00 00 0c 00 01 02 2e 00 00 00 02 00 00 00 |................|
00000010 0c 00 02 02 2e 2e 00 00 0b 00 00 00 14 00 0a 02 |................|
00000020 6c 6f 73 74 2b 66 6f 75 6e 64 00 00 0c 00 00 00 |lost+found......|
00000030 14 00 09 01 66 69 6c 65 31 2e 74 78 74 00 00 00 |....file1.txt...|
00000040 0d 00 00 00 c0 0f 07 07 6c 5f 66 69 6c 65 31 00 |........l_file1.|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Find the inode:
Inode 13 sits at offset (13-1) × 256 B = 0xC00 within the inode table.
Dump the inode table with the following command and take the 256 bytes at 0xC00:
sudo dd if=/dev/sdc1 bs=4096 skip=506 | hexdump -Cv -n 4096
00000c00 ff a1 ea 03 09 00 00 00 8a ed 21 5c 88 ed 21 5c |..........!\..!\|
00000c10 88 ed 21 5c 00 00 00 00 ea 03 01 00 00 00 00 00 |..!\............|
00000c20 00 00 00 00 01 00 00 00 66 69 6c 65 31 2e 74 78 |........file1.tx|
00000c30 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |t...............|
00000c40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000c50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000c60 00 00 00 00 09 3d d2 eb 00 00 00 00 00 00 00 00 |.....=..........|
00000c70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
How does this map to the actual target file? (Note that the target path file1.txt appears in the dump at 0xC28, inside the inode's i_block area.)
Filesystem analysis after deleting a file
[wang@localhost aa]$ rm -rf file1.txt
[wang@localhost aa]$ ls -lih
总用量 16K
13 lrwxrwxrwx. 1 wang wang 9 12月 25 16:42 l_file1 -> file1.txt
11 drwx------. 2 root root 16K 12月 25 15:04 lost+found
Deleting a file is the reverse of creating one: roughly, find the file's inode, modify it, and free the inode number and the data blocks.
The root directory's extent still holds the same content (the file1.txt name is still in place):
[wang@localhost aa]$ sudo dd if=/dev/sdc1 bs=4096 skip=8586 | hexdump -Cv -n 1024
00000000 02 00 00 00 0c 00 01 02 2e 00 00 00 02 00 00 00 |................|
00000010 0c 00 02 02 2e 2e 00 00 0b 00 00 00 28 00 0a 02 |............(...|
00000020 6c 6f 73 74 2b 66 6f 75 6e 64 00 00 0c 00 00 00 |lost+found......|
00000030 14 00 09 01 66 69 6c 65 31 2e 74 78 74 00 00 00 |....file1.txt...|
00000040 0d 00 00 00 c0 0f 07 07 6c 5f 66 69 6c 65 31 00 |........l_file1.|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
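As an added example (not part of the original notes), the Python below walks the root directory block the way the kernel does and then looks inside each record's slack space. The two blocks are constructed from the page's dumps of block 8586 before and after the rm: comparing them byte by byte, the only change is that the lost+found record's rec_len grew from 0x14 to 0x28, so the walk now steps straight from lost+found to l_file1 and the file1.txt record is simply skipped, not wiped. The struct layout is ext4_dir_entry_2 (inode, rec_len, name_len, file_type, name); the function names are my own.

```python
"""Walk ext4 directory entries (struct ext4_dir_entry_2) and recover records
that unlink() hid by extending the previous record's rec_len. Added example;
both blocks are constructed from the page's dumps of root-directory block 8586."""
import struct
from typing import List, NamedTuple

FILE_TYPES = {0: "unknown", 1: "regular", 2: "directory", 3: "chardev",
              4: "blockdev", 5: "fifo", 6: "socket", 7: "symlink"}


class DirEntry(NamedTuple):
    offset: int
    inode: int
    rec_len: int
    name_len: int
    file_type: str
    name: str


def _block(lines) -> bytes:
    """Hex lines from the page's hexdump, zero-padded to one 4 KB block."""
    return bytes.fromhex("".join(lines)).ljust(4096, b"\0")


DIR_BLOCK_BEFORE = _block([
    "020000000c0001022e00000002000000",  # "." (inode 2, rec_len 12); ".." begins
    "0c0002022e2e00000b00000014000a02",  # ".." (inode 2); lost+found (inode 11, rec_len 0x14)
    "6c6f73742b666f756e6400000c000000",  # "lost+found"; file1.txt begins (inode 12)
    "1400090166696c65312e747874000000",  # rec_len 0x14, name_len 9, type 1, "file1.txt"
    "0d000000c00f07076c5f66696c653100",  # l_file1 (inode 13, rec_len 0xfc0, type 7)
])
DIR_BLOCK_AFTER = _block([               # after rm: only lost+found's rec_len changed
    "020000000c0001022e00000002000000",
    "0c0002022e2e00000b00000028000a02",  # rec_len 0x14 -> 0x28 now covers file1.txt
    "6c6f73742b666f756e6400000c000000",
    "1400090166696c65312e747874000000",  # the old record is still here, just unreachable
    "0d000000c00f07076c5f66696c653100",
])


def _min_rec_len(name_len: int) -> int:
    """Smallest record holding a name of name_len: 8-byte header, 4-byte aligned."""
    return (8 + name_len + 3) & ~3


def _entry_at(block: bytes, off: int):
    inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
    return inode, rec_len, name_len, ftype, block[off + 8: off + 8 + name_len]


def walk_directory(block: bytes) -> List[DirEntry]:
    """Follow the rec_len chain exactly as the kernel does: live entries only."""
    entries, off = [], 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, ftype, name = _entry_at(block, off)
        if rec_len < 8 or rec_len % 4 or off + rec_len > len(block):
            break                                  # corrupt chain or end of data
        if inode != 0:                             # inode 0 marks an unused slot
            entries.append(DirEntry(off, inode, rec_len, name_len,
                                    FILE_TYPES.get(ftype, str(ftype)), name.decode("latin-1")))
        off += rec_len
    return entries


def find_unlinked_entries(block: bytes) -> List[DirEntry]:
    """Scan the slack inside each live record for entries the chain skips over."""
    ghosts = []
    for live in walk_directory(block):
        pos, end = live.offset + _min_rec_len(live.name_len), live.offset + live.rec_len
        while pos + 8 <= end:
            inode, rec_len, name_len, ftype, name = _entry_at(block, pos)
            plausible = (inode != 0 and name_len > 0 and len(name) == name_len
                         and rec_len >= _min_rec_len(name_len)
                         and all(32 <= b < 127 for b in name))
            if not plausible:
                break
            ghosts.append(DirEntry(pos, inode, rec_len, name_len,
                                   FILE_TYPES.get(ftype, str(ftype)), name.decode("ascii")))
            pos += _min_rec_len(name_len)
    return ghosts


if __name__ == "__main__":
    print("live after rm:  ", [e.name for e in walk_directory(DIR_BLOCK_AFTER)])
    print("hidden after rm:", [(e.name, e.inode) for e in find_unlinked_entries(DIR_BLOCK_AFTER)])
```

On the post-rm block the live walk returns ., .., lost+found and l_file1, while the slack scan still recovers file1.txt with inode number 12, which is exactly the handle needed to go back to the inode table and, from there, to data block 33242. The plausibility test (non-zero inode, printable name, consistent lengths) keeps the scan from reporting leftover zeros as entries.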
The file contents are still there; only the blocks the original extent occupied have been released:
[wang@localhost aa]$ sudo dd if=/dev/sdc1 bs=4096 skip=33242 | hexdump -Cv -n 1024
00000000 68 65 6c 6c 6f 20 77 6f 72 6c 64 0a 00 00 00 00 |hello world.....|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
file1.txt's inode has been reclaimed: its block count and block address have been reset:
[wang@localhost aa]$ sudo dd if=/dev/sdc1 bs=4096 skip=506 | hexdump -Cv -n 4096
00000b00 b4 81 ea 03 00 00 00 00 64 ed 21 5c f1 ef 21 5c |........d.!\..!\|
00000b10 f1 ef 21 5c f1 ef 21 5c ea 03 00 00 00 00 00 00 |..!\..!\........|
00000b20 00 00 08 00 01 00 00 00 0a f3 00 00 04 00 00 00 |................|
00000b30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000b40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000b50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000b60 00 00 00 00 06 3d d2 eb 00 00 00 00 00 00 00 00 |.....=..........|
00000b70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
In other words, deleting a file really just updates the file's entry in the inode table: the inode and its blocks are marked free, but the data itself stays on disk. That is why deletion is fast, and why recovery should be fairly easy as long as nothing has been written afterwards.
Extension
An 8 GB card in the VM:
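Every inode dump on this page (the journal inode 8, file1.txt's inode 12, the symlink inode 13, and inode 12 again after the rm) was decoded by hand above. As an added example (not part of the original notes), here is one Python decoder that handles all four: it computes the inode's position in the table, parses the fixed fields of struct ext4_inode, walks a depth-0 extent tree in i_block, and, for a symlink with no blocks, reads the target path inline from i_block, which is what answers the question of how l_file1 points to file1.txt. The bytes are constructed from the page's dumps (first 0x40 bytes of each inode, zero-padded); the function names are my own.

```python
"""Decode an ext4 inode from the raw inode table: mode, size, link count, the
extent tree in i_block (depth-0 trees only, which is all the page shows), the
inline target of a fast symlink, and the dtime/links fingerprint of a deleted
inode. Added example; field offsets follow struct ext4_inode (fs/ext4/ext4.h)."""
import struct

EXT4_EXTENTS_FL = 0x80000
EXT4_EXT_MAGIC = 0xF30A
BLOCK_SIZE = 4096
INODE_SIZE = 256
INODE_TABLE_BLOCK = 506      # group 0 inode table of the 4 GB card (from dumpe2fs)


def _inode(lines) -> bytes:  # first 0x40 bytes from the page's dumps, zero-padded
    return bytes.fromhex("".join(lines)).ljust(INODE_SIZE, b"\0")


INODE_8 = _inode([           # journal inode (dump offset 0x700)
    "808100000000000477d6215c77d6215c", "77d6215c000000000000010000000200",
    "00000800000000000af3010004000000", "00000000000000000040000000800600"])
INODE_12 = _inode([          # file1.txt (dump offset 0xb00)
    "b481ea030c00000098e1215c98e1215c", "98e1215c00000000ea03010008000000",
    "00000800010000000af3010004000000", "000000000000000001000000da810000"])
INODE_13 = _inode([          # l_file1 -> file1.txt (dump offset 0xc00)
    "ffa1ea03090000008aed215c88ed215c", "88ed215c00000000ea03010000000000",
    "000000000100000066696c65312e7478", "74000000000000000000000000000000"])
INODE_12_DELETED = _inode([  # file1.txt after rm (dump offset 0xb00)
    "b481ea030000000064ed215cf1ef215c", "f1ef215cf1ef215cea03000000000000",
    "00000800010000000af3000004000000", "00000000000000000000000000000000"])


def inode_offset_in_table(ino: int, inode_size: int = INODE_SIZE) -> int:
    """Offset of inode number ino inside its group's inode table (inodes count from 1)."""
    return (ino - 1) * inode_size


def inode_byte_offset(ino: int, table_block: int = INODE_TABLE_BLOCK,
                      block_size: int = BLOCK_SIZE, inode_size: int = INODE_SIZE) -> int:
    """Byte offset of the inode from the start of the partition (group 0 only here)."""
    return table_block * block_size + inode_offset_in_table(ino, inode_size)


def parse_inode(raw: bytes, block_size: int = BLOCK_SIZE) -> dict:
    (mode, uid, size_lo, _atime, _ctime, _mtime, dtime, gid, links,
     blocks_lo, flags) = struct.unpack_from("<HHIIIIIHHII", raw, 0)
    i_block = raw[0x28:0x64]                 # 60 bytes: extent tree or inline data
    kind = {0x8000: "regular", 0x4000: "directory",
            0xA000: "symlink"}.get(mode & 0xF000, "other")
    extents, target = [], None
    if flags & EXT4_EXTENTS_FL:
        magic, entries, _max, depth = struct.unpack_from("<4H", i_block, 0)
        if magic != EXT4_EXT_MAGIC:
            raise ValueError(f"bad extent header magic 0x{magic:04x}")
        if depth != 0:
            raise NotImplementedError("extent index nodes live in separate blocks")
        for i in range(entries):             # struct ext4_extent, 12 bytes each
            ee_block, ee_len, hi, lo = struct.unpack_from("<IHHI", i_block, 12 + 12 * i)
            extents.append((ee_block, ee_len, (hi << 32) | lo))
    elif kind == "symlink" and blocks_lo == 0 and size_lo < len(i_block):
        target = i_block[:size_lo].decode()  # fast symlink: path stored inline
    return {
        "type": kind,
        "perms": mode & 0o7777,
        "uid": uid, "gid": gid,
        "size": size_lo,
        "links": links,
        "blocks_512": blocks_lo,             # i_blocks counts 512-byte units
        "dtime": dtime,
        "deleted": dtime != 0 and links == 0,
        "extents": extents,                  # (logical block, length, physical start)
        "data_byte_offsets": [start * block_size for _, _, start in extents],
        "symlink_target": target,
    }


if __name__ == "__main__":
    for name, raw in (("inode 8", INODE_8), ("inode 12", INODE_12),
                      ("inode 13", INODE_13), ("inode 12 after rm", INODE_12_DELETED)):
        print(name, parse_inode(raw))
```

For the deleted inode the decoder reports links == 0, size 0, a non-zero dtime and an extent header with zero entries: the 64 MB journal and the 12-byte file are found purely from the extent records, while the symlink has no extents flag and no blocks, so its 9-byte target is read straight out of i_block.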
[wang@localhost ~]$ sudo fdisk -l /dev/sdc
磁盘 /dev/sdc:8002 MB, 8002732032 字节,15630336 个扇区
Units = 扇区 of 1 * 512 = 512 bytes
扇区大小(逻辑/物理):512 字节 / 512 字节
I/O 大小(最小/最佳):512 字节 / 512 字节
磁盘标签类型:dos
磁盘标识符:0x00000000
设备 Boot Start End Blocks Id System
/dev/sdc1 62 15620279 7810109 83 Linux
Look for the ext4 magic 53 ef (this partition starts at sector 62):
[wang@localhost ~]$ sudo dd if=/dev/sdc bs=512 skip=62 | hexdump -C -n 2048
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400 c0 74 07 00 0f cb 1d 00 5a 7d 01 00 6e c9 05 00 |.t......Z}..n...|
00000410 1d 72 07 00 00 00 00 00 02 00 00 00 02 00 00 00 |.r..............|
00000420 00 80 00 00 00 80 00 00 d0 1f 00 00 8e 16 22 5c |.............."\|
00000430 8e 16 22 5c 0a 00 ff ff 53 ef 01 00 01 00 00 00 |.."\....S.......|
00000440 de 3d 1a 5c 00 00 00 00 00 00 00 00 01 00 00 00 |.=.\............|
00000450 00 00 00 00 0b 00 00 00 00 01 00 00 3c 00 00 00 |............<...|
00000460 c6 02 00 00 6b 00 00 00 ec 96 53 8f d6 a5 42 6b |....k.....S...Bk|
00000470 a8 8d 0c 5f a5 a9 1e f6 00 00 00 00 00 00 00 00 |..._............|
00000480 00 00 00 00 00 00 00 00 2f 6d 6e 74 2f 73 64 61 |......../mnt/sda|
00000490 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |1...............|
000004a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
List the root directory:
[wang@localhost aa]$ ls -liha
总用量 40K
2 drwxr-xr-x. 6 root root 4.0K 12月 19 20:50 .
68569753 drwx------. 15 wang wang 4.0K 12月 25 15:50 ..
11 drwx------. 2 root root 16K 12月 19 20:47 lost+found
130305 drwxr-xr-x. 2 root root 4.0K 12月 25 09:30 temp
130306 drwxr-xr-x. 11 root root 4.0K 12月 19 20:51 video
260609 drwxr-xr-x. 3 root root 4.0K 12月 19 20:50 webroot
Group 0 from dumpe2fs:
Group 0: (Blocks 0-32767)
主 superblock at 0, Group descriptors at 1-1
保留的GDT块位于 2-954
Block bitmap at 955 (+955), Inode bitmap at 971 (+971)
Inode表位于 987-1495 (+987)
6735 free blocks, 8133 free inodes, 2 directories
可用块数: 9137-10160, 11185-12287, 16384-17840, 20913-21936, 26033-27056, 31665-32767
可用inode数: 12-8144
Find the inode:
Inode 2 sits at offset (2-1) × 256 B = 0x100 within the inode table, which starts at block 987 on this card. Dump the inode table with the following command and take the 256 bytes at 0x100:
sudo dd if=/dev/sdc1 bs=4096 skip=987 | hexdump -Cv -n 1024
00000100 ed 41 00 00 00 10 00 00 2f 17 22 5c 9c 3e 1a 5c |.A....../."\.>.\|
00000110 9c 3e 1a 5c 00 00 00 00 00 00 06 00 08 00 00 00 |.>.\............|
00000120 00 00 08 00 03 00 00 00 0a f3 01 00 04 00 00 00 |................|
00000130 00 00 00 00 00 00 00 00 01 00 00 00 ab 23 00 00 |.............#..|
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
root directory data block (ee_start_lo) == ab 23 00 00 == 0x23ab == 9131
[wang@localhost aa]$ sudo dd if=/dev/sdc1 bs=4096 skip=9131 | hexdump -Cv -n 1024
00000000 02 00 00 00 0c 00 01 02 2e 00 00 00 02 00 00 00 |................|
00000010 0c 00 02 02 2e 2e 00 00 0b 00 00 00 14 00 0a 02 |................|
00000020 6c 6f 73 74 2b 66 6f 75 6e 64 00 00 01 fa 03 00 |lost+found......|
00000030 10 00 07 02 77 65 62 72 6f 6f 74 00 01 fd 01 00 |....webroot.....|
00000040 0c 00 04 02 74 65 6d 70 02 fd 01 00 b8 0f 05 02 |....temp........|
00000050 76 69 64 65 6f 00 00 00 00 00 00 00 00 00 00 00 |video...........|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Partition physical offset: 512 × 62 = 31744 bytes = 31 KB (hence skip=62 with bs=512 above).
The same method works for a 32 GB SSD, TF cards and USB sticks, provided the filesystem is ext4; spinning hard disks have not been tested yet.