In the terminal, I can use the stat command to get the inode of a particular file:
>> stat /some/file.txt
41307547
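But I can't figure out how to get information about the file's data blocks (such as their addresses) from it.
Answer 0: (score: 0)
Not sure if there is a way to do this with native commands, but I did have luck using SleuthKit. Once installed...
Load the disk image and get the partition that contains the actual file: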
>> mmls DiskImage.dd
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000000001 0000000002 Unallocated
002: 000:000 0000000002 0003913663 0003913662 Win95 FAT32 (0x0b)
The number 0000000002 is the offset of the file. Using that offset, we can read a list of all files and their inode values if necessary:
>> fls -o 2 DiskImage.dd
r/r 5: ._.Trashes
d/d * 6: _RASHE~1.NRV
d/d 8: .Trashes
d/d 10: .fseventsd
d/d 13: .Spotlight-V100
r/r 16: SomeFile.txt
Finally, using our partition offset and the inode number, use istat to get the list of all sectors for that file:
>> istat -o 2 DiskImage.dd 16
Directory Entry: 16
Allocated
File Attributes: File, Archive
Size: 158184
Name: SomeFile.txt
Directory Entry Times:
Written: 2015-10-26 15:57:04 (EDT)
Accessed: 2015-11-01 00:00:00 (EDT)
Created: 2015-10-20 20:37:17 (EDT)
Sectors:
1282198 1282199 1282200 1282201 1282202 1282203 1282204 1282205
1282206 1282207 1282208 1282209 1282210 1282211 1282212 1282213
1282214 1282215 1282216 1282217 1282218 1282219 1282220 1282221
1282222 1282223 1282224 1282225 1282226 1282227 1282228 1282229
1282230 1282231 1282232 1282233 1282234 1282235 1282236 1282237
1282238 1282239 1282240 1282241 1282242 1282243 1282244 1282245
1282246 1282247 1282248 1282249 1282250 1282251 1282252 1282253
1282254 1282255 1282256 1282257 1282258 1282259 1282260 1282261
1282262 1282263 1282264 1282265 1282266 1282267 1282268 1282269
...
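To turn a sector list like the one above into data block addresses, the following added example (not part of the original answer) parses istat output, collapses the sectors into contiguous runs, and maps each run to a byte offset in the image. It assumes 512-byte sectors and that istat reports sectors relative to the start of the partition given with -o; the sample text is a shortened, constructed variant of the output above with a second fragment added.

```python
SECTOR_SIZE = 512  # assumption: 512-byte sectors, the unit used for the -o offset

# Constructed sample: shortened istat output with an extra, made-up fragment.
SAMPLE_ISTAT = """\
Directory Entry: 16
Allocated
File Attributes: File, Archive
Size: 158184
Name: SomeFile.txt
Sectors:
1282198 1282199 1282200 1282201
1282202 1282203 1290000 1290001
...
"""

def parse_sectors(istat_text):
    """Return the sector numbers listed after the 'Sectors:' line."""
    sectors, in_list = [], False
    for line in istat_text.splitlines():
        if line.strip() == "Sectors:":
            in_list = True
            continue
        if in_list:
            tokens = line.split()
            # Stop at a blank line, a truncation marker or the next section.
            if not tokens or not all(t.isdigit() for t in tokens):
                break
            sectors.extend(int(t) for t in tokens)
    return sectors

def to_runs(sectors):
    """Collapse sector numbers into (first_sector, count) contiguous runs."""
    runs = []
    for s in sectors:
        if runs and s == runs[-1][0] + runs[-1][1]:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return [tuple(r) for r in runs]

def image_extents(runs, part_offset, sector_size=SECTOR_SIZE):
    """Map runs to (byte offset in the image file, length in bytes)."""
    return [((part_offset + first) * sector_size, count * sector_size)
            for first, count in runs]

if __name__ == "__main__":
    runs = to_runs(parse_sectors(SAMPLE_ISTAT))
    for offset, length in image_extents(runs, part_offset=2):
        print(f"image offset {offset} bytes, length {length} bytes")
```

The last run usually extends past the file's Size value, so trim the final extent to the recorded size when carving the content out of the image.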