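Using bmap to display a Linux file's sector information and fragmentation information, and to add slack data or your own confidential data to a file
What is the slack of a Linux file:
Linux file systems allocate disk space in units of blocks (4096 bytes by default on CentOS). When a file's size is not an integer multiple of the block size, the unused space at the end of the file's last block can be written to without affecting file system integrity. This space is called slack. Of course, if the file's size changes, the slack at the end changes too.
Installing bmap: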
# tar -zxvf bmap-1.0.17.tar.gz
# make
make reports an error:
sgml2latex bmap.sgml
make: sgml2latex: Command not found
You can ignore it. It happens because sgml2latex is not installed on the system, and it does not affect use of the tool.
Using bmap:
# bmap --doc help
bmap:1.0.17 (12/25/10) newt@scyld.com
Usage: bmap [OPTION]… []
use block-list knowledge to perform special operations on files
--doc VALUE
where VALUE is one of:
version display version and exit
help display options and exit
man generate man page and exit
sgml generate SGML invocation info
--mode VALUE
where VALUE is one of:
map list sector numbers
carve extract a copy from the raw device
slack display data in slack space
putslack place data into slack
wipeslack wipe slack (better not to use this one)
checkslack test for slack (returns 0 if file has slack)
slackbytes print number of slack bytes available
wipe wipe the file from the raw device
frag display fragmentation information for the file
checkfrag test for fragmentation (returns 0 if file is fragmented)
--outfile write output to …
--label useless bogus option
--name useless bogus option
--verbose be verbose
--log-thresh logging threshold …
--target operate on …
Check whether a file is fragmented:
# bmap --mode checkfrag XXXXX
Show where the file's fragments are:
# bmap --mode frag XXXXX
# ./bmap --mode frag /data0/search/hdfs-filesystem/name/current/fsimage
/data0/search/hdfs-filesystem/name/current/fsimage fragmented between 773070872 and 773131815
/data0/search/hdfs-filesystem/name/current/fsimage fragmented between 773131832 and 773136039
Show the sectors used by a file:
# bmap --mode map XXXXX
# ./bmap --mode map COPYING
235357120
235357121
235357122
235357123
Read a file's content from the raw device:
# bmap --mode carve XXXXX
Show a file's slack information:
# bmap --mode slack XXXXX
# ./bmap --mode slack COPYING
getting from block 29419644    <- the block that holds the slack
file size was: 18008    <- file size
slack size: 2472    <- slack size
block size: 4096    <- file system block size
Write content into a file's slack:
# echo "aaabbbccc" | bmap --mode putslack XXXXX
# echo "aaabbbccc" | ./bmap --mode putslack COPYING
getting from block 29419644
file size was: 18008
slack size: 2472
block size: 4096
You can use slack mode to check the content that was written:
# ./bmap --mode slack COPYING
getting from block 29419644
file size was: 18008
slack size: 2472
block size: 4096
aaabbbccc    <- this is the content that was written
Check whether a file contains slack content:
# bmap --mode checkslack XXXXX
# ./bmap --mode checkslack COPYING
COPYING has slack
Check how many bytes of a file are available as slack:
# bmap --mode slackbytes XXXXX
# ./bmap --mode slackbytes COPYING
2472
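Clear the slack content (note that the help output above describes wipe mode as "wipe the file from the raw device", and wipeslack as the mode that wipes slack):
# bmap --mode wipe XXXXX
You can use checkslack or slack mode to check whether the content has been cleared.
# ./bmap --mode checkslack COPYING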
COPYING does not have slack
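An added example (not from the original post or from the bmap project): shell functions that recompute the slack region from the values bmap prints (block number, file size, block size) and count the non-NUL bytes in that region of a disk image, as an independent check that slack is clean. It assumes the block number counts block-size units from the start of the image, which agrees with the output above (sector 235357120 / 8 = block 29419640, four blocks before 29419644); the function names and the small test image are constructed for illustration.

```shell
#!/bin/sh
# Added example: independent check for data left in a file's slack region.

# slack_bytes SIZE BLOCK_SIZE -> unused bytes in the file's last block
slack_bytes() {
    rem=$(( $1 % $2 ))
    # A size that is an exact multiple of the block size (or 0) has no slack.
    if [ "$rem" -eq 0 ]; then echo 0; else echo $(( $2 - rem )); fi
}

# slack_nonzero IMAGE LAST_BLOCK SIZE BLOCK_SIZE -> count of non-NUL slack bytes
# Assumption: LAST_BLOCK counts BLOCK_SIZE units from the start of IMAGE.
slack_nonzero() {
    n=$(slack_bytes "$3" "$4")
    if [ "$n" -eq 0 ]; then echo 0; return 0; fi
    off=$(( $2 * $4 + $3 % $4 ))   # byte offset just past the end of file data
    tail -c +$(( off + 1 )) "$1" | head -c "$n" | tr -d '\000' | wc -c | tr -d ' '
}

# make_demo_image IMAGE [PAYLOAD] -> constructed 5-block image (not real data):
# an 18008-byte file of 'A' in blocks 0-4, optional PAYLOAD placed in its slack.
make_demo_image() {
    head -c 20480 /dev/zero > "$1"
    head -c 18008 /dev/zero | tr '\000' 'A' | dd of="$1" conv=notrunc 2>/dev/null
    if [ -n "${2:-}" ]; then
        printf '%s' "$2" | dd of="$1" bs=1 seek=18008 conv=notrunc 2>/dev/null
    fi
}

# Demo on the constructed image: file size 18008, block size 4096, last block 4.
img=$(mktemp)
make_demo_image "$img"
echo "slack bytes available: $(slack_bytes 18008 4096)"
echo "clean image: $(slack_nonzero "$img" 4 18008 4096) non-NUL slack bytes"
make_demo_image "$img" "aaabbbccc"
echo "after write: $(slack_nonzero "$img" 4 18008 4096) non-NUL slack bytes"
rm -f "$img"
```

A non-zero count does not by itself prove deliberate hiding, since slack can also hold residue from earlier writes, but it marks the file for closer inspection.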