In Linux, given an offset into a raw disk device, is it possible to map back to a partition + inode?
For example, suppose I know that string "xyz" is contained at byte offset 1000000 on /dev/sda:
(e.g. xxd -l 100 -s 1000000 /dev/sda shows a dump that begins with "xyz")
1) How do I figure out which partition (if any) offset 1000000 is located in? (I imagine this is easy, but am including it for completeness)
2) Assuming the offset is located in a partition, how do I go about finding which inode it belongs to (or determine that it is part of free space)? Presumably this is filesystem specific, in which case does anyone know how to do this for ext4 and ext3?
Best Answer
I just had to do a similar thing, so I thought I'd share my solution.
You can see which partition a drive byte offset belongs to by checking the 'offset' and 'size' elements of the udisks --show-info output; e.g.
Subtract this offset from the disk offset to get the byte offset into the partition. So disk offset (10000000) in /dev/sda is partition offset (10000000 - 1048576) = 8951424 in /dev/sda1.
You can find out how large blocks are in a partition using the following command:
Divide the partition byte offset by the block size to determine the block offset, in this case 8951424 / 4096 = 2185
Run the following command to find out what inode occupies that block:
then the following command to find out what the filename is for that inode:
There's a longer description of how to do this at http://www.randomnoun.com/wp/2013/09/12/determining-the-file-at-a-specific-vmdk-offset
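The answer's steps (find the partition, subtract its start, divide by the block size, ask the filesystem which inode owns the block, then which name the inode has) carried through as one script. This is an added example, not code from the answer or from the linked article, and the answer's actual command output is not reproduced on this page. It assumes ext2/3/4, a partition table constructed inline with numbers matching the answer's worked case (1 MiB partition start, 4096-byte blocks), and e2fsprogs' `debugfs -R "icheck <block>"` / `debugfs -R "ncheck <inode>"` for the last two steps; those are only executed when the script is run against a real device as root, and the debugfs output samples used in comments are constructed in the shape debugfs prints.

```python
"""Map a raw-disk byte offset to partition, ext filesystem block, inode and path.

Added example, not the original answer's code. The partition table below is
constructed; on a real machine take partition offset/size from
`udisks --show-info` or `lsblk -b -o NAME,START,SIZE`, the block size from
`tune2fs -l <partition>` ("Block size:"), and run the debugfs commands this
script builds (e2fsprogs, needs root, ext2/3/4 only).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Partition:
    device: str      # block device node, e.g. /dev/sda1
    offset: int      # byte offset of the partition start on the whole disk
    size: int        # partition size in bytes
    block_size: int  # ext filesystem block size in bytes (assumed 4096 here)


# Constructed table: first partition starts at 1 MiB, as in the answer's disk.
SAMPLE_TABLE: List[Partition] = [
    Partition("/dev/sda1", 1048576, 20 * 1024**3, 4096),
    Partition("/dev/sda2", 1048576 + 20 * 1024**3, 8 * 1024**3, 4096),
]


def find_partition(disk_offset: int, table: List[Partition]) -> Optional[Partition]:
    """Step 1: the partition whose [offset, offset + size) contains the byte."""
    for p in table:
        if p.offset <= disk_offset < p.offset + p.size:
            return p
    return None  # MBR/GPT area, an inter-partition gap, or past the last partition


def block_of(disk_offset: int, p: Partition) -> int:
    """Steps 2-3: byte offset within the partition, then the filesystem block number."""
    return (disk_offset - p.offset) // p.block_size


def icheck_cmd(p: Partition, block: int) -> List[str]:
    return ["debugfs", "-R", f"icheck {block}", p.device]


def ncheck_cmd(p: Partition, inode: int) -> List[str]:
    return ["debugfs", "-R", f"ncheck {inode}", p.device]


def parse_icheck(output: str) -> Optional[int]:
    """Constructed sample: 'Block\\tInode number\\n2185\\t12' -> 12.
    A free block prints '<block not found>' in the inode column -> None."""
    for line in output.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s+(\d+)\s*$", line)
        if m:
            return int(m.group(2))
    return None


def parse_ncheck(output: str) -> Optional[str]:
    """Constructed sample: 'Inode\\tPathname\\n12\\t/home/u/notes.txt' -> path."""
    for line in output.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            return parts[1].strip()
    return None  # inode allocated but unlinked (no name), or nothing printed


def run(cmd: List[str]) -> str:
    """Real runner: invokes debugfs; only the stdout table is parsed."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def resolve(disk_offset: int, table: List[Partition] = SAMPLE_TABLE,
            runner: Callable[[List[str]], str] = run) -> dict:
    """Full chain; `runner` is injectable so the logic can be checked offline."""
    p = find_partition(disk_offset, table)
    if p is None:
        return {"partition": None, "block": None, "inode": None, "path": None}
    block = block_of(disk_offset, p)
    inode = parse_icheck(runner(icheck_cmd(p, block)))
    path = parse_ncheck(runner(ncheck_cmd(p, inode))) if inode is not None else None
    return {"partition": p.device, "block": block, "inode": inode, "path": path}


if __name__ == "__main__":
    import sys
    # Usage (as root, on a real ext partition): python3 offset2inode.py 10000000
    print(resolve(int(sys.argv[1])))
```

An inode of `None` with a valid block means debugfs reported the block as unallocated, i.e. the bytes sit in free space (possibly a deleted file's remnants), which is the "or determine that it is part of free space" case in the question; a found inode with no path means the file is unlinked but still open somewhere.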