On an ext3 (or ext2/4, pick your flavor) filesystem, how would one extract raw byte data that corresponds to a particular inode directly from the hard drive?
Is it possible given, say, an inode number to determine its location on disk (perhaps as an offset from the start of the partition, or some other LBA offset) and then use some utility such as dd or a system call (something like lseek except operating on the filesystem?) to read that data without having to reference it as a file?
I'm assuming this can be done, perhaps with some sort of driver-level utility.
Best Answer
The
imapcommand in debugfs can tell you where an inode is. Example:To get a raw dump of inode 128901, you'd seek to byte
524344*block_size + 0x0400and readinode_sizebytes. You can get the sizes with thestatscommand indebugfs, or the separate utilitydumpe2fs.statsordumpe2fswill also give you a complete listing of all the inode storage areas so you can build your own function that performs the equivalent ofimapwithout actually callingdebugfsevery time (or running it interactively). Just remember when you do your calculation there is no inode zero. inode 1 starts at byte 0 of the first block of inodes.If you want to do this in a C program without external programs then you should look at the
libext2library, which is used by all the standard ext2 utilities. I haven't used it myself but I suspect with the libext2 documentation plus the source code of debugfs to use as inspiration, you can write your ownimap-like function pretty easily.... and here's where it occurred to me that maybe you didn't literally mean you wanted the raw data of the inode. Maybe you want the contents of the file that the inode describes. In that case it's even easier.
debugfshas a built-in command for that:prints the contents of the file whose inode number is 128901.