Using /var/log/dmesg as an example:
1. Find the disk partition that holds the file
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 50G 8.0G 39G 18% /
2. Find the range of block numbers the file occupies in the ext4 file system: blocks 4235796~4235820. Note that the unit here is blocks; the default ext4 block is 4KB, i.e. 8 sectors (512 bytes each)
filefrag -v /var/log/dmesg
Filesystem type is: ef53
File size of /var/log/dmesg is 100351 (25 blocks of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 24: 4235796.. 4235820: 25: eof
/var/log/dmesg: 1 extent found
3. Find the starting LBA of partition /dev/sda3. As shown in Figure 1-9: 2105344. Note that the unit here is sectors (512 bytes)
sudo parted /dev/sda
GNU Parted 3.3
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit s
(parted) p
Model: ATA Intel SSDSC2BB24 (scsi)
Disk /dev/sda: 468862128s
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Flags
1 2048s 8191s 6144s bios_grub
2 8192s 2105343s 2097152s ext4 boot
3 2105344s 106962943s 104857600s ext4
File LBA = (block number * 8) + starting LBA of /dev/sda3
= 4235796*8 + 2105344s = 35991712
4. Read the raw data. Note that the LBA must be converted to bytes (multiply by 512)
35991712 * 512 = 18427756544
5. Read the file directly and read the raw device, then compare the output
Read the head of the file with od
od -A x -t x1z -v -N 128 dmesg
Read the raw device at the computed byte offset with od
od -A x -t x1z -v -N 128 -j 18427756544 /dev/sda
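
The arithmetic in steps 2 to 4, as an added example that is not part of the original page: it parses the filefrag -v output shown above and maps every extent to its LBA and byte offset on /dev/sda, so it also covers fragmented files with more than one extent. The function names are hypothetical; the 512-byte sector size and the partition start 2105344 are taken from the parted output above.

```python
import re

# Output of `filefrag -v /var/log/dmesg` as shown on this page.
FILEFRAG_OUTPUT = """\
Filesystem type is: ef53
File size of /var/log/dmesg is 100351 (25 blocks of 4096 bytes)
 ext: logical_offset: physical_offset: length: expected: flags:
 0: 0.. 24: 4235796.. 4235820: 25: eof
/var/log/dmesg: 1 extent found
"""

SECTOR_SIZE = 512          # logical sector size reported by parted
PART_START_LBA = 2105344   # start of /dev/sda3 in sectors (parted, unit s)

# "<n>: <log_start>.. <log_end>: <phys_start>.. <phys_end>: <length>: ..."
EXTENT_RE = re.compile(r"^\s*\d+:\s*(\d+)\.\.\s*\d+:\s*(\d+)\.\.\s*\d+:\s*(\d+):")
BLOCK_RE = re.compile(r"blocks? of (\d+) bytes")


def parse_filefrag(text):
    """Return (block_size, [(logical_block, physical_block, length_blocks)])."""
    m = BLOCK_RE.search(text)
    if not m:
        raise ValueError("block size not found in filefrag output")
    extents = [tuple(int(g) for g in e.groups())
               for e in map(EXTENT_RE.match, text.splitlines()) if e]
    if not extents:
        raise ValueError("no extents found in filefrag output")
    return int(m.group(1)), extents


def raw_extents(text, part_start_lba=PART_START_LBA, sector_size=SECTOR_SIZE):
    """Map each extent to (file_offset, disk_lba, disk_byte_offset, nbytes)."""
    block_size, extents = parse_filefrag(text)
    sectors_per_block = block_size // sector_size   # 4096 / 512 = 8
    result = []
    for logical, physical, length in extents:
        # File LBA = (block number * sectors per block) + partition start LBA
        lba = physical * sectors_per_block + part_start_lba
        # nbytes is the allocated size; the last block is padded past EOF.
        result.append((logical * block_size, lba, lba * sector_size,
                       length * block_size))
    return result


if __name__ == "__main__":
    for file_off, lba, disk_off, nbytes in raw_extents(FILEFRAG_OUTPUT):
        print(f"file offset {file_off}: LBA {lba}, {nbytes} bytes allocated")
        print(f"  od -A x -t x1z -v -N 128 -j {disk_off} /dev/sda")
```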