0

I am searching for a way to get all the metadata of the linux file system (ext2/3/4). The task is to find all the files (deleted/or not deleted) present on the linux partition. The metadata of the files should include creation time , modification time etc. (basically what you get from the command istat)

The problem i am facing is regarding the deleted files. I cannot find a way to get the inode of the deleted files currently present on the file system. Kindly suggest a way to solve this issue for the above mentioned file systems.

Thanks in advance.

user3294786
  • 177
  • 2
  • 10

1 Answers1

1

You may find The Coroner's Toolkit to be quite useful. It includes tools to allow you to view any element of the metadata, directly view inodes, dump out all of the disk sectors that an inode references, dump disk sectors directly, etc. Since you are working with the inodes and sectors directly, it does not matter if they are deleted or not, they are all accessible.

David Hoelzer
  • 15,862
  • 4
  • 48
  • 67
  • i am unable to install the above mentioned toolkit. When i run the make command it just says "Ok, trying to find perl5 now... hang on a bit..." and nothing happens. Any Suggestions. – user3294786 May 26 '15 at 16:11
  • Verify that Perl5 is installed... And see if there's a `./configure` script. – David Hoelzer May 26 '15 at 16:48