#!/usr/bin/env python3
import binascii as ba
import os
import subprocess
import sys
from collections import deque
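# Name suffixes that undel_ntfs() skips when walking the ntfsundelete listing
# (entries that were already handled or are not worth recovering).
EXCEPT = (
    ".vault",
    ".exe",
    ".doc",
    ".xls",
    ".dll",
)
DEV = "/dev/sda2"  # device undel_ntfs() recovers from
TIMES = 10  # historical per-run limit; currently unused (see commented-out loop in undel_ntfs)
# OLE2 / Compound File Binary header signature, used by .doc/.xls/.ppt and friends:
# D0 CF 11 E0 A1 B1 1A E1.  The gist had "…a1b1a1e1" (bytes 6-7 transposed), which
# never matches a real OLE file, so neither the raw scan nor the undelete filter
# could ever report a hit.
PATTERNS = ("d0cf11e0a1b11ae1",)
# Binary form of PATTERNS, in the same order, so PATTERNS[i] labels PREFIXES[i].
PREFIXES = [ba.unhexlify(pt) for pt in PATTERNS]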
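def scan_reader(file, start_blk, blk_size, blocks, count=None):
    """Yield ``(block_number, block_bytes)`` pairs from a seekable binary file.

    Seeks to ``start_blk * blk_size``, then reads ``blocks`` blocks per I/O call
    and hands them out one at a time.  Iteration stops at end of file or after
    ``count`` blocks have been yielded (``None`` means no limit).  A trailing
    partial block (fewer than ``blk_size`` bytes) is dropped, as in the original.

    Args:
        file: binary file object supporting ``seek`` and ``read``.
        start_blk: index of the first block to yield.
        blk_size: bytes per block; must be positive.
        blocks: blocks per read call (read-ahead size); must be positive.
        count: maximum number of blocks to yield, or ``None`` for all.

    Yields:
        ``(block_number, bytes)`` for each whole block read.

    Raises:
        ValueError: if ``blk_size`` or ``blocks`` is not positive (the original
            would divide by zero or loop forever on such input).
    """
    if blk_size <= 0 or blocks <= 0:
        raise ValueError("blk_size and blocks must be positive")
    file.seek(start_blk * blk_size)
    # deque gives O(1) popleft; the original list.pop(0) shifted the whole
    # read-ahead buffer on every block.
    queue = deque()
    num = start_blk
    while count != 0:  # count is None (no limit) or a remaining budget
        if not queue:
            buffer = file.read(blk_size * blocks)
            whole = len(buffer) // blk_size
            if whole == 0:
                break  # EOF, or only a partial block left
            queue.extend(buffer[c * blk_size:(c + 1) * blk_size] for c in range(whole))
            continue
        yield num, queue.popleft()
        num += 1
        if count is not None:
            count -= 1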
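def scan_hdd(dev, start_blk=2379762, blk_size=512, blocks=100, prefixes=None, msteps=10000):
    """Scan a raw block device (or image file) for blocks that start with a known magic.

    Reads ``dev`` sequentially from block ``start_blk`` in ``blk_size``-byte blocks,
    ``blocks`` blocks per read, and reports every block whose first bytes match one
    of ``prefixes``.  A progress line is printed every ``msteps`` blocks.

    Args:
        dev: path of the device or image to read.  Opening a raw device such as
            ``/dev/sdb`` normally requires root.
        start_blk: block index to start from.  The default is the hard-coded offset
            the gist used; pass ``0`` to scan from the beginning.
        blk_size: bytes per block.
        blocks: blocks per read call.
        prefixes: iterable of ``bytes`` magics to look for; ``None`` means the
            module-level ``PREFIXES``.
        msteps: progress-report interval in blocks.

    Returns:
        list of ``(byte_offset, block_number)`` for each matching block, in scan
        order (the original only printed them).
    """
    prefixes = tuple(PREFIXES if prefixes is None else prefixes)
    found = []
    # ``with`` guarantees the device handle is released even if the scan is
    # interrupted; the original never closed it.
    with open(dev, "rb") as inp:
        inp.seek(0, os.SEEK_END)
        size = inp.tell()
        total_blocks = size // blk_size
        print("Device size: ", size)
        print("Total blocks: ", total_blocks)
        for num, block in scan_reader(inp, start_blk=start_blk, blk_size=blk_size,
                                      blocks=blocks, count=None):
            if (num - start_blk) % msteps == 0:
                pct = num / total_blocks if total_blocks else 0.0
                print("Block {} of {} = {:.5%}.".format(num, total_blocks, pct), end="\r")
            if block.startswith(prefixes):
                offset = num * blk_size
                found.append((offset, num))
                print("\n>> Found at {} block {}".format(offset, num))
                # Same unpadded hex dump of the first 10 bytes as the original.
                print("#" + ':'.join(hex(x) for x in block[:10]).replace("0x", ""))
    print("End")
    return found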
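def undel_ntfs(listing="undelete-sda2.list", dev=None, start_from=None):
    """Recover deleted NTFS files from an ``ntfsundelete -s`` listing, keeping only OLE files.

    Walks ``listing`` (two header lines skipped), skips names ending in any ``EXCEPT``
    suffix, runs ``ntfsundelete`` for each *file* entry (flags starting with ``F``;
    directories are skipped), then reads the first 1024 bytes of the recovered file:
    a match on one of ``PREFIXES`` renames it to ``<pattern>-<name>``, anything else
    is deleted again.

    Args:
        listing: path of the ``ntfsundelete -s`` output to walk.
        dev: device to recover from; ``None`` means the module-level ``DEV``.
        start_from: if given, entries are skipped until a line ending with this
            string is seen.  The gist carried ``"f_003e50"`` for this but had the
            skip disabled (``proceed=True``), so the default processes every entry.

    Security note:
        Names come from the on-disk MFT and must be treated as untrusted.  The
        original built ``os.system`` shell strings with ``'%s'`` quoting, so a name
        containing a single quote could inject commands; every external call here
        passes argv lists with no shell.  Names are also required to be bare file
        names so ``ntfsundelete -o`` cannot write outside the working directory.
    """
    dev = DEV if dev is None else dev
    proceed = start_from is None
    with open(listing) as lines:
        next(lines, None)  # column header
        next(lines, None)  # separator line
        for raw in lines:
            line = raw.strip()
            if not proceed:
                if not line.endswith(start_from):
                    continue
                proceed = True
            if line.endswith(EXCEPT):
                continue
            try:
                inode, flags, _percent, _date, _time, _size, name = line.split(maxsplit=6)
            except ValueError:
                print("Unpack:", line)
                continue
            print(line)
            unnamed = name == "<none>"
            if unnamed:
                name = "inode_" + inode
            if not flags.startswith('F'):
                print('skip dir %s' % name)
                continue
            # Defensive: refuse anything that is not a plain file name (path
            # separators, ".", "..") — the name becomes the -o output path.
            if os.path.basename(name) != name or name in (".", ".."):
                print("skip unsafe name %r" % name)
                continue
            if unnamed:
                cmd = ["ntfsundelete", "-u", "-i", "%s-%s" % (inode, inode), "-o", name, dev]
            else:
                cmd = ["ntfsundelete", "-u", "-m", name, "-o", name, dev]
            if subprocess.run(cmd).returncode != 0:
                continue
            try:
                with open(name, 'rb') as recovered:
                    head = recovered.read(1024)
            except OSError as exc:
                # ntfsundelete reported success but left no readable file.
                print("cannot read %s: %s" % (name, exc))
                continue
            for pattern, prefix in zip(PATTERNS, PREFIXES):
                if head.startswith(prefix):
                    os.replace(name, "%s-%s" % (pattern, name))
                    print("!!!")
                    break
            else:
                # No magic matched: discard the recovered file (was ``rm -f``).
                try:
                    os.remove(name)
                except FileNotFoundError:
                    pass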
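if __name__ == "__main__":
    # NOTE(review): DEV above is /dev/sda2 while the scan targets /dev/sdb — confirm
    # which device is intended before running; reading a raw device needs root and
    # undel_ntfs() is never invoked from here.
    scan_hdd("/dev/sdb")
    # sys.exit instead of quit(): quit() is a site-module convenience that is absent
    # under ``python -S``.
    sys.exit(0)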