3

Let's say I have an unmounted block device /dev/sda, and I want to replace all instances of MyPassWord with XXXXXXXXXX. (Hopefully my goal is obvious.)

What's the easiest way to do this?

Improve this question
12
  • 1
    If you are going to replace on the block level I would make sure that the patterns are of equal length (now it is 10 resp. 12 characters). Whatever technique you are going to use. Commented Jan 21, 2015 at 16:13
  • 1
    How big is the block device? "Easiest" could be to copy it to a file on another block device and then use 'sed'. But it would be very slow. Most efficient way would be to write a quick C program, but writing C isn't everyone's idea of easy. Commented Jan 21, 2015 at 16:21
  • 4
    Also keep in mind that if your password is split between two blocks of a file, those blocks might not be adjacent on the disk. So you might not find all occurrences. Commented Jan 21, 2015 at 16:22
  • @Anthon: Oops, yes I meant to assume that, I counted my X's wrong. Commented Jan 21, 2015 at 16:24
  • 1
    @Anthon I think you misunderstood me; the filesystem is not guaranteed to put two adjacent file chunks on adjacent device blocks. So its possible to have a file still containing the password even if the complete string doesn't exist anywhere on the block device. Commented Jan 21, 2015 at 21:07

1 Answer 1

Reset to default
2

You can do something like:

#! /usr/bin/env python

device = '/dev/sdi'
old_pattern = "MyPassWord"
new_pattern = "XXXXXXXXXX"

assert len (old_pattern) == len(new_pattern)

BS = 1024 ** 2  # 1 Mb buffer
# read a few bytes more to account for occurences of the pattern on the edge
READSIZE = BS + len(old_pattern)

offset = 0
with open(device, 'r+b') as fp:
    assert isinstance(fp, file)
    while True:
        try:
            fp.seek(offset)
        except IOError:
            #print 'offset', offset
            #raise
            break
        buf = fp.read(READSIZE)
        occurences = buf.count(old_pattern)
        if occurences:
            print offset, occurences
            fp.seek(offset)
            fp.write(buf.replace(old_pattern, new_pattern))
            fp.flush()
        offset += BS

substituting the appropriate device name at the top.

You have to run the script as root and make sure you re-mount the device when finished as the system buffers of file contents are not notified of the changes.

Improve this answer
3
  • Hmm...I think this will fail to find MyPassWord if it falls any 1Mb boundary. +1 though Commented Jan 21, 2015 at 20:08
  • 1
    @notfed No it won't. I read (and write if applicable) READSIZE which is len(old_pattern) longer than BS, but I step by BS. The next read reloads a few bytes of the previous process Commented Jan 21, 2015 at 20:20
  • 1
    @notfed There is still the problem, as dataless correctly pointed out (and for which I needed extra clarification) that if MyPassWord is in a file and the blocks that hold the date of that file are not next to each other in the file, then this won't work. In that case you would need to scan each and every file through the filesystem, and do the same for deleted file that might be recovered (e.g. with extundelete) Commented Jan 21, 2015 at 21:12

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.