[Nottingham] Forensics problem (XFS)
Martin
martin at ml1.co.uk
Tue Sep 14 16:13:48 UTC 2010
On 14/09/10 14:55, Paul Tew wrote:
[---]
> I recently took possession of a Buffalo LinkStation which serves files
> to an attached network via samba. The issue I have is that these files
> are stored on an XFS partition...
[---]
> My problem is that I need to look at those parts of the drive that
> DON'T form regular files so that I can search for deleted and
> unallocated files and carve them out. Ideally I would like to extract
> all the data from sectors that aren't allocated to files. I would
[---]
A quick search gives:
http://xfs.org/index.php/XFS_FAQ#Q:_Does_the_filesystem_have_an_undelete_capability.3F
Otherwise, you'll need to look at the code to start walking along the
XFS B+Tree that lists all unallocated space.
I wonder if you could subvert the XFS routine that keeps track of free
space...?
There must be some debug utility for checking/doing that...
Also, this any good?
XFS Filesystem Structure
http://oss.sgi.com/projects/xfs/papers/xfs_filesystem_structure.pdf
Good luck,
Martin
--
----------------
Martin Lomas
martin at ml1.co.uk
----------------
More information about the Nottingham
mailing list