[Nottingham] Forensics problem (XFS)

Paul Tew binarybod at gmail.com
Tue Sep 14 19:07:50 UTC 2010

On Tue, 2010-09-14 at 17:13 +0100, Martin wrote:

> A quick search gives:
> http://xfs.org/index.php/XFS_FAQ#Q:_Does_the_filesystem_have_an_undelete_capability.3F

Don't you just hate it when someone finds something with a 'quick
search' and you've been looking for a week.

Incidentally I have been talking to a guy who produces a similar bit of
Windows kit -

Both of these only walk the inodes and recover deleted files (or so it
seems), they don't address the issue of files that used to belong to an
inode but the inode has since been lost thus leaving the once active
file in limbo (and only recoverable by file carving a la 'foremost' or
'photorec'). Whilst recovering files complete with their file metadata
is a bonus, I would like to have the unallocated files too.

My experience tells me that you get loads more files from unallocated
space than you ever do from a simple undelete function (and especially
so with Linux inode based file systems).

> Otherwise, you'll need to look at the code to start walking along the
> XFS B+Tree that lists all unallocated space.
> I wonder if you could subvert the XFS routine that keeps track of free
> space...?

This is pretty much what I am wanting... My problem is that although I'm
fairly useful programming in C, I am pretty slow. I have to balance the
usefulness of any tools I write with the fact that we have an 8 month
backlog. I was rather hoping that some *nix guru out there would be able
to show me a simple 10 character command line that would save all the

> There must be some debug utility for checking/doing that...

and its name is?

> Also, this any good?
> XFS Filesystem Structure
> http://oss.sgi.com/projects/xfs/papers/xfs_filesystem_structure.pdf

I've downloaded this and have been reading it in my leisure time (how
sad is that?). I should have mentioned this in my first post - sorry for
the omission.

Thanks for some really useful pointers though. I'll be especially
looking into that XFS routine to track free space. I think that's where
the low hanging fruit might be.
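
Added example, not part of the original post: a read-only walk of the by-block-number free-space B+tree discussed above, returning the byte ranges of unallocated space in one allocation group so they can be handed to a carver. It assumes the v4 (non-CRC) on-disk layout described in the XFS Filesystem Structure paper linked above; `free_extents` and `sample_image` are hypothetical names, and the image is constructed for the example.

```python
import struct

NULLAGBLOCK = 0xFFFFFFFF  # "no sibling" marker in btree block headers
HDR = 16                  # v4 short-form header: magic, level, numrecs, left, right

def free_extents(img, agno=0):
    """Return [(byte_offset, byte_length)] for every free extent in one AG."""
    if img[0:4] != b"XFSB":
        raise ValueError("no XFS superblock")
    blocksize, = struct.unpack_from(">I", img, 4)            # sb_blocksize
    agblocks, agcount = struct.unpack_from(">II", img, 84)   # sb_agblocks, sb_agcount
    sectsize, = struct.unpack_from(">H", img, 102)           # sb_sectsize
    if agno >= agcount:
        raise ValueError("no such allocation group")
    base = agno * agblocks * blocksize
    agf = base + sectsize                                    # AGF is sector 1 of the AG
    if img[agf:agf + 4] != b"XAGF":
        raise ValueError("bad AGF magic")
    blk, = struct.unpack_from(">I", img, agf + 16)           # root of the by-block tree
    extents, seen = [], set()
    while blk != NULLAGBLOCK:
        if blk in seen or blk >= agblocks:                   # loop or wild pointer
            raise ValueError("corrupt free-space tree")
        seen.add(blk)
        off = base + blk * blocksize
        magic, level, numrecs, _, right = struct.unpack_from(">4sHHII", img, off)
        if magic != b"ABTB":
            raise ValueError("bad btree block magic")
        if level > 0:   # interior node: keys, then pointers; follow the leftmost child
            maxrecs = (blocksize - HDR) // 12
            blk, = struct.unpack_from(">I", img, off + HDR + maxrecs * 8)
            continue
        for i in range(numrecs):  # leaf: AG-relative (startblock, blockcount) pairs
            start, count = struct.unpack_from(">II", img, off + HDR + 8 * i)
            extents.append((base + start * blocksize, count * blocksize))
        blk = right     # leaves are chained left to right
    return extents

def sample_image():
    """Constructed 16-block image with 512-byte blocks; not a real filesystem."""
    img, null = bytearray(16 * 512), NULLAGBLOCK
    struct.pack_into(">4sI", img, 0, b"XFSB", 512)
    struct.pack_into(">II", img, 84, 16, 1)
    struct.pack_into(">H", img, 102, 512)
    struct.pack_into(">4s", img, 512, b"XAGF")
    struct.pack_into(">I", img, 512 + 16, 4)                           # root in block 4
    struct.pack_into(">4sHHII", img, 4 * 512, b"ABTB", 1, 2, null, null)
    struct.pack_into(">II", img, 4 * 512 + HDR + 41 * 8, 5, 6)         # child pointers
    struct.pack_into(">4sHHII2I", img, 5 * 512, b"ABTB", 0, 1, null, 6, 8, 3)
    struct.pack_into(">4sHHII4I", img, 6 * 512, b"ABTB", 0, 2, 5, null, 12, 2, 15, 1)
    return bytes(img)
```

Blocks held on the AG free list (AGFL) are not recorded in this tree, so the ranges returned are a lower bound on unallocated space.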

