[Nottingham] Forensics problem (XFS)

Martin martin at ml1.co.uk
Tue Sep 14 23:47:23 UTC 2010


On 14/09/10 20:07, Paul Tew wrote:
> On Tue, 2010-09-14 at 17:13 +0100, Martin wrote:
> 
>> A quick search gives:
>>
>> http://xfs.org/index.php/XFS_FAQ#Q:_Does_the_filesystem_have_an_undelete_capability.3F
> 
> Don't you just hate it when someone finds something with a 'quick
> search' and you've been looking for a week.

It's getting to be quite scary just how dependant we are all getting to
be on Google...

Perhaps I should run a talk on how to navigate the web?...

We could have another talk just on Google!


[---]
> My experience tells me that you get loads more files from unallocated
> space than you ever do from a simple undelete function (and especially
> so with Linux inode based file systems)
> 
>> Otherwise, you'll need to look at the code to start walking along the
>> XFS B+Tree that lists all unallocated space.
>>
>> I wonder if you could subvert the XFS routine that keeps track of free
>> space...?
> 
> This is pretty much what I am wanting... My problem is that although I'm
> fairy useful programming in C, I am pretty slow. ...

Mmmm... Anyone on the list? (I'm bashing away at a few other problems at
the moment...)


>> There must be some debug utility for checking/doing that...
> 
> and it's name is?

That's where this maillist hopefully magics up the magic answer!


Interesting that NAS boxes are using XFS. So far, my daily use of
filesystems are Reiserfs 3.6, ext2, ext3, ext4 and vfat. Also NTFS when
I'm Windows fixing...

Waiting for btrfs to settle a little more before using that.

Still musing over distributed filesystems. I've used drbd. However,
Google's idea of using replication at the *application* layer looks to
be a better dedicated way to go. Meanwhile, rsync and nfs works well!


>> Also, this any good?
>>
>> XFS Filesystem Structure
>> http://oss.sgi.com/projects/xfs/papers/xfs_filesystem_structure.pdf
> 
> I've downloaded this and have been reading it in my leisure time (how
> sad is that?). ...

Is that more an indicator of someone who considers his job worthwhile?

I certainly don't have your patience to manually sift through the data!
Or to wait for the progress bars for collecting the fragments...


Anyone for munging the XFS free space code?

Good luck,

Cheers,
Martin

-- 
----------------
Martin Lomas
martin at ml1.co.uk
----------------



More information about the Nottingham mailing list