xfs
[Top] [All Lists]

low-level XFS drive recovery

To: "'linux-xfs@xxxxxxxxxxx'" <linux-xfs@xxxxxxxxxxx>
Subject: low-level XFS drive recovery
From: Adam Milazzo <adam@xxxxxxxxxxxx>
Date: Tue, 23 Apr 2002 12:36:40 -0700
Sender: owner-linux-xfs@xxxxxxxxxxx
In a bout of impatient, early-morning foolishness, while trying to quickly
"format" /dev/hda1 (mounted under /mnt), I did an 'rm -rf /*' from a
chroot'd shell, but didn't realize until I pressed Enter, that I had
/dev/hdb1 mounted. However, it was too late, as the second drive was nearly
instantly wiped clean, taking with it all my important stuff! So I went to
bed.

I learned a few lessons, like making better use of 'mount -o ro'. However,
the damage was already done and I am trying to restore the data on that
drive. I know that the XFS FAQ claims that there's no way to undelete, and
that's understandable. However, I might be in luck in this case. The drive
was freshly formatted and had a number of large files copied to it from
another drive, and no writing/deleting was done after that point (except
when it was deleted by rm -rf). Also, no writing has been done since the
deletion. My hope is that the files are [still] in contiguous blocks on the
disk.

My first question is: How likely is it that after writing some (rather
large, 100 meg average, but up to 700 meg) files to a freshly formatted XFS
partition, that they would be in contiguous blocks?

Second: after the rm -rf /* recursed into that drive's mount point and did
it's dirty work, is there anything left of the directory structure? Or was
that all wiped out?

I dumped the first 8 gigs of the drive to a file on another drive, and am
writing a program to scan that dump file and attempt to pull out anything
that looks like a data file (basically by scanning for valid file headers).
However, it's slow work, and is almost useless if the files are not stored
in a single contiguous blocks (hence my first question). Also, if there's
anything left of the directory structure that I could use to find where
files begin and the filename, that would be very helpful.

Perhaps it's relatively trivial to restore the entire drive just by
rebuilding the directory structure, given the special circumstances of my
situation. Or perhaps the entire thing would be extremely difficult because
the files are broken up.

So, if anybody could provide some information that would be helpful, and/or
point me to some good information on the low-level details of the filesystem
structure that might be useful in aiding my recovery of the data (or giving
me enough information that I can deem it pointless without going through all
the work), it would be greatly appreciated.

Also, does anybody know of a good hex editor (or sector editor)? I'm looking
for the following features (In decreasing order of importance):
* Fast searching of text and binary data
* Ability to open huge files (>2gb)
* A display of the word, dword, and maybe quadword value that begins at the
byte under the cursor.
* Ability to select a chunk of data and save it to a disk (directly, or in a
round-about way)
* A built-in calculator?

curses-based would be okay, but something for gnome/X would be nice.

Thanks a lot in advance!
Adam M.


<Prev in Thread] Current Thread [Next in Thread>