[Top] [All Lists]

UPDATE: low-level XFS drive recovery

To: "'linux-xfs@xxxxxxxxxxx'" <linux-xfs@xxxxxxxxxxx>
Subject: UPDATE: low-level XFS drive recovery
From: Adam Milazzo <adam@xxxxxxxxxxxx>
Date: Tue, 23 Apr 2002 20:45:51 -0700
Sender: owner-linux-xfs@xxxxxxxxxxx
After running xfs_repair -n, I get some stuff that looks like this:
entry "backup" in directory inode 128 points to free inode 12583040, would
junk entry
entry "desktop" in directory inode 128 points to free inode 16777344, would
junk entry
entry "t" in directory inode 128 points to free inode 33554240, would junk
...as well as others...
These are exactly the three directories I need to recover!!

However, from the look of the message, it seems like it's going to "junk"
the entry,
making it more difficult to recover.

I'm thinking that directory inode 128 is the root directory, and the inodes
are the directory inodes of those subdirectories. Is there a way (using
perhaps?) to get the inodes and/or extents of the files in those

Could I use this information to recover my files (note that there is
information regarding the situation in my original post, below)?

I'm trying to figure out how to use xfs_db to do this...

If anybody would be kind enough to give me a few instructions on this, or
point me to
some documentation about the format of the directory inodes (whatever I
would need to
get at the file extents), I would greatly appreciate it.

Thanks in advance,
Adam M.

-----Original Message-----
From: Adam Milazzo
To: 'linux-xfs@xxxxxxxxxxx'
Sent: 4/23/2002 12:36 PM
Subject: low-level XFS drive recovery

In a bout of impatient, early-morning foolishness, while trying to
quickly "format" /dev/hda1 (mounted under /mnt), I did an 'rm -rf /*'
from a chroot'd shell, but didn't realize until I pressed Enter, that I
had /dev/hdb1 mounted. However, it was too late, as the second drive was
nearly instantly wiped clean, taking with it all my important stuff! So
I went to bed.

I learned a few lessons, like making better use of 'mount -o ro'.
However, the damage was already done and I am trying to restore the data
on that drive. I know that the XFS FAQ claims that there's no way to
undelete, and that's understandable. However, I might be in luck in this
case. The drive was freshly formatted and had a number of large files
copied to it from another drive, and no writing/deleting was done after
that point (except when it was deleted by rm -rf). Also, no writing has
been done since the deletion. My hope is that the files are [still] in
contiguous blocks on the disk.

My first question is: How likely is it that after writing some (rather
large, 100 meg average, but up to 700 meg) files to a freshly formatted
XFS partition, that they would be in contiguous blocks?

Second: after the rm -rf /* recursed into that drive's mount point and
did it's dirty work, is there anything left of the directory structure?
Or was that all wiped out?

I dumped the first 8 gigs of the drive to a file on another drive, and
am writing a program to scan that dump file and attempt to pull out
anything that looks like a data file (basically by scanning for valid
file headers). However, it's slow work, and is almost useless if the
files are not stored in a single contiguous blocks (hence my first
question). Also, if there's anything left of the directory structure
that I could use to find where files begin and the filename, that would
be very helpful.

Perhaps it's relatively trivial to restore the entire drive just by
rebuilding the directory structure, given the special circumstances of
my situation. Or perhaps the entire thing would be extremely difficult
because the files are broken up.

So, if anybody could provide some information that would be helpful,
and/or point me to some good information on the low-level details of the
filesystem structure that might be useful in aiding my recovery of the
data (or giving me enough information that I can deem it pointless
without going through all the work), it would be greatly appreciated.

Also, does anybody know of a good hex editor (or sector editor)? I'm
looking for the following features (In decreasing order of importance):
* Fast searching of text and binary data
* Ability to open huge files (>2gb)
* A display of the word, dword, and maybe quadword value that begins at
the byte under the cursor.
* Ability to select a chunk of data and save it to a disk (directly, or
in a round-about way)
* A built-in calculator?

curses-based would be okay, but something for gnome/X would be nice.

Thanks a lot in advance!
Adam M.

<Prev in Thread] Current Thread [Next in Thread>