xfs
[Top] [All Lists]

Fwd: Need assistance on XFS undeleting files

To: xfs@xxxxxxxxxxx
Subject: Fwd: Need assistance on XFS undeleting files
From: James Shih <shija03@xxxxxxxxx>
Date: Tue, 6 Jul 2010 07:16:20 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=EAFlXkqVj+w0qkerlcDCQ7NykzXz7n0rNYV/6PXHnBY=; b=IiO6MCtzE9ehH27PqFHpsi3CzjnZpDLmjHYulMjuA4vempFqA582p4O41/hrasOmTB eaiWli634CZ/DTy0LH4a8l04PFRj2f7pXmD7LIVqTGGKHcXSF8JSpal2AEEgYE30ur1o Ivg2gSua5jOkXtbNhDUPFYQsmqS1BXi2mhb2s=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=t0BLMTUwo4DnIq4io0H/Qk1SjuWZXb9nkZdBkupC4m8OC7GRVyNG6cqXHO6PxW/2Eu 7T/FYLecbX7FRvxa44CYJttJ1vIQIe6bU5MoMKRyTE2V0LcRNwwFb5l7vNbmInAbe/HG tHkp9a7kSzvha3S7yZG9fFGXSy9NeRaibxv9I=
In-reply-to: <201007060807.24582.misiek@xxxxxxxxxx>
References: <AANLkTik59zx97OVNXSfk4Gbe5poVAIGgJiTJVlsJZIjL@xxxxxxxxxxxxxx> <201007060807.24582.misiek@xxxxxxxxxx>
Dear XFS developers,

   Recently we had the unfortunate event of having a large amount of
files deleted from an XFS network NAS (via NFS) where a removal of
files was performed (leaving intact) the files behind.  I've been
looking for forensic tools and, hopefully, tools that allow me to
recover the files (hopefully their filenames too).  Reading several
passages of different books and websites, I have found TCT (The
Cororer's Toolkit) and the Sleuthkit, but neither of them offer
support for XFS.

   I would like to know if the development team carries such tools -
tools that allow one to list the inodes of the XFS filesystem of
deleted files, and tools that allow one to cat (dump) the blocks from
a starting inode to all the following blocks until an indication that
the file is ended or a new indication of a new file appears. (these
tools would correspond to TCT's ils and pcat respectively).

   Perhaps, if not, could you point me out to any tools (commercial or
not) that can restore the files of the XFS filesystem - preferibly
with their filenames?  From the opensource perspective, I have looked
at photorec & testdisk (it does not support XFS), and the results were
files without filenames - the filenames are key since they are
generated though a hash for my application - without these it is
really hard to determine where they belong to.  Commercial restoring
tools like UFS Explorer (only seems to be able to restore without the
filename) and DiskDoctors XFS (it doesn't work with disk images)

   After doing a little test on a pen drive, trying to simulate the
real environment (several TBs in a RAID5 arrangement), I've noticed
that a "dd if=/my.img | strings | grep -i 'my_movie' ", returns the
movie filename several times - so another question I have is, what
does this filename represent, the fact that I have it on the
filesystem several times, stored as a string, is it an indication that
the file and its filename can be associated during a restoring
process?

   Any assistance is greatly appreciated,

   Best regards,

   James
---------- Forwarded message ----------
From: Arkadiusz Miskiewicz <misiek@xxxxxxxxxx>
Date: Tue, Jul 6, 2010 at 2:07 AM
Subject: Re: Need assistance on XFS undeleting files
To: James Shih <shija03@xxxxxxxxx>


On Tuesday 06 of July 2010, you wrote:
> Hello Mr. Miśkiewicz,
>
>   Sorry for soliciting to you in such a way, but I am simply trying to
> look for the proper contacts and direction that can help me in a
> computer crisis that has recently taken place under an XFS NAS.

Please ask on xfs@xxxxxxxxxxx which is dedicated xfs mailing list with xfs
developers reading it. Google for list archives, too.

>   Does XFS provide any type of tools to do file recovery?

I don't know such tools unfortunately, so this task will be really hard.

>   Thank you,
>
>   James Shih.


--
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/

<Prev in Thread] Current Thread [Next in Thread>