[Top] [All Lists]

Re: Hello, I have a question about XFS File System

To: Yongmin <dev.yongmin@xxxxxxxxx>, "xfs@xxxxxxxxxxx" <xfs@xxxxxxxxxxx>
Subject: Re: Hello, I have a question about XFS File System
From: Stan Hoeppner <stan@xxxxxxxxxxxxxxxxx>
Date: Fri, 07 Mar 2014 16:19:44 -0600
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <279D0A265E5D4AF5B099BFAD4E8B1700@xxxxxxxxx>
References: <195DE8C60CE24A62A71911FDE0B0DC97@xxxxxxxxx> <5318DB01.2040102@xxxxxxxxxxxxxxxxx> <279D0A265E5D4AF5B099BFAD4E8B1700@xxxxxxxxx>
Reply-to: stan@xxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
Please reply to the mailing list as well as the individual.

Note that you stated:

'...the concentrated part of mine is "Deleted File Recovery"'

On 3/6/2014 10:02 PM, Yongmin wrote:
> Yes! there are no actual file data in journaling part.
> BUT, by analyzing journaling part, we can get a Inode Core Information which 
> was deleted.
> In Inode Core, there are many information about the actual data, i.e. start 
> address, file length etc.

Analyzing the journal code may inform you about structures, but it won't
inform you about on disk locations of the structures and how to find
them.  If a file has been deleted, no information about that is going to
exist in the journal for more than a few seconds before the transaction
is committed and the entry removed from the journal.

> By using those information, Recovering delete file can be done.
> So the analysis of Journaling part is absolutely needed.  

I disagree.  Again, the journal log is unrelated to "deleted file
recovery" in a forensics scenario.

I think Dave and Jeff both missed the fact that you're interested only
in deleted file recovery, not in learning how the journal works for the
sake of learning how the journal works.

> =======================
>         from Yongmin Park  
> =======================
> On 2014ë 3ì 7ì Friday at ìì 5:30, Stan Hoeppner wrote:
>> On 3/6/2014 3:15 AM, Yongmin wrote:
>>> Hello.
>>> My name is Yongmin Park and I am a graduated student in Ajou
>>> University (Korea). My research area is Digital Forensics. And this
>>> time i tried to understand the structure of XFS file system, because
>>> XFS is one of the famous huge file system in these days.
>>> I already founded and read 'XFS Filesystem Structure 2nd Edition
>>> Revision 1' on the Internet, which was written by Silicon Graphics
>>> Inc in 2006 and it is really well written to understand.
>>> But the concentrated part of mine is "Deleted File Recovery", so the
>>> Journaling part is really important for me,, but regretfully there
>>> are no specific guide line about Journaling part... Also next
>>> version(maybe the 3re Edition) is not exsist for more than a 5
>>> years.
>>> So is there no guide line for journaling part in XFS? How can i get
>>> them,, have I to buy them? or Is Analysing Source Cord only way to
>>> study?
>> The journal only contains in flight transactional metadata for recovery
>> purposes after a system crash or power loss, to prevent filesystem, i.e.
>> metadata, corruption. The journal does not contain file data. During
>> normal operation, once the metadata has been written into an allocation
>> group the transactional entry in the journal is removed. Thus,
>> recovering deleted files has nothing to do with the journal.
>> This may be helpful:
>> http://xfs.org/index.php/XFS_FAQ#Q:_Does_the_filesystem_have_an_undelete_capability.3F


<Prev in Thread] Current Thread [Next in Thread>