[Top] [All Lists]

RE: Hello, I have a question about XFS File System

To: "stan@xxxxxxxxxxxxxxxxx" <stan@xxxxxxxxxxxxxxxxx>, Yongmin <dev.yongmin@xxxxxxxxx>, "xfs@xxxxxxxxxxx" <xfs@xxxxxxxxxxx>
Subject: RE: Hello, I have a question about XFS File System
From: Shaun Gosse <sgosse@xxxxxxx>
Date: Fri, 7 Mar 2014 22:40:31 +0000
Accept-language: en-US
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <531A4600.7050906@xxxxxxxxxxxxxxxxx>
References: <195DE8C60CE24A62A71911FDE0B0DC97@xxxxxxxxx> <5318DB01.2040102@xxxxxxxxxxxxxxxxx> <279D0A265E5D4AF5B099BFAD4E8B1700@xxxxxxxxx> <531A4600.7050906@xxxxxxxxxxxxxxxxx>
Thread-index: AQHPOlNXZ1hsCqPYc06xMvD7gOte95rWNVng
Thread-topic: Hello, I have a question about XFS File System

If I understand what you're saying here correctly, it sounds like there would 
still be a very tiny window where the journal could be relevant, those "few 
seconds" before it's committed as you said. So it would be a rather small 
corner case, but there might be some use. And I think it was already stated to 
be an academic project...

This does makes me curious in turn about how difficult it would be to recover 
journal entries. At a guess, if a person knows the structure and it hasn't been 
overwritten, it'll still be there? Or is it automatically overwritten/zero'd 
when the entry is removed from the journal, perhaps as the very mechanism of 
removal? And presumably this window, if any, would also be rather small 
assuming an active filesystem (and an inactive one presumably 
irrelevant...unless, perhaps, it was one where the last action, arbitrarily 
long ago, was a critical delete operation...).


-----Original Message-----
From: xfs-bounces@xxxxxxxxxxx [mailto:xfs-bounces@xxxxxxxxxxx] On Behalf Of 
Stan Hoeppner
Sent: Friday, March 07, 2014 4:20 PM
To: Yongmin; xfs@xxxxxxxxxxx
Subject: Re: Hello, I have a question about XFS File System

Please reply to the mailing list as well as the individual.

Note that you stated:

'...the concentrated part of mine is "Deleted File Recovery"'

On 3/6/2014 10:02 PM, Yongmin wrote:
> Yes! there are no actual file data in journaling part.
> BUT, by analyzing journaling part, we can get a Inode Core Information which 
> was deleted.
> In Inode Core, there are many information about the actual data, i.e. start 
> address, file length etc.

Analyzing the journal code may inform you about structures, but it won't inform 
you about on disk locations of the structures and how to find them.  If a file 
has been deleted, no information about that is going to exist in the journal 
for more than a few seconds before the transaction is committed and the entry 
removed from the journal.

> By using those information, Recovering delete file can be done.
> So the analysis of Journaling part is absolutely needed.  

I disagree.  Again, the journal log is unrelated to "deleted file recovery" in 
a forensics scenario.

I think Dave and Jeff both missed the fact that you're interested only in 
deleted file recovery, not in learning how the journal works for the sake of 
learning how the journal works.

> =======================
>         from Yongmin Park
> =======================
> On 2014ë 3ì 7ì Friday at ìì 5:30, Stan Hoeppner wrote:
>> On 3/6/2014 3:15 AM, Yongmin wrote:
>>> Hello.
>>> My name is Yongmin Park and I am a graduated student in Ajou 
>>> University (Korea). My research area is Digital Forensics. And this 
>>> time i tried to understand the structure of XFS file system, because 
>>> XFS is one of the famous huge file system in these days.
>>> I already founded and read 'XFS Filesystem Structure 2nd Edition 
>>> Revision 1' on the Internet, which was written by Silicon Graphics 
>>> Inc in 2006 and it is really well written to understand.
>>> But the concentrated part of mine is "Deleted File Recovery", so the 
>>> Journaling part is really important for me,, but regretfully there 
>>> are no specific guide line about Journaling part... Also next 
>>> version(maybe the 3re Edition) is not exsist for more than a 5 
>>> years.
>>> So is there no guide line for journaling part in XFS? How can i get 
>>> them,, have I to buy them? or Is Analysing Source Cord only way to 
>>> study?
>> The journal only contains in flight transactional metadata for 
>> recovery purposes after a system crash or power loss, to prevent filesystem, 
>> i.e.
>> metadata, corruption. The journal does not contain file data. During 
>> normal operation, once the metadata has been written into an 
>> allocation group the transactional entry in the journal is removed. 
>> Thus, recovering deleted files has nothing to do with the journal.
>> This may be helpful:
>> http://xfs.org/index.php/XFS_FAQ#Q:_Does_the_filesystem_have_an_undel
>> ete_capability.3F


xfs mailing list
<Prev in Thread] Current Thread [Next in Thread>