If I understand what you're saying here correctly, it sounds like there would
still be a very tiny window where the journal could be relevant, those "few
seconds" before it's committed as you said. So it would be a rather small
corner case, but there might be some use. And I think it was already stated to
be an academic project...
This does makes me curious in turn about how difficult it would be to recover
journal entries. At a guess, if a person knows the structure and it hasn't been
overwritten, it'll still be there? Or is it automatically overwritten/zero'd
when the entry is removed from the journal, perhaps as the very mechanism of
removal? And presumably this window, if any, would also be rather small
assuming an active filesystem (and an inactive one presumably
irrelevant...unless, perhaps, it was one where the last action, arbitrarily
long ago, was a critical delete operation...).
From: xfs-bounces@xxxxxxxxxxx [mailto:xfs-bounces@xxxxxxxxxxx] On Behalf Of
Sent: Friday, March 07, 2014 4:20 PM
To: Yongmin; xfs@xxxxxxxxxxx
Subject: Re: Hello, I have a question about XFS File System
Please reply to the mailing list as well as the individual.
Note that you stated:
'...the concentrated part of mine is "Deleted File Recovery"'
On 3/6/2014 10:02 PM, Yongmin wrote:
> Yes! there are no actual file data in journaling part.
> BUT, by analyzing journaling part, we can get a Inode Core Information which
> was deleted.
> In Inode Core, there are many information about the actual data, i.e. start
> address, file length etc.
Analyzing the journal code may inform you about structures, but it won't inform
you about on disk locations of the structures and how to find them. If a file
has been deleted, no information about that is going to exist in the journal
for more than a few seconds before the transaction is committed and the entry
removed from the journal.
> By using those information, Recovering delete file can be done.
> So the analysis of Journaling part is absolutely needed.
I disagree. Again, the journal log is unrelated to "deleted file recovery" in
a forensics scenario.
I think Dave and Jeff both missed the fact that you're interested only in
deleted file recovery, not in learning how the journal works for the sake of
learning how the journal works.
> from Yongmin Park
> On 2014ë 3ì 7ì Friday at ìì 5:30, Stan Hoeppner wrote:
>> On 3/6/2014 3:15 AM, Yongmin wrote:
>>> My name is Yongmin Park and I am a graduated student in Ajou
>>> University (Korea). My research area is Digital Forensics. And this
>>> time i tried to understand the structure of XFS file system, because
>>> XFS is one of the famous huge file system in these days.
>>> I already founded and read 'XFS Filesystem Structure 2nd Edition
>>> Revision 1' on the Internet, which was written by Silicon Graphics
>>> Inc in 2006 and it is really well written to understand.
>>> But the concentrated part of mine is "Deleted File Recovery", so the
>>> Journaling part is really important for me,, but regretfully there
>>> are no specific guide line about Journaling part... Also next
>>> version(maybe the 3re Edition) is not exsist for more than a 5
>>> So is there no guide line for journaling part in XFS? How can i get
>>> them,, have I to buy them? or Is Analysing Source Cord only way to
>> The journal only contains in flight transactional metadata for
>> recovery purposes after a system crash or power loss, to prevent filesystem,
>> metadata, corruption. The journal does not contain file data. During
>> normal operation, once the metadata has been written into an
>> allocation group the transactional entry in the journal is removed.
>> Thus, recovering deleted files has nothing to do with the journal.
>> This may be helpful:
xfs mailing list