[Top] [All Lists]

Re: Hello, I have a question about XFS File System

To: Dave Chinner <david@xxxxxxxxxxxxx>
Subject: Re: Hello, I have a question about XFS File System
From: Greg Freemyer <greg.freemyer@xxxxxxxxx>
Date: Fri, 7 Mar 2014 19:38:15 -0500
Cc: Stan Hoeppner <stan@xxxxxxxxxxxxxxxxx>, Yongmin <dev.yongmin@xxxxxxxxx>, "xfs@xxxxxxxxxxx" <xfs@xxxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=jFawsfL3lanTqude/7D6VKdwEatKj33tyVvZGmDkAMw=; b=p+Njc6VDYlmzSZqnHmSfMSmhSR17cAF4nmjinUQl2QCwFl/d7wKRgPiKw9kEw5ERHp sohZGG0oLBXW5DRMdIHymeRDWlBfUYkYkYzV6pVCDYr5tlDQYlYP1QSxfKXCa+AhmFYg 7fWIbyQynxPb0ZtUuMNtztxio3DDnEeNTIg69lYeStLTinvr59Y41UvaADCyS31hZbBm x7+h+NKFw8ylJPtk03dDLhVOoxDzK42JEkNr5festlsqhsULl/KWevMciNFjxtRF51JX FcDf7usNEBmt142jN/OoLccPsj4BnDFZytr0aGE1Piwj0P5obSNKvxAQaOZRiD/VGG+C qU+g==
In-reply-to: <20140307230915.GS6851@dastard>
References: <195DE8C60CE24A62A71911FDE0B0DC97@xxxxxxxxx> <5318DB01.2040102@xxxxxxxxxxxxxxxxx> <279D0A265E5D4AF5B099BFAD4E8B1700@xxxxxxxxx> <531A4600.7050906@xxxxxxxxxxxxxxxxx> <20140307230915.GS6851@dastard>
On Fri, Mar 7, 2014 at 6:09 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote:
> On Fri, Mar 07, 2014 at 04:19:44PM -0600, Stan Hoeppner wrote:
>> Please reply to the mailing list as well as the individual.
>> Note that you stated:
>> '...the concentrated part of mine is "Deleted File Recovery"'
>> On 3/6/2014 10:02 PM, Yongmin wrote:
>> >
>> > Yes! there are no actual file data in journaling part.
>> >
>> > BUT, by analyzing journaling part, we can get a Inode Core Information 
>> > which was deleted.
>> > In Inode Core, there are many information about the actual data, i.e. 
>> > start address, file length etc.
>> Analyzing the journal code may inform you about structures, but it won't
>> inform you about on disk locations of the structures and how to find
>> them.  If a file has been deleted, no information about that is going to
>> exist in the journal for more than a few seconds before the transaction
>> is committed and the entry removed from the journal.
> Well, we don't actually "remove" information from the log. We update
> pointers that indicate what the active region is, but we never
> physically "remove" anything from it. IOWs, the information is in
> the journal until it wraps around and is over written by new
> checkpoints....
>> > By using those information, Recovering delete file can be done.
>> >
>> > So the analysis of Journaling part is absolutely needed.
>> I disagree.  Again, the journal log is unrelated to "deleted file
>> recovery" in a forensics scenario.
>> I think Dave and Jeff both missed the fact that you're interested only
>> in deleted file recovery, not in learning how the journal works for the
>> sake of learning how the journal works.
> Oh, no, I saw it and didn't think it was worth commenting on. I
> think it's a brain-dead concept trying to do undelete in the
> filesystem. "recoverable delete" was a problem solved 30 years ago -
> it's commonly known as a trash bin and you do it in userspace with a
> wrapper around unlink that calls rename(2) instead. And then "empty
> trashbin" is what does the unlink and permanently deletes the files.

As a practicing forensicator, I can say "potentially recoverable
files" is a heavily used concept.

I don't know XFS on disk structure in detail, so I'll comment about
HFS+ and NTFS.

NTFS uses a simple linear on disk directory structure and inode (mft)
structure.  Forensic tools look at existing directory structures that
have directory entries marked invalid and they also scan the
unallocated space for directory remnants that were left behind from a
delete operation.  When either are found, they assume the data pointed
at is "potentially recoverable".

I think some tools also parse the NTFS journal, but it is a much less
useful mechanism.

Note that it is understood that the data pointed at by filesystem
remnants may have been overwritten by new data, so it is unreliable.

As a last resort, data carving tools equivalent to photorec are used.
Photorec depends on the files not being fragmented and also fails to
recover any filesystem metadata such as filenames, timestamps, etc.

Macs use HFS+ which uses a btree structure for the directory
structure.  I'm not aware of any forensic tool that attempts to look
for invalid directory remnants with HFS+.  Instead they go straight to
data carving.  It turns out with HFS+ the files are often not
fragmented, so data carving is very successful, but you still don't
get any filesystem metadata.

I believe XFS is similar to HFS+ in this sense.  Data carving would
likely have good results, but looking for filesystem metadata remnants
is a waste of time.  If I'm right, there is not really any research
needed on the deleted file recovery side.

At the same time, I'm not familiar with forensic tool, free or
commercial, that parses the XFS filesystem for live files and
filesystem metadata such as timestamps.  (I could be wrong, it is not
something I've had to research in the last few years.)

> Besides, from a conceptual point of view after-the-fact filesystem
> based undelete is fundamentally flawed. i.e.  the journal is a
> write-ahead logging journal and so can only be used to roll the
> filesystem state forwardi in time. Undelete requires having state
> and data in the journal that allows the filesystem to be rolled
> *backwards in time*. XFS simply does not record such information in
> the log and so parsing the log to "undelete files by transaction
> rollback" just doesn't work.

I suspect you are assuming the goal is "reliable undelete".  The
typical goal is the identification of potentially recoverable files.
I don't know if parsing the XFS journal can help with that.


<Prev in Thread] Current Thread [Next in Thread>