On 3/7/2014 4:40 PM, Shaun Gosse wrote:
> If I understand what you're saying here correctly, it sounds like
> there would still be a very tiny window where the journal could be
> relevant, those "few seconds" before it's committed as you said. So
> it would be a rather small corner case, but there might be some use.
> And I think it was already stated to be an academic project...
It could be in the log for milliseconds, many minutes, hours, or even
days, or months, depending on the rate of metadata write activity. XFS
is still primarily for "large and lots". Most organizations using XFS
probably don't have idle journal logs, but very active ones.
> This does makes me curious in turn about how difficult it would be to
> recover journal entries. At a guess, if a person knows the structure
> and it hasn't been overwritten, it'll still be there? Or is it
> automatically overwritten/zero'd when the entry is removed from the
> journal, perhaps as the very mechanism of removal? And presumably
> this window, if any, would also be rather small assuming an active
> filesystem (and an inactive one presumably irrelevant...unless,
> perhaps, it was one where the last action, arbitrarily long ago, was
> a critical delete operation...).
How often are forensics experts brought in within minutes, hours, or
days of an incident of such magnitude prompting them to be hired?
Forensics is typically performed long after the fact, in which case
there's almost zero chance any relevant information will be in the