[Top] [All Lists]

Recovery of deleted files/directories

To: xfs@xxxxxxxxxxx
Subject: Recovery of deleted files/directories
From: Felipe Monteiro de Carvalho <felipemonteiro.carvalho@xxxxxxxxx>
Date: Thu, 7 Aug 2014 15:41:57 +0200
Delivered-to: xfs@xxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=JSe1XwPUNRCHSPCx+kCY2pR5A4ZxAHxwgrkip9FwzkA=; b=Py3UBJDi/EYLfGzaofsgsYV+4p3JUnhX3HpVUYBy+iZP/4MJ3lC8sBwyQdezfxMjkZ wtezzkazCVTAMKgclYJFfD1g5SPUYOp4uKArd9MGR+nyPQRjUNOLpp2l75ZtU4tKba8p 07A53H+3dqR9mQQ75zzy9Rln6G4eUmZQJqzcGoiPNe5drqRvy/gaJZ9LJ5221SmEGg+6 PNcNIifitPRamUY2US8rsTRU3OmhZnx4b6aWJPtDuQcb+o/WqcCMv+RUb0TsPUtKpM5D 7CNynwu7Pf82md8kJEH3zXhQVFukbHiBokGNIgwsyzlHdDKVSUIyhwN1P9QIo7Ruilki 8QpA==
On Thu, Aug 7, 2014 at 2:56 PM, Brian Foster <bfoster@xxxxxxxxxx> wrote:
>> But di_mode in particular is a key element as I am using it to
>> differentiate files from directories.
> In general you can't rely on on-disk data once the inode has been freed.
> Perhaps you should start a new thread with some kind of write up about
> what you're trying to accomplish and how you're going about it.

Yes, I know it is unreliable, and that's OK for me. I'm satisfied in
having a best effort solution which works often, it does not have to
be fully reliable.

What I am trying to accomplish is quite simple: Recover as many
deleted files in a XFS partition as possible. For example if someone
deletes a file by mistake, how to get it back?

And the current place where I got stuck is exactly the post-xfs_ifree
inode, specifically deciding if the inode is a directory or a file. In
my hex editor I see that all the information is still there, it would
be a petty to give up when so little is missing.

That di_format is overwritten is a big problem too, but I think I can
work around it by trying each format and choose the best result from
all tries.

Also, I just noticed that di_size is also overwritten ... which will
be very bad for file recovery.

But knowing if the inode is a file or a directory is the most pressing issue.

For a better illustration, here is the data I see for a directory
(xfs_del is the deleted, xfs_orig is before delete):


And the same for a file:


Well, it might be that what I want to do is impossible, but I just I
might ask in case anyone knows any other way to differentiate a file
from a directory, if at least this information is present I could
somehow work around the other issues.

Felipe Monteiro de Carvalho

<Prev in Thread] Current Thread [Next in Thread>