RE: Hello, I have a question about XFS File System

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Stan,

If I understand what you're saying here correctly, it sounds like there would still be a very tiny window where the journal could be relevant, those "few seconds" before it's committed as you said. So it would be a rather small corner case, but there might be some use. And I think it was already stated to be an academic project...

This does makes me curious in turn about how difficult it would be to recover journal entries. At a guess, if a person knows the structure and it hasn't been overwritten, it'll still be there? Or is it automatically overwritten/zero'd when the entry is removed from the journal, perhaps as the very mechanism of removal? And presumably this window, if any, would also be rather small assuming an active filesystem (and an inactive one presumably irrelevant...unless, perhaps, it was one where the last action, arbitrarily long ago, was a critical delete operation...).

Cheers,
-Shaun

-----Original Message-----
From: xfs-bounces@xxxxxxxxxxx [mailto:xfs-bounces@xxxxxxxxxxx] On Behalf Of Stan Hoeppner
Sent: Friday, March 07, 2014 4:20 PM
To: Yongmin; xfs@xxxxxxxxxxx
Subject: Re: Hello, I have a question about XFS File System

Please reply to the mailing list as well as the individual.

Note that you stated:

'...the concentrated part of mine is "Deleted File Recovery"'

On 3/6/2014 10:02 PM, Yongmin wrote:
> 
> Yes! there are no actual file data in journaling part.
> 
> BUT, by analyzing journaling part, we can get a Inode Core Information which was deleted.
> In Inode Core, there are many information about the actual data, i.e. start address, file length etc.

Analyzing the journal code may inform you about structures, but it won't inform you about on disk locations of the structures and how to find them.  If a file has been deleted, no information about that is going to exist in the journal for more than a few seconds before the transaction is committed and the entry removed from the journal.

> By using those information, Recovering delete file can be done.
> 
> So the analysis of Journaling part is absolutely needed.  

I disagree.  Again, the journal log is unrelated to "deleted file recovery" in a forensics scenario.

I think Dave and Jeff both missed the fact that you're interested only in deleted file recovery, not in learning how the journal works for the sake of learning how the journal works.


> =======================
>         from Yongmin Park
> =======================
> 
> 
> On 2014년 3월 7일 Friday at 오전 5:30, Stan Hoeppner wrote:
> 
>> On 3/6/2014 3:15 AM, Yongmin wrote:
>>>  
>>> Hello.
>>>  
>>> My name is Yongmin Park and I am a graduated student in Ajou 
>>> University (Korea). My research area is Digital Forensics. And this 
>>> time i tried to understand the structure of XFS file system, because 
>>> XFS is one of the famous huge file system in these days.
>>>  
>>> I already founded and read 'XFS Filesystem Structure 2nd Edition 
>>> Revision 1' on the Internet, which was written by Silicon Graphics 
>>> Inc in 2006 and it is really well written to understand.
>>>  
>>> But the concentrated part of mine is "Deleted File Recovery", so the 
>>> Journaling part is really important for me,, but regretfully there 
>>> are no specific guide line about Journaling part... Also next 
>>> version(maybe the 3re Edition) is not exsist for more than a 5 
>>> years.
>>>  
>>> So is there no guide line for journaling part in XFS? How can i get 
>>> them,, have I to buy them? or Is Analysing Source Cord only way to 
>>> study?
>>>  
>>  
>>  
>> The journal only contains in flight transactional metadata for 
>> recovery purposes after a system crash or power loss, to prevent filesystem, i.e.
>> metadata, corruption. The journal does not contain file data. During 
>> normal operation, once the metadata has been written into an 
>> allocation group the transactional entry in the journal is removed. 
>> Thus, recovering deleted files has nothing to do with the journal.
>>  
>> This may be helpful:
>> http://xfs.org/index.php/XFS_FAQ#Q:_Does_the_filesystem_have_an_undel
>> ete_capability.3F


--
Stan

_______________________________________________
xfs mailing list
xfs@xxxxxxxxxxx
http://oss.sgi.com/mailman/listinfo/xfs
_______________________________________________
xfs mailing list
xfs@xxxxxxxxxxx
http://oss.sgi.com/mailman/listinfo/xfs





[Index of Archives]     [Linux XFS Devel]     [Linux Filesystem Development]     [Filesystem Testing]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux