Discussion:
Recovery of deleted files/directories
Felipe Monteiro de Carvalho
2014-08-07 13:41:57 UTC
Permalink
But di_mode in particular is a key element as I am using it to
differentiate files from directories.
In general you can't rely on on-disk data once the inode has been freed.
Perhaps you should start a new thread with some kind of write up about
what you're trying to accomplish and how you're going about it.
Yes, I know it is unreliable, and that's OK for me. I'm satisfied in
having a best effort solution which works often, it does not have to
be fully reliable.

What I am trying to accomplish is quite simple: Recover as many
deleted files in a XFS partition as possible. For example if someone
deletes a file by mistake, how to get it back?

And the current place where I got stuck is exactly the post-xfs_ifree
inode, specifically deciding if the inode is a directory or a file. In
my hex editor I see that all the information is still there, it would
be a petty to give up when so little is missing.

That di_format is overwritten is a big problem too, but I think I can
work around it by trying each format and choose the best result from
all tries.

Also, I just noticed that di_size is also overwritten ... which will
be very bad for file recovery.

But knowing if the inode is a file or a directory is the most pressing issue.

For a better illustration, here is the data I see for a directory
(xfs_del is the deleted, xfs_orig is before delete):

Loading Image...

And the same for a file:

Loading Image...

Well, it might be that what I want to do is impossible, but I just I
might ask in case anyone knows any other way to differentiate a file
from a directory, if at least this information is present I could
somehow work around the other issues.

thanks,
--
Felipe Monteiro de Carvalho
Eric Sandeen
2014-08-07 14:45:43 UTC
Permalink
Post by Felipe Monteiro de Carvalho
But di_mode in particular is a key element as I am using it to
differentiate files from directories.
In general you can't rely on on-disk data once the inode has been freed.
Perhaps you should start a new thread with some kind of write up about
what you're trying to accomplish and how you're going about it.
Yes, I know it is unreliable, and that's OK for me. I'm satisfied in
having a best effort solution which works often, it does not have to
be fully reliable.
What I am trying to accomplish is quite simple: Recover as many
deleted files in a XFS partition as possible. For example if someone
deletes a file by mistake, how to get it back?
Do you have a link to the project you're working on? Is it an open
source tool?

There's another tool out there already called "xfs_irecover" which
looks for any inode anywhere on disk, and tries to copy back out any
data that it points to, deleted or not. It could use some love.

Thanks,
-Eric
Felipe Monteiro de Carvalho
2014-08-08 08:54:18 UTC
Permalink
Post by Eric Sandeen
Do you have a link to the project you're working on? Is it an open
source tool?
At the moment its only local in my computer, I'm first trying to get
it to work and afterwards think about what to do with it...
Post by Eric Sandeen
There's another tool out there already called "xfs_irecover" which
looks for any inode anywhere on disk, and tries to copy back out any
data that it points to, deleted or not. It could use some love.
Nice! So indeed it's possible =) From what I could understand it looks
like that it recovers only file, not really directories, and it seams
to suppose that the files have format extent, so I suppose that it
won't work with very small files (with local data in the inode) and
neither will work in files with format btree.

Still, it should be able to recover most files I guess that local and
btree formats are less commonly found.
--
Felipe Monteiro de Carvalho
Continue reading on narkive:
Loading...