All of lore.kernel.org
 help / color / mirror / Atom feed
From: Stan Hoeppner <stan@hardwarefreak.com>
To: Yongmin <dev.yongmin@gmail.com>, "xfs@oss.sgi.com" <xfs@oss.sgi.com>
Subject: Re: Hello, I have a question about XFS File System
Date: Fri, 07 Mar 2014 16:19:44 -0600	[thread overview]
Message-ID: <531A4600.7050906@hardwarefreak.com> (raw)
In-Reply-To: <279D0A265E5D4AF5B099BFAD4E8B1700@gmail.com>

Please reply to the mailing list as well as the individual.

Note that you stated:

'...the concentrated part of mine is "Deleted File Recovery"'

On 3/6/2014 10:02 PM, Yongmin wrote:
> 
> Yes! there are no actual file data in journaling part.
> 
> BUT, by analyzing journaling part, we can get a Inode Core Information which was deleted.
> In Inode Core, there are many information about the actual data, i.e. start address, file length etc.

Analyzing the journal code may inform you about structures, but it won't
inform you about on disk locations of the structures and how to find
them.  If a file has been deleted, no information about that is going to
exist in the journal for more than a few seconds before the transaction
is committed and the entry removed from the journal.

> By using those information, Recovering delete file can be done.
> 
> So the analysis of Journaling part is absolutely needed.  

I disagree.  Again, the journal log is unrelated to "deleted file
recovery" in a forensics scenario.

I think Dave and Jeff both missed the fact that you're interested only
in deleted file recovery, not in learning how the journal works for the
sake of learning how the journal works.


> =======================
>         from Yongmin Park  
> =======================
> 
> 
> On 2014년 3월 7일 Friday at 오전 5:30, Stan Hoeppner wrote:
> 
>> On 3/6/2014 3:15 AM, Yongmin wrote:
>>>  
>>> Hello.
>>>  
>>> My name is Yongmin Park and I am a graduated student in Ajou
>>> University (Korea). My research area is Digital Forensics. And this
>>> time i tried to understand the structure of XFS file system, because
>>> XFS is one of the famous huge file system in these days.
>>>  
>>> I already founded and read 'XFS Filesystem Structure 2nd Edition
>>> Revision 1' on the Internet, which was written by Silicon Graphics
>>> Inc in 2006 and it is really well written to understand.
>>>  
>>> But the concentrated part of mine is "Deleted File Recovery", so the
>>> Journaling part is really important for me,, but regretfully there
>>> are no specific guide line about Journaling part... Also next
>>> version(maybe the 3re Edition) is not exsist for more than a 5
>>> years.
>>>  
>>> So is there no guide line for journaling part in XFS? How can i get
>>> them,, have I to buy them? or Is Analysing Source Cord only way to
>>> study?
>>>  
>>  
>>  
>> The journal only contains in flight transactional metadata for recovery
>> purposes after a system crash or power loss, to prevent filesystem, i.e.
>> metadata, corruption. The journal does not contain file data. During
>> normal operation, once the metadata has been written into an allocation
>> group the transactional entry in the journal is removed. Thus,
>> recovering deleted files has nothing to do with the journal.
>>  
>> This may be helpful:
>> http://xfs.org/index.php/XFS_FAQ#Q:_Does_the_filesystem_have_an_undelete_capability.3F


-- 
Stan

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

  parent reply	other threads:[~2014-03-07 22:19 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-03-06  9:15 Hello, I have a question about XFS File System Yongmin
2014-03-06 20:30 ` Stan Hoeppner
     [not found]   ` <279D0A265E5D4AF5B099BFAD4E8B1700@gmail.com>
2014-03-07 22:19     ` Stan Hoeppner [this message]
2014-03-07 22:40       ` Shaun Gosse
2014-03-08  2:22         ` Stan Hoeppner
2014-03-07 23:09       ` Dave Chinner
2014-03-08  0:38         ` Greg Freemyer
2014-03-09  0:28           ` Dave Chinner
2014-03-10 17:53             ` Jay Ashworth
2014-03-08  2:08         ` Stan Hoeppner
2014-03-08  3:24           ` Eric Sandeen
2014-03-06 22:59 ` Dave Chinner
2014-03-07  2:23   ` Jeff Liu
2014-03-07  4:19     ` Dave Chinner
2014-03-07  5:23       ` Jeff Liu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=531A4600.7050906@hardwarefreak.com \
    --to=stan@hardwarefreak.com \
    --cc=dev.yongmin@gmail.com \
    --cc=xfs@oss.sgi.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.