Re: [PATCH] xfs_db: add -R option

public inbox for linux-xfs@vger.kernel.org
 help / color / mirror / Atom feed

From: Dave Chinner <david@fromorbit.com>
To: hal@deer-run.com
Cc: Eric Sandeen <sandeen@sandeen.net>, linux-xfs@vger.kernel.org
Subject: Re: [PATCH] xfs_db: add -R option
Date: Wed, 9 May 2018 10:14:10 +1000	[thread overview]
Message-ID: <20180509001410.GM23861@dastard> (raw)
In-Reply-To: <20180508161353.GA18224@deer-run.com>

On Tue, May 08, 2018 at 11:13:53AM -0500, hal@deer-run.com wrote:
> > Hm, so this probably makes it possible that blockget will wander off
> > into inconsistencies and fail; there's a /reason/ for the check.  So
> > if anything this is probably best-effort.  I doubt you can rely on
> > blockget even completing without error, let alone being correct.  In
> > that case, is it still useful to you?
> 
> I've been testing a modified version of xfs_db on live file systems
> and dirty image files, and I have yet to have blockget fail. I agree
> that it's certainly possible for blockget to blow up under these
> circumstances, but it's working often enough to be useful.

That's a slippery slope.

IMO, the only thing worse than not having a forensic tool for a
specific job is having a forensic tool provided by a trusted toolkit
whose results are unreliable and cannot be trusted....

> > What sort of information do you hope to gather after running
> > blockget without a replay?
> 
> Suppose I can match a string or magic number for a file of interest
> at a specific byte offset in the file system image. A little arithmetic
> and I have a daddr value. xfs_db let's me convert that to an fsblock
> and then call blockuse -n to get the inode and file path. I've tried
> it, and it works with my modifed xfs_db.

There are so many ways that can go wrong on a live filesystem.
Regardless of whether you've personally seen it go wrong, it's still
not a reliable method of information extraction. And we know that
there's every chance that xfs_db will stumble on something
unexpected in a live filesystem traversal and just crash.

FWIW, blockuse -n also requires a full filesystem scan to find the
file path (i.e. via blockget -n). That can take a long time, affect
anything that is running on the machine at the time. And by the time
it's all done, there's no guarantee the path it comes up will be
valid or correct....

What you are trying to do - offset/block to owner path lookups on
live filesystems - is something that the FSMAP ioctl and the
upcoming parent pointer functionality will solve.....

> Until we get XFS support into libsleuthkit (which I'm working towards,
> but it's going to be a while), having this functionality lets me
> use xfs_db as a forensic tool. And it also lets me use xfs_db to
> validate other forensic tools.

I'd suggest, in that case, that you limit it's use to off-line or
read-only snapshots of online filesystems? This would mean that the
results of xfs_db operations (while eceedingly slow) will be
reliable.

Cheers,

Dave.

-- 
Dave Chinner
david@fromorbit.com

     prev parent reply	other threads:[~2018-05-09  0:14 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-04 14:02 [PATCH] xfs_db: add -R option hal
2018-05-04 15:32 ` Darrick J. Wong
2018-05-07 11:35   ` hal
2018-05-07 12:56     ` hal
2018-05-08  1:21       ` Darrick J. Wong
2018-05-08 13:55 ` Eric Sandeen
2018-05-08 16:13   ` hal
2018-05-08 16:27     ` Eric Sandeen
2018-05-08 16:43       ` hal
2018-05-08 16:58         ` Darrick J. Wong
2018-05-09  0:14     ` Dave Chinner [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180509001410.GM23861@dastard \
    --to=david@fromorbit.com \
    --cc=hal@deer-run.com \
    --cc=linux-xfs@vger.kernel.org \
    --cc=sandeen@sandeen.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox