From: Stan Hoeppner <stan@hardwarefreak.com>
To: Shaun Gosse <sgosse@sgi.com>, Yongmin <dev.yongmin@gmail.com>,
"xfs@oss.sgi.com" <xfs@oss.sgi.com>
Subject: Re: Hello, I have a question about XFS File System
Date: Fri, 07 Mar 2014 20:22:09 -0600 [thread overview]
Message-ID: <531A7ED1.2050403@hardwarefreak.com> (raw)
In-Reply-To: <8D3FA7645C1CFC4E9E783D22B4C708647305E1F5@P-EXMB2-DC21.corp.sgi.com>
On 3/7/2014 4:40 PM, Shaun Gosse wrote:
> Stan,
>
> If I understand what you're saying here correctly, it sounds like
> there would still be a very tiny window where the journal could be
> relevant, those "few seconds" before it's committed as you said. So
> it would be a rather small corner case, but there might be some use.
> And I think it was already stated to be an academic project...
It could be in the log for milliseconds, many minutes, hours, or even
days, or months, depending on the rate of metadata write activity. XFS
is still primarily for "large and lots". Most organizations using XFS
probably don't have idle journal logs, but very active ones.
> This does makes me curious in turn about how difficult it would be to
> recover journal entries. At a guess, if a person knows the structure
> and it hasn't been overwritten, it'll still be there? Or is it
> automatically overwritten/zero'd when the entry is removed from the
> journal, perhaps as the very mechanism of removal? And presumably
> this window, if any, would also be rather small assuming an active
> filesystem (and an inactive one presumably irrelevant...unless,
> perhaps, it was one where the last action, arbitrarily long ago, was
> a critical delete operation...).
How often are forensics experts brought in within minutes, hours, or
days of an incident of such magnitude prompting them to be hired?
Forensics is typically performed long after the fact, in which case
there's almost zero chance any relevant information will be in the
filesystem journal.
--
Stan
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2014-03-08 2:22 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-06 9:15 Hello, I have a question about XFS File System Yongmin
2014-03-06 20:30 ` Stan Hoeppner
[not found] ` <279D0A265E5D4AF5B099BFAD4E8B1700@gmail.com>
2014-03-07 22:19 ` Stan Hoeppner
2014-03-07 22:40 ` Shaun Gosse
2014-03-08 2:22 ` Stan Hoeppner [this message]
2014-03-07 23:09 ` Dave Chinner
2014-03-08 0:38 ` Greg Freemyer
2014-03-09 0:28 ` Dave Chinner
2014-03-10 17:53 ` Jay Ashworth
2014-03-08 2:08 ` Stan Hoeppner
2014-03-08 3:24 ` Eric Sandeen
2014-03-06 22:59 ` Dave Chinner
2014-03-07 2:23 ` Jeff Liu
2014-03-07 4:19 ` Dave Chinner
2014-03-07 5:23 ` Jeff Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=531A7ED1.2050403@hardwarefreak.com \
--to=stan@hardwarefreak.com \
--cc=dev.yongmin@gmail.com \
--cc=sgosse@sgi.com \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).