From owner-freebsd-fs@FreeBSD.ORG Sat Feb 22 07:49:13 2014 Return-Path: Delivered-To: freebsd-fs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CFF9C98F for ; Sat, 22 Feb 2014 07:49:13 +0000 (UTC) Received: from mail-pa0-x232.google.com (mail-pa0-x232.google.com [IPv6:2607:f8b0:400e:c03::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id A80291C07 for ; Sat, 22 Feb 2014 07:49:13 +0000 (UTC) Received: by mail-pa0-f50.google.com with SMTP id kp14so4401086pab.23 for ; Fri, 21 Feb 2014 23:49:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=cP7p2huCI7A8vwgRP+1nnf/MzJx8E3gjTfXrWkRdhig=; b=uJYEZQOdNlcndPOtN3KwT45Pd9aujEYqfgjOPtqsT+HiCDJj2qXftOTVMOS9AIXJsw /rZlHYW576PSNUKZVDgpp0Jj4lWiq3Mlfjq/DPntANdryVyC1csSBGzpOu8GyeIG0Hck 1Rgj/eYCCfH2nWn0pLAzlpYfUmzfLXbjbPgWL5ib/NtHYRAbbGEQQrQqiLuJeOTpLF0s CQwyzw9dn7Fv+3uO/IgitKsnuYYhhzeLmCaU5PlmFgNG3vQqneE4B2JoJZI1Y0vsVNnx DZjb3mrTk/or6bkXuel53bBpZ2J1BV8+TTuY9KpLykvEQWST1ap6t6V+H1fWSbzjsxz9 SfGw== MIME-Version: 1.0 X-Received: by 10.69.19.139 with SMTP id gu11mr13743522pbd.149.1393055352753; Fri, 21 Feb 2014 23:49:12 -0800 (PST) Received: by 10.66.27.75 with HTTP; Fri, 21 Feb 2014 23:49:12 -0800 (PST) In-Reply-To: References: Date: Sat, 22 Feb 2014 08:49:12 +0100 Message-ID: Subject: Re: Recovering deleted file, strange structure From: Felipe Monteiro de Carvalho To: freebsd-fs@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Feb 2014 07:49:13 -0000 Hello, Really no ideas what this structure is? =( thanks, Felipe Monteiro de Carvalho On Thu, Feb 6, 2014 at 2:20 PM, Felipe Monteiro de Carvalho wrote: > Hello, > > I am implementing a software to recover deleted files in UFS-1/2. > Right now I am first focusing in UFS-2, so I created a partition, > added some files, deleted a file, and then added more files. > > The name of the file (10MB_88.bin) completely vanished from the disk > image, and it's inode and dir entry were also overwritten. > > But I found this strange place in the disk where I can clearly see > references to the first and following block fragments of the disk ($B0 > 12 00 00 00 00 00 00), see this screenshot here: > > http://imageshack.com/a/img546/3399/o1lz.png > > But what kind of section/structure is this? I am reading the source > code of FreeBSD UFS driver, and I attempted to compare to the structs > there, but nothing seams to match ... each $20 bytes we have a new > record with a reference to a block fragment. > > I tried to compare to the ufs_cylinder_group but it doesn't match ... > so any ideas which struct / place in the source code is utilized to > create this structure? > > thank you very much =) > -- > Felipe Monteiro de Carvalho -- Felipe Monteiro de Carvalho