From: Martijn Lina
To: freebsd-security@freebsd.org
Cc: Thomas Beauchamp
Subject: Re: recovery from 'rm -rf /'
Date: Thu, 4 Oct 2001 13:22:56 +0200
Message-ID: <20011004132256.J28329@medialab.lostboys.nl>
References: <20011003223038.G28329@medialab.lostboys.nl> <64563.1002193406@axl.seasidesoftware.co.za>
In-Reply-To: <64563.1002193406@axl.seasidesoftware.co.za>

Once upon a 04-10-2001, Sheldon Hearn hit keys in the following order:
>
> > first of all, be sure that absolutely nothing is writing to the disk
> > anymore. the inodes that have been freed last, will be the first to be
> > used again.
>
> Are you sure about that?

Pretty sure. Wietse Venema said that in a Dr. Dobb's Journal article:

    For all intents and purposes, when you delete a file with "rm" it is
    gone. Once you "rm" a file, the system totally forgets which blocks
    scattered around the disk were part of your file. Even worse, the
    blocks from the file you just deleted are going to be the first ones
    taken and scribbled upon when the system needs more disk space.

http://www.ddj.com/articles/2000/0012/0012h/0012h.htm

I think it's because of better performance. If the system has no info about
which inodes are free to write to, it would have to look on the disc which
one can be used. If inodes are deleted, the system would benefit from
keeping references of those unallocated inodes in memory, so it wouldn't
have to look on the disc. Saves time...

Some other links to similar articles can be found here:
http://www.fish.com/forensics/

Just when I was in search of that article, I found tctutils, an extension
to Wietse's tct which might be useful:
http://www.cerias.purdue.edu/homes/carrier/forensics/

martijn
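The two points made in this thread, that "rm" only forgets the block list while the data stays on disk, and that the most recently freed blocks are the first ones handed out again, can be shown with a toy model. The following is an added example and is not code from the thread, from tct or from tctutils: it builds a hypothetical block device with a LIFO free list, deletes a file, carves the content back out of the raw image by searching for constructed start/end markers, and then shows that a single unrelated write after the deletion destroys the recoverable copy. The block size, file contents and markers are all constructed for the demonstration.

```python
# Added example (not from the mailing-list thread or any real tool): a toy
# filesystem whose free list is used LIFO, plus a signature-based carver that
# reads the raw image and ignores the (already forgotten) directory entry.

BLOCK_SIZE = 16  # constructed; real filesystems use 512 bytes or more


class ToyFilesystem:
    """Minimal allocator: a raw bytearray 'disk', a free list consumed from
    the end (so the last freed block is the first reused), and a directory
    that maps names to block lists.  rm() only drops the block list and
    returns the blocks to the free list; the bytes on disk are untouched."""

    def __init__(self, nblocks):
        self.disk = bytearray(nblocks * BLOCK_SIZE)
        # reversed so that pop() hands out block 0, 1, 2, ... on a fresh disk
        self.free = list(range(nblocks))[::-1]
        self.files = {}

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            b = self.free.pop()            # most recently freed block first
            start = b * BLOCK_SIZE
            self.disk[start:start + len(chunk)] = chunk
            blocks.append(b)
        self.files[name] = blocks
        return blocks

    def rm(self, name):
        # Forget the mapping; push the blocks onto the free list.  Nothing on
        # disk is zeroed, which is why carving still works right afterwards.
        self.free.extend(self.files.pop(name))


def carve(disk, start_marker, end_marker):
    """Scan the raw image for start_marker ... end_marker pairs and return
    every match.  This assumes the file was stored contiguously; a fragmented
    file needs the real block structures, which is what forensic toolkits use."""
    results = []
    pos = 0
    while True:
        s = disk.find(start_marker, pos)
        if s < 0:
            break
        e = disk.find(end_marker, s + len(start_marker))
        if e < 0:
            break
        results.append(bytes(disk[s:e + len(end_marker)]))
        pos = e + len(end_marker)
    return results


START = b"-----BEGIN NOTE-----"   # constructed markers
END = b"-----END NOTE-----"
SECRET = START + b"hello, world" + END   # 50 bytes -> occupies 4 blocks


def lifo_reuse():
    """Returns the block lists of a file, its deletion, and the next write:
    the freshly freed block is reused immediately."""
    fs = ToyFilesystem(4)
    first = fs.write("a", b"x" * BLOCK_SIZE)
    fs.rm("a")
    second = fs.write("b", b"y" * BLOCK_SIZE)
    return first, second


def recover_then_overwrite():
    """Delete a file, carve it back, then do one unrelated 48-byte write and
    carve again.  Returns (recovered_before_write, recovered_after_write)."""
    fs = ToyFilesystem(8)
    fs.write("note.txt", SECRET)
    fs.rm("note.txt")
    before = carve(fs.disk, START, END)     # directory forgot it; bytes remain
    fs.write("log.txt", b"X" * 48)           # lands on the just-freed blocks
    after = carve(fs.disk, START, END)      # marker is now partly clobbered
    return before, after


if __name__ == "__main__":
    print("LIFO reuse:", lifo_reuse())
    before, after = recover_then_overwrite()
    print("carved before any further write:", before)
    print("carved after one unrelated write:", after)
```

Run as-is, the script recovers the complete note from the raw image immediately after deletion and recovers nothing once a single 48-byte write has reused three of its four blocks; the surviving first block no longer carries a complete marker, so even a partial fragment is lost to a signature search. That is the practical reason for the advice in the thread: the window for recovery closes with the very next allocation, so stop all writes to the affected disk before doing anything else.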