From: Paul Mather
To: freebsd-fs@freebsd.org
Date: Tue, 24 May 2005 13:27:18 -0400
Message-Id: <1116955638.48224.27.camel@zappa.Chelsea-Ct.Org>
Subject: Recovering UFS2 content via Sleuthkit

Has anyone managed successfully to recover deleted file content using, say, Sleuthkit, or is deleted UFS2 content recovery not feasible (aside from sifting manually with a disk sector editor)?

I tried Sleuthkit from the ports collection, and although I can find deleted content using it, it's not possible to recover that content because too much important information has been lost from the inode: specifically, although information like the owner and timestamp information appears to be preserved, vital data such as the size, direct blocks, etc. are all zeroed, rendering the deleted content unreachable (or, rather, reducing the problem back to a manual search).

So, am I right in thinking that even if the inodes and blocks belonging to a deleted file have not yet been reallocated or used again, it's still not feasible to recover the deleted content easily because of the data loss inflicted upon the deleted file's inode(s)? In other words, that the only data recovery possible is via manual means (searching for signatures and trying to piece together fragments)?

Also, I wonder why some, but not all, information is scrubbed when a file becomes deleted (especially information in the inode).

Cheers,

Paul.

PS: Please Cc: me on replies, as I'm not subscribed to this list.
--
e-mail: paul@gromit.dlib.vt.edu

"Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa
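
The inode state described in the message can be checked mechanically. The following is an added example, not part of the original post and not Sleuthkit code: it parses a raw 256-byte UFS2 on-disk inode (field offsets from FreeBSD's `struct ufs2_dinode`) and reports whether the size and block pointers needed to follow the content survive. Little-endian byte order, the function names and the two sample inodes are assumptions constructed for illustration.

```python
import struct

# Layout of FreeBSD's on-disk struct ufs2_dinode (256 bytes). Little-endian
# byte order is an assumption (UFS2 metadata is stored in host byte order).
DINODE_SIZE = 256
HEAD = struct.Struct("<HhIIIQQqqqq")  # mode nlink uid gid blksize size blocks atime mtime ctime birthtime
PTRS = struct.Struct("<15q")          # di_db[12] followed by di_ib[3]
PTRS_OFFSET = 112                     # after the 64-byte head, nsec/gen/flags words and di_extb[2]


def triage_inode(raw):
    """Report which fields of one unallocated UFS2 inode survived deletion."""
    if len(raw) != DINODE_SIZE:
        raise ValueError("expected a 256-byte UFS2 inode")
    (_mode, _nlink, uid, gid, _blksize, size, _blocks,
     _atime, mtime, ctime, _birth) = HEAD.unpack_from(raw, 0)
    ptrs = PTRS.unpack_from(raw, PTRS_OFFSET)
    direct = [p for p in ptrs[:12] if p]
    indirect = [p for p in ptrs[12:] if p]
    has_map = bool(direct or indirect)
    return {
        "uid": uid, "gid": gid, "mtime": mtime, "ctime": ctime,
        "size": size, "direct": direct, "indirect": indirect,
        # Content can be followed from the inode only if size and pointers remain.
        "block_map_intact": size > 0 and has_map,
        # The state described in the post: owner/timestamps kept, size and pointers zeroed.
        "metadata_only": size == 0 and not has_map and any((uid, mtime, ctime)),
    }


def make_inode(uid, size, mtime, direct=()):
    """Build a constructed sample inode (hypothetical helper, for the demo only)."""
    raw = bytearray(DINODE_SIZE)
    # mode/nlink are left at 0; di_blocks is a made-up sector count.
    HEAD.pack_into(raw, 0, 0, 0, uid, uid, 0, size, 32 * len(direct),
                   mtime, mtime, mtime, mtime)
    PTRS.pack_into(raw, PTRS_OFFSET, *(list(direct) + [0] * (15 - len(direct))))
    return bytes(raw)


# Constructed samples: one inode with its block map, one scrubbed as in the post.
INTACT = make_inode(uid=1001, size=20000, mtime=1116955638, direct=(4120, 4128))
SCRUBBED = make_inode(uid=1001, size=0, mtime=1116955638)

if __name__ == "__main__":
    for name, raw in (("intact", INTACT), ("scrubbed", SCRUBBED)):
        r = triage_inode(raw)
        print(name, "size=%d direct=%s map_intact=%s metadata_only=%s"
              % (r["size"], r["direct"], r["block_map_intact"], r["metadata_only"]))
```

Feed it the raw 256-byte records of inodes the file system marks unallocated; allocation state itself comes from the cylinder-group bitmaps, which this example does not read.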