Recovering UFS2 content via Sleuthkit

Paul Mather paul at gromit.dlib.vt.edu
Tue May 24 17:27:29 GMT 2005


Has anyone managed successfully to recover deleted file content using,
say, Sleuthkit, or is deleted UFS2 content recovery not feasible (aside
from sifting manually with a disk sector editor)?

I tried Sleuthkit from the ports collection, and although I can find
deleted content using it, it's not possible to recover that content
because too much important information has been lost from the inode:
specifically, although information like the owner and timestamp
information appears to be preserved, vital data such as the size, direct
blocks, etc. are all zeroed, rendering the deleted content unreachable
(or, rather, reducing the problem back to a manual search).

So, am I right in thinking that even if the inodes and blocks belonging
to a deleted file have not yet been reallocated or used again, it's
still not feasible to recover the deleted content easily because of the
data loss inflicted upon the deleted file's inode(s)?  In other words,
that the only data recovery possible is via manual means (searching for
signatures and trying to piece together fragments)?

Also, I wonder why some, but not all, information is scrubbed when a
file becomes deleted (especially information in the inode).

Cheers,

Paul.

PS: Please Cc: me on replies, as I'm not subscribed to this list.
-- 
e-mail: paul at gromit.dlib.vt.edu

"Without music to decorate it, time is just a bunch of boring production
 deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa


More information about the freebsd-fs mailing list
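
The inode state described in the message above can be checked directly. This added example is not part of the original post and is not Sleuthkit code: it parses one 256-byte on-disk UFS2 inode and reports whether the size and block pointers survive, which decides between pointer-based recovery and signature searching. It assumes the field offsets of FreeBSD's `struct ufs2_dinode` and little-endian byte order; `triage_inode` and `build_sample` are hypothetical names, and the sample inodes are constructed.

```python
import struct
from datetime import datetime, timezone

# Assumption: layout follows FreeBSD's struct ufs2_dinode (ufs/ufs/dinode.h),
# 256 bytes, little-endian. Verify offsets against the target system's header.
DINODE_SIZE = 256
# mode, nlink, uid, gid, blksize, size, blocks, atime, mtime, ctime, birthtime
HEAD = struct.Struct("<HhIIIQQqqqq")
DB_OFF, NDADDR = 112, 12   # di_db[12]: direct block pointers
IB_OFF, NIADDR = 208, 3    # di_ib[3]: indirect block pointers


def triage_inode(raw):
    """Report which fields of one on-disk UFS2 inode still hold data."""
    if len(raw) != DINODE_SIZE:
        raise ValueError("expected a 256-byte UFS2 inode")
    (mode, nlink, uid, gid, _blksize, size, blocks,
     _atime, mtime, _ctime, _btime) = HEAD.unpack_from(raw, 0)
    direct = struct.unpack_from(f"<{NDADDR}q", raw, DB_OFF)
    indirect = struct.unpack_from(f"<{NIADDR}q", raw, IB_OFF)
    pointers = [p for p in direct + indirect if p != 0]
    return {
        "uid": uid, "gid": gid, "mode": mode, "nlink": nlink,
        "mtime": datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat(),
        "size": size, "blocks": blocks, "pointers": pointers,
        # Following the inode to the data needs a length and block addresses.
        "recoverable_via_pointers": size > 0 and bool(pointers),
    }


def build_sample(size, direct_blocks, uid=1001, when=1116900000):
    """Build a constructed inode image; values are illustrative, not from a disk."""
    raw = bytearray(DINODE_SIZE)
    HEAD.pack_into(raw, 0, 0o100644, 0, uid, uid, 0, size, 0,
                   when, when, when, when)
    padded = list(direct_blocks) + [0] * (NDADDR - len(direct_blocks))
    struct.pack_into(f"<{NDADDR}q", raw, DB_OFF, *padded)
    return bytes(raw)


if __name__ == "__main__":
    # Intact inode versus one with size and pointers zeroed, as in the post.
    for label, raw in (("intact", build_sample(20480, [4096, 4104])),
                       ("zeroed", build_sample(0, []))):
        info = triage_inode(raw)
        print(label, info["uid"], info["mtime"], info["size"],
              info["pointers"], info["recoverable_via_pointers"])
```

An inode that reports an owner and timestamps but `recoverable_via_pointers` as false matches the situation in the message: the metadata shows a file existed, but its blocks can only be located by searching unallocated space.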