Recovering deleted file, strange structure
Felipe Monteiro de Carvalho
felipemonteiro.carvalho at gmail.com
Thu Feb 6 13:20:34 UTC 2014
Hello,
I am implementing a software to recover deleted files in UFS-1/2.
Right now I am first focusing in UFS-2, so I created a partition,
added some files, deleted a file, and then added more files.
The name of the file (10MB_88.bin) completely vanished from the disk
image, and it's inode and dir entry were also overwritten.
But I found this strange place in the disk where I can clearly see
references to the first and following block fragments of the disk ($B0
12 00 00 00 00 00 00), see this screenshot here:
http://imageshack.com/a/img546/3399/o1lz.png
But what kind of section/structure is this? I am reading the source
code of FreeBSD UFS driver, and I attempted to compare to the structs
there, but nothing seams to match ... each $20 bytes we have a new
record with a reference to a block fragment.
I tried to compare to the ufs_cylinder_group but it doesn't match ...
so any ideas which struct / place in the source code is utilized to
create this structure?
thank you very much =)
--
Felipe Monteiro de Carvalho
More information about the freebsd-fs
mailing list