Date: Thu, 6 Feb 2014 08:20:32 -0500 From: Felipe Monteiro de Carvalho <felipemonteiro.carvalho@gmail.com> To: freebsd-fs@freebsd.org Subject: Recovering deleted file, strange structure Message-ID: <CACyNnZN%2B10U=aTO-y1kLv3_3Z7J2HZ4TYMrp9fewJ=XNYSZEyQ@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hello, I am implementing a software to recover deleted files in UFS-1/2. Right now I am first focusing in UFS-2, so I created a partition, added some files, deleted a file, and then added more files. The name of the file (10MB_88.bin) completely vanished from the disk image, and it's inode and dir entry were also overwritten. But I found this strange place in the disk where I can clearly see references to the first and following block fragments of the disk ($B0 12 00 00 00 00 00 00), see this screenshot here: http://imageshack.com/a/img546/3399/o1lz.png But what kind of section/structure is this? I am reading the source code of FreeBSD UFS driver, and I attempted to compare to the structs there, but nothing seams to match ... each $20 bytes we have a new record with a reference to a block fragment. I tried to compare to the ufs_cylinder_group but it doesn't match ... so any ideas which struct / place in the source code is utilized to create this structure? thank you very much =) -- Felipe Monteiro de Carvalho
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACyNnZN%2B10U=aTO-y1kLv3_3Z7J2HZ4TYMrp9fewJ=XNYSZEyQ>