124 lines
3.7 KiB
Groff
124 lines
3.7 KiB
Groff
|
.\"
|
||
|
.\" Copyright (c) 2023 Thomas Lindner <tom@dl6tom.de>
|
||
|
.\"
|
||
|
.\" Permission to use, copy, modify, and distribute this software for any
|
||
|
.\" purpose with or without fee is hereby granted, provided that the above
|
||
|
.\" copyright notice and this permission notice appear in all copies.
|
||
|
.\"
|
||
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||
|
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||
|
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||
|
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||
|
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||
|
.\"
|
||
|
.Dd February 15, 2023
|
||
|
.Dt DUMP_INODE 8
|
||
|
.Os
|
||
|
.Sh NAME
|
||
|
.Nm dump_inode
|
||
|
.Nd recover deleted files from UFS/UFS2 filesystems
|
||
|
.Sh SYNOPSIS
|
||
|
.Nm dump_inode
|
||
|
.Op Fl ad
|
||
|
.Op Fl i Ar inode
|
||
|
.Op Fl o Ar outputfile
|
||
|
.Ar partition
|
||
|
.Sh DESCRIPTION
|
||
|
.Nm
|
||
|
allows recovery of deleted files by inspecting the inode table, listing of
|
||
|
deleted entries in a directory and dumping of data belonging to an inode.
|
||
|
.Pp
|
||
|
Generally, you would
|
||
|
.Xr umount 8
|
||
|
a filesystem from which you want to recover a deleted file, to avoid
|
||
|
overwriting data.
|
||
|
However, to recover a file with
|
||
|
.Nm
|
||
|
it is required that there is still a process that has the file open, to avoid
|
||
|
that the size and block numbers in the inode are cleared.
|
||
|
Therefore, it is necessary to keep the filesystem mounted.
|
||
|
.Pp
|
||
|
The options are as follows:
|
||
|
.Bl -tag -width Ds
|
||
|
.It Fl a
|
||
|
Iterate over the whole inode table.
|
||
|
Conflicts with
|
||
|
.Fl i Ar inode .
|
||
|
.It Fl d
|
||
|
List directory entries.
|
||
|
Tries to also list deleted entries.
|
||
|
.It Fl i Ar inode
|
||
|
Specify the inode.
|
||
|
Conflicts with
|
||
|
.Fl a .
|
||
|
.It Fl o Ar outputfile
|
||
|
Write the filedata of the inode to
|
||
|
.Ar outputfile .
|
||
|
Requires
|
||
|
.Fl i Ar inode .
|
||
|
Use filename - to write to stdout.
|
||
|
.El
|
||
|
.Pp
|
||
|
If neither
|
||
|
.Fl d
|
||
|
nor
|
||
|
.Fl o Ar outputfile
|
||
|
are specified, the default action is showing the inode content.
|
||
|
You must specify either
|
||
|
.Fl a
|
||
|
or
|
||
|
.Fl i Ar inode .
|
||
|
.Sh EXAMPLES
|
||
|
You can use
|
||
|
.Xr ls 1
|
||
|
to get the inode number of a directory:
|
||
|
.Pp
|
||
|
.Dl # ls -di example
|
||
|
.Dl 1671677 example
|
||
|
.Pp
|
||
|
Then use
|
||
|
.Nm
|
||
|
to list the directory and find the inode number of the deleted file:
|
||
|
.Pp
|
||
|
.Dl # dump_inode -di 1671677 sd1k
|
||
|
.Dl deleted:0 inode:1671677 type:d name:.
|
||
|
.Dl deleted:0 inode:10079295 type:d name:..
|
||
|
.Dl deleted:1 inode:1671678 type:f name:test
|
||
|
.Dl deleted:1 inode:0 type:u name:
|
||
|
.Pp
|
||
|
Otherwise, you can list directories starting from the filesystem root, which
|
||
|
has always inode number 2:
|
||
|
.Pp
|
||
|
.Dl # dump_inode -di 2 sd1k
|
||
|
.Dl deleted:0 inode:2 type:d name:.
|
||
|
.Dl deleted:0 inode:2 type:d name:..
|
||
|
.Dl deleted:0 inode:8303627 type:d name:tom
|
||
|
.Dl deleted:0 inode:522240 type:d name:_sysupgrade
|
||
|
.Dl deleted:0 inode:3 type:d name:lost+found
|
||
|
.Dl deleted:1 inode:1201152 type:d name:test
|
||
|
.Dl deleted:1 inode:8192 type:u name:
|
||
|
.Pp
|
||
|
Note, that the listing of deleted entries is based on heuristics and might be
|
||
|
spurious.
|
||
|
.Pp
|
||
|
If you cannot find the inode number of your file this way, you can try to dump
|
||
|
the whole inode table.
|
||
|
To find your file this way, you need some criteria to identify it e.g. files
|
||
|
that are deleted but still open have nlink 0 but a size that is not 0:
|
||
|
.Pp
|
||
|
.Dl # dump_inode -a sd1k | grep nlink:0 | grep -v size:0
|
||
|
.Dl ...
|
||
|
.Dl inode:1671678 type:f mode:644 nlink:0 uid:1000 gid:1000 size:5 atime:1676817142 mtime:1676817121 ctime:1676817200
|
||
|
.Dl ...
|
||
|
.Pp
|
||
|
Note, that this data might not be written to disk yet and your inode still has
|
||
|
a nlink that is not 0.
|
||
|
You can force writeback to disk with
|
||
|
.Xr sync 8 .
|
||
|
.Pp
|
||
|
Once you got the inode of your file you can recover its data:
|
||
|
.Pp
|
||
|
.Dl # dump_inode -i 1671678 -o test sd1k
|