Thomas Lindner
parent
5bbbed059e
commit
4a10e87da5
1
Makefile
1
Makefile
|
|
@ -8,4 +8,5 @@ clean:
|
|||
rm -f dump_inode
|
||||
|
||||
install:
|
||||
install -D dump_inode.8 $(DESTDIR)$(PREFIX)/man/man8/dump_inode.8
|
||||
install -Ds dump_inode $(DESTDIR)$(PREFIX)/sbin/dump_inode
|
||||
|
|
|
|||
|
|
@ -0,0 +1,4 @@
|
|||
A small tool to recover deleted files from UFS/UFS2 filesystems on
|
||||
OpenBSD. Might also work on other BSD variants, but I have not
|
||||
tested this. It allows inspecting the inode table, listing of deleted
|
||||
entries in a directory and dumping of data belonging to an inode.
|
||||
|
|
@ -0,0 +1,123 @@
|
|||
.\"
|
||||
.\" Copyright (c) 2023 Thomas Lindner <tom@dl6tom.de>
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd February 15, 2023
|
||||
.Dt DUMP_INODE 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm dump_inode
|
||||
.Nd recover deleted files from UFS/UFS2 filesystems
|
||||
.Sh SYNOPSIS
|
||||
.Nm dump_inode
|
||||
.Op Fl ad
|
||||
.Op Fl i Ar inode
|
||||
.Op Fl o Ar outputfile
|
||||
.Ar partition
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
allows recovery of deleted files by inspecting the inode table, listing of
|
||||
deleted entries in a directory and dumping of data belonging to an inode.
|
||||
.Pp
|
||||
Generally, you would
|
||||
.Xr umount 8
|
||||
a filesystem from which you want to recover a deleted file, to avoid
|
||||
overwriting data.
|
||||
However, to recover a file with
|
||||
.Nm
|
||||
it is required that there is still a process that has the file open, to avoid
|
||||
that the size and block numbers in the inode are cleared.
|
||||
Therefore, it is necessary to keep the filesystem mounted.
|
||||
.Pp
|
||||
The options are as follows:
|
||||
.Bl -tag -width Ds
|
||||
.It Fl a
|
||||
Iterate over the whole inode table.
|
||||
Conflicts with
|
||||
.Fl i Ar inode .
|
||||
.It Fl d
|
||||
List directory entries.
|
||||
Tries to also list deleted entries.
|
||||
.It Fl i Ar inode
|
||||
Specify the inode.
|
||||
Conflicts with
|
||||
.Fl a .
|
||||
.It Fl o Ar outputfile
|
||||
Write the filedata of the inode to
|
||||
.Ar outputfile .
|
||||
Requires
|
||||
.Fl i Ar inode .
|
||||
Use filename - to write to stdout.
|
||||
.El
|
||||
.Pp
|
||||
If neither
|
||||
.Fl d
|
||||
nor
|
||||
.Fl o Ar outputfile
|
||||
are specified, the default action is showing the inode content.
|
||||
You must specify either
|
||||
.Fl a
|
||||
or
|
||||
.Fl i Ar inode .
|
||||
.Sh EXAMPLES
|
||||
You can use
|
||||
.Xr ls 1
|
||||
to get the inode number of a directory:
|
||||
.Pp
|
||||
.Dl # ls -di example
|
||||
.Dl 1671677 example
|
||||
.Pp
|
||||
Then use
|
||||
.Nm
|
||||
to list the directory and find the inode number of the deleted file:
|
||||
.Pp
|
||||
.Dl # dump_inode -di 1671677 sd1k
|
||||
.Dl deleted:0 inode:1671677 type:d name:.
|
||||
.Dl deleted:0 inode:10079295 type:d name:..
|
||||
.Dl deleted:1 inode:1671678 type:f name:test
|
||||
.Dl deleted:1 inode:0 type:u name:
|
||||
.Pp
|
||||
Otherwise, you can list directories starting from the filesystem root, which
|
||||
has always inode number 2:
|
||||
.Pp
|
||||
.Dl # dump_inode -di 2 sd1k
|
||||
.Dl deleted:0 inode:2 type:d name:.
|
||||
.Dl deleted:0 inode:2 type:d name:..
|
||||
.Dl deleted:0 inode:8303627 type:d name:tom
|
||||
.Dl deleted:0 inode:522240 type:d name:_sysupgrade
|
||||
.Dl deleted:0 inode:3 type:d name:lost+found
|
||||
.Dl deleted:1 inode:1201152 type:d name:test
|
||||
.Dl deleted:1 inode:8192 type:u name:
|
||||
.Pp
|
||||
Note, that the listing of deleted entries is based on heuristics and might be
|
||||
spurious.
|
||||
.Pp
|
||||
If you cannot find the inode number of your file this way, you can try to dump
|
||||
the whole inode table.
|
||||
To find your file this way, you need some criteria to identify it e.g. files
|
||||
that are deleted but still open have nlink 0 but a size that is not 0:
|
||||
.Pp
|
||||
.Dl # dump_inode -a sd1k | grep nlink:0 | grep -v size:0
|
||||
.Dl ...
|
||||
.Dl inode:1671678 type:f mode:644 nlink:0 uid:1000 gid:1000 size:5 atime:1676817142 mtime:1676817121 ctime:1676817200
|
||||
.Dl ...
|
||||
.Pp
|
||||
Note, that this data might not be written to disk yet and your inode still has
|
||||
a nlink that is not 0.
|
||||
You can force writeback to disk with
|
||||
.Xr sync 8 .
|
||||
.Pp
|
||||
Once you got the inode of your file you can recover its data:
|
||||
.Pp
|
||||
.Dl # dump_inode -i 1671678 -o test sd1k
|
||||
Loading…
Reference in New Issue