From 4a10e87da5fc78dbcec707b8153a35b8abece488 Mon Sep 17 00:00:00 2001 From: Thomas Lindner Date: Sun, 19 Feb 2023 17:02:14 +0100 Subject: [PATCH] add README and man page --- Makefile | 1 + README | 4 ++ dump_inode.8 | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 128 insertions(+) create mode 100644 README create mode 100644 dump_inode.8 diff --git a/Makefile b/Makefile index 2347abe..aee0664 100644 --- a/Makefile +++ b/Makefile @@ -8,4 +8,5 @@ clean: rm -f dump_inode install: + install -D dump_inode.8 $(DESTDIR)$(PREFIX)/man/man8/dump_inode.8 install -Ds dump_inode $(DESTDIR)$(PREFIX)/sbin/dump_inode diff --git a/README b/README new file mode 100644 index 0000000..2590ed6 --- /dev/null +++ b/README @@ -0,0 +1,4 @@ +A small tool to recover deleted files from UFS/UFS2 filesystems on +OpenBSD. Might also work on other BSD variants, but I have not +tested this. It allows inspecting the inode table, listing of deleted +entries in a directory and dumping of data belonging to an inode. diff --git a/dump_inode.8 b/dump_inode.8 new file mode 100644 index 0000000..a5abe16 --- /dev/null +++ b/dump_inode.8 @@ -0,0 +1,123 @@ +.\" +.\" Copyright (c) 2023 Thomas Lindner +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd February 15, 2023 +.Dt DUMP_INODE 8 +.Os +.Sh NAME +.Nm dump_inode +.Nd recover deleted files from UFS/UFS2 filesystems +.Sh SYNOPSIS +.Nm dump_inode +.Op Fl ad +.Op Fl i Ar inode +.Op Fl o Ar outputfile +.Ar partition +.Sh DESCRIPTION +.Nm +allows recovery of deleted files by inspecting the inode table, listing of +deleted entries in a directory and dumping of data belonging to an inode. +.Pp +Generally, you would +.Xr umount 8 +a filesystem from which you want to recover a deleted file, to avoid +overwriting data. +However, to recover a file with +.Nm +it is required that there is still a process that has the file open, to avoid +that the size and block numbers in the inode are cleared. +Therefore, it is necessary to keep the filesystem mounted. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl a +Iterate over the whole inode table. +Conflicts with +.Fl i Ar inode . +.It Fl d +List directory entries. +Tries to also list deleted entries. +.It Fl i Ar inode +Specify the inode. +Conflicts with +.Fl a . +.It Fl o Ar outputfile +Write the filedata of the inode to +.Ar outputfile . +Requires +.Fl i Ar inode . +Use filename - to write to stdout. +.El +.Pp +If neither +.Fl d +nor +.Fl o Ar outputfile +are specified, the default action is showing the inode content. +You must specify either +.Fl a +or +.Fl i Ar inode . +.Sh EXAMPLES +You can use +.Xr ls 1 +to get the inode number of a directory: +.Pp +.Dl # ls -di example +.Dl 1671677 example +.Pp +Then use +.Nm +to list the directory and find the inode number of the deleted file: +.Pp +.Dl # dump_inode -di 1671677 sd1k +.Dl deleted:0 inode:1671677 type:d name:. +.Dl deleted:0 inode:10079295 type:d name:.. +.Dl deleted:1 inode:1671678 type:f name:test +.Dl deleted:1 inode:0 type:u name: +.Pp +Otherwise, you can list directories starting from the filesystem root, which +has always inode number 2: +.Pp +.Dl # dump_inode -di 2 sd1k +.Dl deleted:0 inode:2 type:d name:. +.Dl deleted:0 inode:2 type:d name:.. +.Dl deleted:0 inode:8303627 type:d name:tom +.Dl deleted:0 inode:522240 type:d name:_sysupgrade +.Dl deleted:0 inode:3 type:d name:lost+found +.Dl deleted:1 inode:1201152 type:d name:test +.Dl deleted:1 inode:8192 type:u name: +.Pp +Note, that the listing of deleted entries is based on heuristics and might be +spurious. +.Pp +If you cannot find the inode number of your file this way, you can try to dump +the whole inode table. +To find your file this way, you need some criteria to identify it e.g. files +that are deleted but still open have nlink 0 but a size that is not 0: +.Pp +.Dl # dump_inode -a sd1k | grep nlink:0 | grep -v size:0 +.Dl ... +.Dl inode:1671678 type:f mode:644 nlink:0 uid:1000 gid:1000 size:5 atime:1676817142 mtime:1676817121 ctime:1676817200 +.Dl ... +.Pp +Note, that this data might not be written to disk yet and your inode still has +a nlink that is not 0. +You can force writeback to disk with +.Xr sync 8 . +.Pp +Once you got the inode of your file you can recover its data: +.Pp +.Dl # dump_inode -i 1671678 -o test sd1k