.\"
.\" Copyright (c) 2023 Thomas Lindner <tom@dl6tom.de>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd February 15, 2023
.Dt DUMP_INODE 8
.Os
.Sh NAME
.Nm dump_inode
.Nd recover deleted files from UFS/UFS2 filesystems
.Sh SYNOPSIS
.Nm dump_inode
.Op Fl ad
.Op Fl i Ar inode
.Op Fl o Ar outputfile
.Ar partition
.Sh DESCRIPTION
.Nm
allows recovery of deleted files by inspecting the inode table, listing
deleted entries in a directory and dumping the data belonging to an inode.
.Pp
Generally, you would
.Xr umount 8
a filesystem from which you want to recover a deleted file, to avoid
overwriting data.
However, to recover a file with
.Nm
a process must still have the file open, because otherwise the size and block
numbers in the inode are cleared.
Therefore, it is necessary to keep the filesystem mounted.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl a
Iterate over the whole inode table.
Conflicts with
.Fl i Ar inode .
.It Fl d
List directory entries.
Tries to also list deleted entries.
.It Fl i Ar inode
Specify the inode.
Conflicts with
.Fl a .
.It Fl o Ar outputfile
Write the file data of the inode to
.Ar outputfile .
Requires
.Fl i Ar inode .
Use the filename
.Sq -
to write to stdout.
.El
.Pp
If neither
.Fl d
nor
.Fl o Ar outputfile
is specified, the default action is to show the inode content.
You must specify either
.Fl a
or
.Fl i Ar inode .
.Sh EXAMPLES
You can use
.Xr ls 1
to get the inode number of a directory:
.Pp
.Dl # ls -di example
.Dl 1671677 example
.Pp
Then use
.Nm
to list the directory and find the inode number of the deleted file:
.Pp
.Dl # dump_inode -di 1671677 sd1k
.Dl deleted:0 inode:1671677 type:d name:.
.Dl deleted:0 inode:10079295 type:d name:..
.Dl deleted:1 inode:1671678 type:f name:test
.Dl deleted:1 inode:0 type:u name:
.Pp
Otherwise, you can list directories starting from the filesystem root, which
always has inode number 2:
.Pp
.Dl # dump_inode -di 2 sd1k
.Dl deleted:0 inode:2 type:d name:.
.Dl deleted:0 inode:2 type:d name:..
.Dl deleted:0 inode:8303627 type:d name:tom
.Dl deleted:0 inode:522240 type:d name:_sysupgrade
.Dl deleted:0 inode:3 type:d name:lost+found
.Dl deleted:1 inode:1201152 type:d name:test
.Dl deleted:1 inode:8192 type:u name:
.Pp
Note that the listing of deleted entries is based on heuristics and might be
spurious.
.Pp
If you cannot find the inode number of your file another way, you can try to
dump the whole inode table.
To identify your file, filter on some criteria; for example, files that are
deleted but still open have nlink 0 but a size that is not 0:
.Pp
.Dl # dump_inode -a sd1k | grep nlink:0 | grep -v size:0
.Dl ...
.Dl inode:1671678 type:f mode:644 nlink:0 uid:1000 gid:1000 size:5 atime:1676817142 mtime:1676817121 ctime:1676817200
.Dl ...
.Pp
Note that this data might not be written to disk yet, so your inode may still
have an nlink that is not 0.
You can force writeback to disk with
.Xr sync 8 .
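.Pp
The nlink and size filter above can also be written as a shell function that parses each key:value field; this is an added example, not part of dump_inode itself.
It assumes the line layout of the sample output shown above, runs on constructed sample lines, and the names open_deleted and sample_table are hypothetical.

```sh
#!/bin/sh
# Added example: pick deleted-but-still-open regular files out of
# `dump_inode -a` output. Assumes the key:value layout of the sample line.

# Constructed sample input; only inode 1671678 is taken from the manual.
sample_table() {
    cat <<'EOF'
inode:1671677 type:d mode:755 nlink:2 uid:1000 gid:1000 size:512 atime:1676817100 mtime:1676817100 ctime:1676817100
inode:1671678 type:f mode:644 nlink:0 uid:1000 gid:1000 size:5 atime:1676817142 mtime:1676817121 ctime:1676817200
inode:1671679 type:f mode:644 nlink:0 uid:1000 gid:1000 size:0 atime:1676817150 mtime:1676817150 ctime:1676817150
inode:1671680 type:f mode:600 nlink:1 uid:0 gid:0 size:2048 atime:1676817160 mtime:1676817160 ctime:1676817160
inode:1671690 type:f mode:600 nlink:0 uid:0 gid:0 size:4096 atime:1676817300 mtime:1676817300 ctime:1676817300
EOF
}

# Reads inode lines on stdin, prints "inode size uid mtime" per candidate.
# Optional $1: only report inodes owned by that numeric uid.
open_deleted() {
    awk -v want_uid="${1:-}" '
    {
        # Split every key:value token of the line into the array f.
        split("", f)                      # portable way to empty an array
        for (i = 1; i <= NF; i++) {
            p = index($i, ":")
            if (p > 1) f[substr($i, 1, p - 1)] = substr($i, p + 1)
        }
        # Ignore lines that are not inode records, such as "..." or errors.
        if (!("inode" in f) || !("nlink" in f) || !("size" in f)) next
        # Regular files only; directories are listed with -d instead.
        if (f["type"] != "f") next
        # Deleted but still open: no links left, size and blocks not cleared.
        if (f["nlink"] + 0 != 0 || f["size"] + 0 == 0) next
        if (want_uid != "" && f["uid"] + 0 != want_uid + 0) next
        print f["inode"], f["size"], f["uid"], f["mtime"]
    }'
}

# Demonstration on the constructed table.
# Real use (as root): dump_inode -a sd1k | open_deleted 1000
sample_table | open_deleted
```

The first column of each output line is the inode number to pass to
.Fl i Ar inode .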
.Pp
Once you have the inode number of your file, you can recover its data:
.Pp
.Dl # dump_inode -i 1671678 -o test sd1k