DragonFly users List (threaded) for 2009-08
Re: Forensics tools for HammerFS
:Are there any current Forensic tools that will work with a hammerfs
:disk image made by dd?
:I guess sleuthkit and autopsy won't work.
:And what is the best way to undelete a file from hammerfs for which no
:snapshots are configured?

'hammer -f <device> show' will dump the media structures.

'undo -i <filename>' will locate any retained history for a file or
prior incarnation of a file, if it exists. If no snapshots have been
made yet but the filesystem is mounted normally (not mounted 'nohistory'),
then there should be history associated with it.

When you start making snapshots any fine-grained history beyond the first
snapshot is lost (pruned out by the snapshots).

Trying to find old file data on-media is possible but without any
meta-data to point at it the best you can do is to try to pick it out
of the disk image.

The default is to run daily snapshots (they are put in <fs>/snapshots).
The system's daily cron usually does that automatically.