DragonFly users List (threaded) for 2009-08
DragonFly BSD

Re: Forensics tools for HammerFS


From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 10 Aug 2009 07:43:23 -0700 (PDT)

:Hi,
:
:Are there any current Forensic tools that will work with a hammerfs
:disk image made by dd?
:I guess sleuthkit and autopsy won't work.
:And what is the best way to undelete a file from hammerfs for which no
:snapshots are configured?
:
:Thanks
:
:--Siju

    'hammer -f <device> show' will dump the media structures.

    undo -i <filename> will locate any retained history for a file or
    prior incarnation of a file, if it exists.  If no snapshots have been
    made yet but the filesystem is mounted normally (not mounted 'nohistory'),
    then there should be history associated with it.

    When you start making snapshots any fine-grained history beyond the first
    snapshot is lost (pruned out by the snapshots).

    Trying to find old file data on-media is possible but without any
    meta-data to point at it the best you can do is to try to pick it out
    of the disk image.

    The default is to run daily snapshots (they are put in <fs>/snapshots).
    The system's daily cron usually does that automatically.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
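
The last resort described above, picking old file data out of the disk image without meta-data, as an added example (not part of the original message and not a DragonFly tool): a Python scan of a raw dd image for a byte string known to have been in the lost file, followed by extraction of the printable run around each hit. It assumes nothing about HAMMER's on-media layout; the sample image, the marker and the function names are constructed for illustration.

```python
import io

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def find_marker_offsets(image, marker, chunk_size=1 << 20):
    """Return absolute offsets of every occurrence of marker in a raw image stream."""
    if not marker:
        raise ValueError("marker must be non-empty")
    overlap = len(marker) - 1  # bytes carried over so boundary-straddling hits are seen
    offsets, tail, base = [], b"", 0  # base = absolute offset of window[0]
    while True:
        chunk = image.read(chunk_size)
        if not chunk:
            return offsets
        window = tail + chunk
        pos = window.find(marker)
        while pos != -1:
            offsets.append(base + pos)
            pos = window.find(marker, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)

def carve_text(image, offset, radius=65536):
    """Return (start_offset, data) for the run of printable bytes around offset."""
    start = max(0, offset - radius)
    image.seek(start)
    buf = image.read(offset - start + radius)
    lo = hi = offset - start
    while lo > 0 and buf[lo - 1] in PRINTABLE:
        lo -= 1
    while hi < len(buf) and buf[hi] in PRINTABLE:
        hi += 1
    return start + lo, buf[lo:hi]

# Constructed sample: a stand-in for a dd image, with the same text fragment
# placed twice, the first copy straddling a 4096-byte read boundary.
SAMPLE_TEXT = b"draft: quarterly-report figures\n"

def build_sample_image():
    return io.BytesIO(b"\x00" * 4085 + SAMPLE_TEXT + b"\xff" * 3000
                      + SAMPLE_TEXT + b"\x00" * 100)

if __name__ == "__main__":
    img = build_sample_image()  # for a real image: open("disk.img", "rb") (hypothetical path)
    for off in find_marker_offsets(img, b"quarterly-report", chunk_size=4096):
        print(off, carve_text(img, off))
```

Run it against a read-only copy of the image, never the original device.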


