DOCSLIB.ORG

Cluster-Slack Retention Characteristics: a Study of the NTFS Filesystem

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cluster-Slack Retention Characteristics: a Study of the NTFS Filesystem Department of Computer Science Zak Blacher Cluster-Slack Retention Characteristics: A Study of the NTFS Filesystem Master's Thesis D2010:06 Cluster-Slack Retention Characteristics: A Study of the NTFS Filesystem Zak Blacher c 2010 The author and Karlstad University This thesis is submitted in partial fulfillment of the requirements for the Masters degree in Computer Science. All material in this thesis which is not my own work has been identified and no mate- rial is included for which a degree has previously been conferred. Zak Blacher Approved, 10th June, 2010 Advisor: Thijs Holleboom Examiner: Donald Ross iii Abstract This paper explores the statistical properties of microfragment recovery techniques used on NTFS filesystems in the use of digital forensics. A microfragment is the remnant file-data existing in the cluster slack after this file has been overwritten. The total amount of cluster slack is related to the size distribution of the overwriting files as well as to the size of cluster. Experiments have been performed by varying the size distributions of the overwriting files as well as the cluster sizes of the partition. These results are then compared with existing analytical models. v Acknowledgements I would like to thank my supervisors Thijs Holleboom and Johan Garcia for their support in the creation of this document. I would very much like to thank Anja Fischer for her help proofreading and formatting this document, and to Thijs for providing some of the graphics used to demonstrate these models. I would also like to thank Johan Garcia and Tomas Hall for providing the C and C++ code used to generate and count the file fragments. Additionally, I would like to thank the community at #windows on irc.freenode.net for their help and pointers in understanding and making sense of the NTFS filesystem. I would also like to thank the Microsoft Corporation (R) for the creation of the NTFS filesystem. vii Contents 1 Introduction 1 1.1 Introduction . 1 1.2 F.I.V.E.S. 2 1.3 Units . 2 2 Background 3 2.1 Introduction . 3 2.2 Digital Forensics . 3 2.3 Hard Drive Structure . 4 2.3.1 Files and File Distributions . 5 2.3.2 Microfragment Analysis . 6 2.3.3 NTFS . 8 2.3.4 Expected Microfragment Distribution . 9 2.4 Overview of the Microfragment Analysis Model . 10 2.4.1 Fixed Distribution . 11 2.4.2 Uniform Distribution . 11 2.4.3 Exponential Distribution . 12 3 Experiments 15 3.1 Introduction . 15 ix 3.1.1 Testbed . 16 3.2 findGenFrag Experiments . 16 3.2.1 'File Size Distribution' Test . 16 3.2.2 'Cluster Size Distribution' Test . 20 3.2.3 '30 Repetitions' Test . 22 3.2.4 'Rolling Hash' Tests . 24 3.3 Summary . 25 4 Results 27 4.1 Introduction . 27 4.2 findGenFrag Results . 28 4.2.1 'File Size Distribution' Test . 28 4.2.2 'Cluster Size Distribution' Test . 29 4.2.3 '30 Repetitions' Test . 32 4.2.4 'Rolling Hash' Tests . 35 4.3 Summary . 39 5 Conclusion 41 5.1 Microfragment Collection . 41 5.2 Future Work . 41 References 43 A 45 A.1 Graph Data . 45 A.1.1 Uniform Distribution Calculations . 45 A.1.2 'File Size Distribution' Test . 46 A.1.3 'Cluster Size Distribution' Test . 46 A.1.4 '30 Repetitions' Test . 49 x A.1.5 'Rolling Hash' Tests . 49 A.2 Fragment Analysis . 51 A.2.1 findGenFrag.c . 51 A.2.2 genDistrFile.c . 53 A.3 Python Scripts . 64 A.3.1 script2.py . 64 A.3.2 script rh.py . 67 A.4 Extension & Misc Functions . 69 A.4.1 OpenOffice Graph Export Macro . 69 A.4.2 extension-functions.c . 71 xi List of Figures 2.1 Hard Drive Structure . 4 2.2 Windows XP Default File Distribution . 6 2.3 Cluster Slack Example . 7 3.1 Cluster Size v. Slack Recovery . 20 4.1 Cluster Size Distribution Test . 28 4.2 Tail Overlap Example . 29 4.3 Cluster Size Test (rf param v. cluster size) . 30 4.4 Cluster Size Test (cluster size v. rf param) . 31 4.5 Cluster Size Test (Microfragment Recovery) . 32 4.6 Repetitions 4096 Test (Uniform v. Exponential) . 33 4.7 Repetitions 4096 Test . 34 4.8 Recovered Microfragments (Experimental v. Analytical) . 34 4.9 Size Distribution Tests Comparison (Hashes v. Fragments) . 35 4.10 Size Distribution Tests (Hashes by Cluster Size) . 36 4.11 Cluster Size Tests (Rolling Hash) . 36 4.12 Cluster Size Tests (Ratio Demonstration) . 37 4.13 Microfragment v. Hash Ratios . 38 4.14 Microfragment Detection Results . 39 xiii List of Tables 2.1 NTFS Feature List . 9 A.1 'Uniform Probability' graph data . 45 A.2 'File Size Distribution' graph data . 46 A.3 'Cluster Size Distribution' graph data . 48 A.4 '30 Repetitions' graph data . 49 xv Chapter 1 Introduction 1.1 Introduction This chapter will present a brief overview as to the goal of this thesis as well as provide an introduction to the FIVES project and the units used within this document. The purpose of this dissertation is to explore and quantify the results that come from the microfragment analysis of an NTFS volume. If these results prove consistent and reliable, then the use of tail slack inspection (explained in Chapter 2) can be seen as a viable means of forensic file fingerprint recovery. This document will perform a series of microfragment analysis tests (expanded upon in Chapter 3) and compare the results with the models described in reference [1], 'Fragment Retention Characteristics in Slack Space.' Two tests have been additionally designed to compare the matching abilities of microfragment analysis with that of rolling hash block recovery, a more traditional approach used in digital forensics. 1 2 CHAPTER 1. INTRODUCTION 1.2 F.I.V.E.S. The goal of the Forensic Image and Video Examination Support project[2] is to develop a set of automated investigative tools to be used in conjunction with law enforcement agencies to assist in the detection of data. The role of microfragment matching is useful in demonstrating the previous existence of offending files on a device, and is the central aspect of the FIVES toolkit. The basis of the experiments performed in Chapter 3 will be the demonstration of the precision and effectiveness of these tools. FIVES is a targeted project within the Safer Internet Program[3]. 1.3 Units The standard block size in this document is 512 x 8 bit bytes. All units measured refer to the IEC binary unit unless otherwise specified. Efforts have been made to use the notation kibibyte (210 bytes) and its abbreviation 'KiB' instead of the SI defined kilobyte (103 bytes) and it's respective abbreviation 'Kb'. Multiples of the IEC unit are mebibytes (MiB) and gibibites (GiB) which are 220 and 230 bytes respectively. More about these units can be found on the Wikipedia entry page for kilobyte[4]. This notation has not yet met widespread acceptance into the technical vernacular, and a few different standards are accepted in various computer related fields. However, in this dissertation it is important to differentiate between the SI and the IEC units as certain calculations are performed using numbers from both bases. Chapter 2 Background 2.1 Introduction The purpose of this chapter is to expand upon the motivation behind this thesis; the analysis of distributed files and detection of remnant data. To this end, this chapter will briefly introduce the concept of digital forensics, provide a basic overview of traditional hard drive construction and describe the process in which microfragments are generated. Furthermore, it will provide a comprehensive description of the NT filesystem features, a graphic demonstrating the general trend for file sizes on a typical NTFS partition, and finally a restatement of the formulas for calculating the expected appearance of microfrag- ments on a device. 2.2 Digital Forensics In contrast with criminal forensics, the goal of digital forensics is to explain the state of the digital artifact rather than determine the cause. The current implementations of forensic file recovery involve taking a full snapshot of a hard disk or device, and performing an analysis on either the unallocated area or 3 4 CHAPTER 2. BACKGROUND on the full volume. The goal of these methods is the attempt to recover metadata and unreallocated sectors from deleted files. From the deleted sectors, it is possible to extract parts of the underlying data, but the idea of fully recovering overwritten data is infeasible, as the magnetic media does not retain any history. 2.3 Hard Drive Structure Traditionally, storage has been expressed in terms of cylinder, head, and sector count tuples (CHS). A typical hard drive is composed of several rotating platters. Each face of each platter is divided into concentric rings called cylinders. These cylinders are further divided into arc-sections called blocks, and these blocks typically store 512 bytes of data. Each face of the each platter has a separate read head that floats just above the surface. The read seeks to a cylinder, and captures data from the chosen block. Often these devices would capture many blocks at a time (see figure 2.1. Figure 2.1: Hard Drive Physical Structure 2.3. HARD DRIVE STRUCTURE 5 For example, a floppy disk reports 80 cylinders, 2 heads, and 18 sectors of 512 bytes each1. 80 ∗ 2 ∗ 18 ∗ 512B = 1474560B = 1440 KiB, which is the standard capacity for a high-density floppy diskette2. This notation is not without problems, however. The original Master Boot Record specifications allowed 16 bits of information to represent 1024 cylinders, 255 heads, and 64 sectors[5], limiting devices to approximately 8.4 GiB.
Load more

Recommended publications
  • LS-09EN. OS Permissions. SUID/SGID/Sticky. Extended Attributes
    Operating Systems LS-09. OS Permissions. SUID/SGID/Sticky. Extended Attributes. Operating System Concepts 1.1 ys©2019 Linux/UNIX Security Basics Agenda ! UID ! GID ! Superuser ! File Permissions ! Umask ! RUID/EUID, RGID/EGID ! SUID, SGID, Sticky bits ! File Extended Attributes ! Mount/umount ! Windows Permissions ! File Systems Restriction Operating System Concepts 1.2 ys©2019 Domain Implementation in Linux/UNIX ! Two types domain (subjects) groups ! User Domains = User ID (UID>0) or User Group ID (GID>0) ! Superuser Domains = Root ID (UID=0) or Root Group ID (root can do everything, GID=0) ! Domain switch accomplished via file system. ! Each file has associated with it a domain bit (SetUID bit = SUID bit). ! When file is executed and SUID=on, then Effective UID is set to Owner of the file being executed. When execution completes Efective UID is reset to Real UID. ! Each subject (process) and object (file, socket,etc) has a 16-bit UID. ! Each object also has a 16-bit GID and each subject has one or more GIDs. ! Objects have access control lists that specify read, write, and execute permissions for user, group, and world. Operating System Concepts 1.3 ys©2019 Subjects and Objects Subjects = processes Objects = files (regular, directory, (Effective UID, EGID) devices /dev, ram /proc) RUID (EUID) Owner permissions (UID) RGID-main (EGID) Group Owner permissions (GID) +RGID-list Others RUID, RGID Others ID permissions Operating System Concepts 1.4 ys©2019 The Superuser (root) • Almost every Unix system comes with a special user in the /etc/passwd file with a UID=0. This user is known as the superuser and is normally given the username root.
    [Show full text]
  • Sistemas De Archivos
    Sistemas de archivos Gunnar Wolf IIEc-UNAM Esteban Ruiz CIFASIS-UNR Federico Bergero CIFASIS-UNR Erwin Meza UNICAUCA Índice 1. Plasmando la estructura en el dispositivo1 1.1. Conceptos para la organización...................2 1.2. Diferentes sistemas de archivos...................4 1.3. El volumen..............................4 1.4. El directorio y los i-nodos......................6 1.5. Compresión y desduplicación .................... 11 2. Esquemas de asignación de espacio 14 2.1. Asignación contigua......................... 14 2.2. Asignación ligada........................... 15 2.3. Asignación indexada......................... 16 2.4. Las tablas en FAT.......................... 18 3. Fallos y recuperación 20 3.1. Datos y metadatos.......................... 22 3.2. Vericación de la integridad..................... 22 3.3. Actualizaciones suaves (soft updates)................ 23 3.4. Sistemas de archivo con bitácora (journaling le systems).... 24 3.5. Sistemas de archivos estructurados en bitácora (log-structured le systems)................................ 25 4. Otros recursos 26 1. Plasmando la estructura en el dispositivo A lo largo del capítulo ?? se presentaron los elementos del sistema de archivos tal como son presentados al usuario nal, sin entrar en detalles respecto a cómo organiza toda esta información el sistema operativo en un dispositivo persistente 1 Mencionamos algunas estructuras base, pero dejándolas explícitamente pen- dientes de denición. En este capítulo se tratarán las principales estructuras y mecanismos empleados
    [Show full text]
  • Wikipedia: Design of the FAT File System
    Design of the FAT file system A FAT file system is a specific type of computer file system architecture and FAT a family of industry-standard file systems utilizing it. Developer(s) Microsoft, SCP, IBM, [3] The FAT file system is a legacy file system which is simple and robust. It Compaq, Digital offers good performance even in very light-weight implementations, but Research, Novell, cannot deliver the same performance, reliability and scalability as some Caldera modern file systems. It is, however, supported for compatibility reasons by Full name File Allocation Table: nearly all currently developed operating systems for personal computers and FAT12 (12- many home computers, mobile devices and embedded systems, and thus is a bit version), well suited format for data exchange between computers and devices of almost FAT16 (16- any type and age from 1981 through the present. bit versions), Originally designed in 1977 for use on floppy disks, FAT was soon adapted and FAT32 (32-bit version used almost universally on hard disks throughout the DOS and Windows 9x with 28 bits used), eras for two decades. Today, FAT file systems are still commonly found on exFAT (64- floppy disks, USB sticks, flash and other solid-state memory cards and bit versions) modules, and many portable and embedded devices. DCF implements FAT as Introduced 1977 (Standalone the standard file system for digital cameras since 1998.[4] FAT is also utilized Disk BASIC-80) for the EFI system partition (partition type 0xEF) in the boot stage of EFI- FAT12: August 1980 compliant computers. (SCP QDOS) FAT16: August 1984 For floppy disks, FAT has been standardized as ECMA-107[5] and (IBM PC DOS 3.0) ISO/IEC 9293:1994[6] (superseding ISO 9293:1987[7]).
    [Show full text]
  • I. ELECTRONIC DISCOVERY: DEFINITIONS and USES A. What
    I. ELECTRONIC DISCOVERY: DEFINITIONS AND USES A. What Is Electronic Discovery? Electronic discovery includes requests for and production of information that is stored in digital form.1 In short, electronic discovery is the discovery of electronic documents and data.2 Electronic documents include virtually anything that is stored on a computer such as e-mail, web pages, word processing files, and computer databases.3 Electronic records can be found on a wide variety of devices such as desktop and laptop computers, network servers, personal digital assistants and digital phones.4 Documents and data are "electronic" if they exist in a medium that can only be read by using computers such as cache memory, magnetic disks (for example computer hard drives or floppy disks), optical disks (for example DVDs or CDs), and magnetic tapes.5 Electronic discovery is frequently distinguished from traditional "paper discovery," which is the discovery of writings on paper that can be read without the assistance of computers.6 B. Why E-Discovery Can Be Valuable in Litigation With the advancement of technology, electronic discovery is not only valuable in litigation, it is essential. Electronic evidence is affecting virtually every investigation today whether it is criminal or civil.7 Usually, there are no longer "paper- trails" that establish who did what and when.8 Instead, electronic evidence is providing the clues to understanding what actually happened.9 Consider these statistics regarding the electronic evidence explosion: · "In 2002, the International Data Corporation estimated that 31 billion e-mails were sent daily. This number is expected to grow to 60 billion a day by 2006.
    [Show full text]
  • Ext4 Disk Layout - Ext4 Hps://Ext4.Wiki.Kernel.Org/Index.Php/Ext4 Disk Layout
    Ext4 Disk Layout - Ext4 hps://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout Ext4 Disk Layout From Ext4 is document aempts to describe the on-disk format for ext4 filesystems. e same general ideas should apply to ext2/3 filesystems as well, though they do not support all the features that ext4 supports, and the fields will be shorter. NOTE: is is a work in progress, based on notes that the author (djwong) made while picking apart a filesystem by hand. e data structure definitions were pulled out of Linux 3.11 and e2fsprogs-1.42.8. He welcomes all comments and corrections, since there is undoubtedly plenty of lore that doesn't necessarily show up on freshly created demonstration filesystems. Contents 1 Terminology 2 Overview 2.1 Blocks 2.2 Layout 2.3 Flexible Block Groups 2.4 Meta Block Groups 2.5 Lazy Block Group Initialization 2.6 Special inodes 2.7 Block and Inode Allocation Policy 2.8 Checksums 2.9 Bigalloc 2.10 Inline Data 2.10.1 Inline Directories 3 e Super Block 4 Block Group Descriptors 5 Block and inode Bitmaps 6 Inode Table 6.1 Finding an Inode 6.2 Inode Size 6.3 Inode Timestamps 7 e Contents of inode.i_block 7.1 Symbolic Links 1 of 43 10/21/2013 10:43 PM Ext4 Disk Layout - Ext4 hps://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout 7.2 Direct/Indirect Block Addressing 7.3 Extent Tree 7.4 Inline Data 8 Directory Entries 8.1 Linear (Classic) Directories 8.2 Hash Tree Directories 9 Extended Aributes 9.1 POSIX ACLs 10 Multiple Mount Protection 11 Journal (jbd2) 11.1 Layout 11.2 Block Header 11.3 Super Block 11.4 Descriptor Block 11.5 Data Block 11.6 Revocation Block 11.7 Commit Block 12 Areas in Need of Work 13 Other References Terminology ext4 divides a storage device into an array of logical blocks both to reduce bookkeeping overhead and to increase throughput by forcing larger transfer sizes.
    [Show full text]
  • File Allocation Table - Wikipedia, the Free Encyclopedia Page 1 of 22
    File Allocation Table - Wikipedia, the free encyclopedia Page 1 of 22 File Allocation Table From Wikipedia, the free encyclopedia File Allocation Table (FAT) is a file system developed by Microsoft for MS-DOS and is the primary file system for consumer versions of Microsoft Windows up to and including Windows Me. FAT as it applies to flexible/floppy and optical disc cartridges (FAT12 and FAT16 without long filename support) has been standardized as ECMA-107 and ISO/IEC 9293. The file system is partially patented. The FAT file system is relatively uncomplicated, and is supported by virtually all existing operating systems for personal computers. This ubiquity makes it an ideal format for floppy disks and solid-state memory cards, and a convenient way of sharing data between disparate operating systems installed on the same computer (a dual boot environment). The most common implementations have a serious drawback in that when files are deleted and new files written to the media, directory fragments tend to become scattered over the entire disk, making reading and writing a slow process. Defragmentation is one solution to this, but is often a lengthy process in itself and has to be performed regularly to keep the FAT file system clean. Defragmentation should not be performed on solid-state memory cards since they wear down eventually. Contents 1 History 1.1 FAT12 1.2 Directories 1.3 Initial FAT16 1.4 Extended partition and logical drives 1.5 Final FAT16 1.6 Long File Names (VFAT, LFNs) 1.7 FAT32 1.8 Fragmentation 1.9 Third party
    [Show full text]
  • Creating Highly Specialized Fragmented File System Data Sets
    CREATING HIGHLY SPECIALIZED FRAGMENTED FILE SYSTEM DATA SETS FOR FORENSIC RESEARCH A Thesis Presented in Partial Fulfillment of the Requirements for the Degree of Master of Science with a Major in Computer Science in the College of Graduate Studies at University of Idaho by Douglas Drobny May 2014 Major Professor: Jim Alves-Foss, Ph.D. ii AUTHORIZATION TO SUBMIT THESIS This thesis of Douglas Drobny, submitted for the degree of Master of Science with a Major in Computer Science and titled \Creating Highly Specialized Fragmented File System Data Sets for Forensic Research", has been reviewed in final form. Permission, as indicated by the signatures and dates given below, is now granted to submit final copies to the College of Graduate Studies for approval. Major Professor Date Dr. Jim Alves-Foss Committee members Date Dr. Paul Oman Date Dr. Marty Ytreberg Computer Science Department Administrator Date Dr. Gregory Donohoe Discipline's College Dean, College of Engineering Date Dr. Larry Stauffer Final Approval and Acceptance by the College of Graduate Studies Date Dr. Jie Chen iii ABSTRACT File forensic tools examine the contents of a system's disk storage to analyze files, detect infections, examine account usages and extract information that the system's operating system cannot or does not provide. In cases where the file system is not available, or information is believed to be outside of the file system, a file carver can be used to extract files. File carving is the process of extracting information from an entire disk without metadata. This thesis looks at the effects of file fragmentation on forensic file carvers.
    [Show full text]
  • Forensic File Carving Tool Test Assertions and Test Plan
    April 2014 Forensic File Carving Tool Test Assertions and Test Plan Draft Version 1.0 for Public Comment Draft for Comment FC-atp-public-draft-01-of-ver-01.docx ii 4/7/2014 9:33 AM DRAFT Draft for Internal Comment DRAFT Abstract This document defines test assertions and test cases for digital file carving forensic tools that extract and reconstruct files without examination of file system metadata. The specification is limited to tools that identify inaccessible (deleted or embedded) files from file data content. Such tools exploit the unique data signatures of certain file types to identify starting and ending data blocks of these file types. In addition, file system allocation policies often keep file data blocks contiguous and sequential. For such contiguous sequential block placement identification of starting and ending data blocks may be sufficient to carve complete files. In other non-contiguous or non-sequential block placement, file reconstruction by carving is problematic. As this document evolves updated versions will be posted at http://www.cftt.nist.gov FC-atp-public-draft-01-of-ver-01.docx iii 4/7/2014 9:33 AM DRAFT Draft for Internal Comment DRAFT FC-atp-public-draft-01-of-ver-01.docx iv 4/7/2014 9:33 AM DRAFT Draft for Internal Comment DRAFT TABLE OF CONTENTS Abstract .............................................................................................................................. iii 1 Introduction ..................................................................................................................
    [Show full text]
  • Byteprints: a Tool to Gather Digital Evidence
    Byteprints: A Tool to Gather Digital Evidence Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan Department of Computer Science University of Texas at Dallas Richardson, TX 75083-0688. ginss, ksrini ¡ @student.utdallas.edu, [email protected] Abstract like TLDP’s Linux Ext2fs Undeletion mini-HOWTO [4], ext2fs/debugfs [8] provide information about how to find In this paper, we present techniques to recover useful in- data that is otherwise hidden to the file system. Open formation from disk drives that are used to store user data. source utilities like unrm and lazarus found in The Coro- The main idea is to use a logging mechanism to record the ner’s Toolkit [5] have been developed for recovering deleted modifications to each disk block, and then employ fast algo- Unix files. rithms to reconstruct the contents of a file (or a directory) as The above-mentioned utilities take advantage of the it existed sometime in the past. Such a consistent snapshot availability of remnants of deleted files in various sectors of of a file may be used to determine whether a given file ever the hard disk to recover useful information. However, these existed on disk, to undelete a file that was deleted long ago, techniques are not very effective when the data in the hard or to obtain a timeline of activities on a file. This can also disk is overwritten. Overwriting data may be viewed as cre- be used to validate that a file with given contents existed at ating a new “layer” of bytes over the existing layer of data some time in the past or to refute a claim that a file existed in in the hard disk.
    [Show full text]
  • The Second Extended File System Internal Layout
    The Second Extended File System Internal Layout Dave Poirier <[email protected]> The Second Extended File System: Internal Layout by Dave Poirier Copyright © 2001-2019 Dave Poirier Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license can be acquired electronically from http://www.fsf.org/licenses/fdl.html or by writing to 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Table of Contents About this book ............................................................................................................... viii 1. Historical Background ...................................................................................................... 1 2. Definitions ..................................................................................................................... 2 Blocks ....................................................................................................................... 2 Block Groups ............................................................................................................. 3 Directories ................................................................................................................. 3 Inodes ....................................................................................................................... 3
    [Show full text]
  • Unboundid Directory Server Administration Guide
    UnboundID® Directory Server Administration Guide Version 3.5 UnboundID Corp 13809 Research Blvd, Suite 500 Austin, Texas, 78750 Tel: +1 512.600.7700 Email: [email protected] Copyright This document constitutes an unpublished, copyrighted work and contains valuable trade secrets and other confidential information belonging to UnboundID Corporation. None of the foregoing material may be copied, duplicated, or disclosed to third parties without the express written permission of UnboundID Corporation. This distribution may include materials developed by third parties. Third-party URLs are also referenced in this document. UnboundID is not responsible for the availability of third-party web sites mentioned in this document. UnboundID does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. UnboundID will not be responsible or liable for any actual or alleged damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through such sites or resources. “UnboundID” is a registered trademark of UnboundID Corporation. UNIX is a registered trademark in the United States and other countries, licenses exclusively through The Open Group. All other registered and unregistered trademarks in this document are the sole property of their respective owners. The contents of this publication are presented for information purposes only and is provided “as is”. While every effort has been made to ensure the accuracy of the contents, the contents are not to be construed as warranties or guarantees, expressed or implied, regarding the products or services described herein or their use or applicability.
    [Show full text]
  • Linux Ext2fs Undeletion Mini-HOWTO
    Linux Ext2fs Undeletion mini-HOWTO Aaron Crane, [email protected] v1.3, 2 F´evrier 1999 (Adaptation fran¸caisepar Miodrag Vallat <mailto:[email protected]> , anciennement par G´eraud Canet <mailto:[email protected]> et Sylviane Regnault <mailto:[email protected]. u-bordeaux.fr> ). Imaginez un peu. Vous avez pass´eles trois derniers jours sans dormir, sans manger, sans mˆeme prendre une douche. Votre bidouillomanie compulsive a enfin port´eses fruits : vous avez achev´ece programme qui vous apportera gloire et admiration du monde entier. Allez, plus qu’`aarchiver tout ¸caet l’envoyer `aMetalab. Ah, et puis virer toutes ces sauvegardes automatiques d’Emacs. Alors vous tapez rm * ~. Et, trop tard, vous remarquez l’espace en trop. Vous avez d´etruit votre oeuvre maˆıtresse ! Mais, heureusement, vous avez de l’aide `aport´eede main. Ce document pr´esente une discussion de la r´ecup´eration de fichiers supprim´esdepuis le Second syst`emede fichiers ´etendu ext2fs. Esp´erez,peut-ˆetrepourrez-vous distribuer votre programme malgr´e tout... Contents 1 Introduction 2 1.1 Historique des r´evisions ....................................... 2 1.1.1 Nouveaut´es de la version 1.1 ................................ 3 1.1.2 Nouveaut´es de la version 1.2 ................................ 3 1.1.3 Nouveaut´es de la version 1.3 ................................ 3 1.2 O`utrouver ce document ....................................... 3 2 Comment ne pas supprimer de fichiers 4 3 A` quel taux de r´ecup´eration puis-je m’attendre ? 5 4 Bon, alors comment je r´ecup`ereun fichier ? 6 5 D´emonter le syst`eme de fichiers 6 6 Pr´eparer la modification directe des inodes 7 7 Pr´eparer l’´ecriture`aun autre endroit 7 8 Trouver les inodes supprim´es 8 9 Obtenir des d´etails sur les inodes 9 10 R´ecup´ererles blocs de donn´ees 10 10.1 Les fichiers courts ..........................................
    [Show full text]