Re: recovery from 'rm -rf /'

From: Martijn Lina (martijn@medialab.lostboys.nl)
Date: 10/04/01


Date: Thu, 4 Oct 2001 13:22:56 +0200
From: Martijn Lina <martijn@medialab.lostboys.nl>
To: freebsd-security@freebsd.org


Once upon a 04-10-2001, Sheldon Hearn hit keys in the following order:
>
> > first of all, be sure that absolutely nothing is writing to the disk
> > anymore. the inodes that have been freed last, will be the first to be
> > used again.
>
> Are you sure about that?

pretty sure. Wietse Venema said that in a Dr. Dobb's journal:

        For all intents and purposes, when you delete a file with
        "rm" it is gone. Once you "rm" a file, the system totally
        forgets which blocks scattered around the disk were part
        of your file. Even worse, the blocks from the file you
        just deleted are going to be the first ones taken and
        scribbled upon when the system needs more disk space.

http://www.ddj.com/articles/2000/0012/0012h/0012h.htm

i think it's because of better performance. if the system has no info about
which inodes are free to write to, it would have to look on the disc which one
can be used. if inodes are deleted, the system would benefit from keeping
references of those unallocated inodes in memory, so it wouldn't have to look
on the disc. saves time...

some other links to similar articles can be found here:

http://www.fish.com/forensics/

just when i was in search of that article, i found tctutils, an extension to
Wietse's tct which might be useful:

http://www.cerias.purdue.edu/homes/carrier/forensics/

martijn
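
The reuse-order argument in the message above, as an added example that is not part of the original post: a toy free list comparing last-freed-first-reused allocation with oldest-free-first allocation, to show why writes right after an `rm` matter for recovery. The single free list, the block counts and the function names are assumptions made for illustration; this does not model how FFS or any specific file system allocates.

```python
from collections import deque

def survivors_after_writes(policy, disk_blocks=64, file_blocks=8, writes=8):
    """Simulate deleting one file, then allocating `writes` new blocks.

    Returns a list: element i is how many of the deleted file's blocks
    are still intact after i+1 new blocks have been written.
    Toy model (assumption): a single free list, one block per write.
    """
    if policy not in ("lifo", "fifo"):
        raise ValueError("policy must be 'lifo' or 'fifo'")
    victim = set(range(file_blocks))               # blocks of the deleted file
    free = deque(range(file_blocks, disk_blocks))  # blocks that were already free
    free.extend(sorted(victim))                    # rm: file blocks are freed last
    curve = []
    for _ in range(writes):
        if not free:
            break                                  # disk full, nothing more is reused
        # lifo: last freed is reused first; fifo: longest-free is reused first
        block = free.pop() if policy == "lifo" else free.popleft()
        victim.discard(block)                      # overwritten, content is gone
        curve.append(len(victim))
    return curve

def first_loss(policy, **kw):
    """Number of the write (1-based) that destroys the first file block, or None."""
    full = kw.get("file_blocks", 8)
    for i, left in enumerate(survivors_after_writes(policy, **kw), start=1):
        if left < full:
            return i
    return None

if __name__ == "__main__":
    # Constructed scenario: 64-block disk, 8-block file deleted, 60 later writes.
    for policy in ("lifo", "fifo"):
        curve = survivors_after_writes(policy, writes=60)
        print(policy, "first loss at write", first_loss(policy, writes=60),
              "| intact after 4 writes:", curve[3])
```

Under the last-freed-first-reused policy the very first write after the deletion already destroys recoverable data, which is the case the "stop all writes" advice guards against.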


