Ext4magic: Inode - Directory - Journal - Install - Time_Options - Histogram - Scenarios - Tips&Tricks - Manpage - Expert-Mode |
Directories are a special file format. The data blocks of a directory file hold the file names and the corresponding inode numbers for all files in that directory. Chaining the directory files together finally yields the path at which a file is found in the file tree.
The data in the directory blocks are a table with the file name, the corresponding inode number and a flag that determines the file type. Each entry contains a hint where the next entry starts. In this way, all file names are linked together in the directory list. Deleted files are unlinked in this list and skipped when reading the file names of this directory.
Deleted file names and their inode numbers remain in the directory data, between the undeleted entries. The system automatically cleans up old deleted entries later, step by step.
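The linked list described above, as an added example that is not part of ext4magic or of the original page: a parser for one linear directory block that follows the live chain and then searches the unused space behind each live entry for stale entries. It assumes the little-endian `ext4_dir_entry_2` layout (32-bit inode, 16-bit record length, 8-bit name length, 8-bit file type, name); the function names and the 128-byte sample block, which mirrors the `test1` listing shown further down, are constructed for illustration, and HTREE blocks and checksum tails are not handled.

```python
import struct

HDR = "<IHBB"  # ext4_dir_entry_2 header: inode, rec_len, name_len, file_type

def real_len(name_len):
    """Bytes an entry actually needs: 8-byte header plus name, padded to 4."""
    return (8 + name_len + 3) & ~3

def pack_entry(inode, rec_len, ftype, name):
    """Build one entry for the constructed sample block."""
    raw = struct.pack(HDR, inode, rec_len, len(name), ftype) + name
    return raw.ljust(real_len(len(name)), b"\0")

def scan_slack(block, pos, end):
    """Find stale entries in the unused space behind a live entry."""
    found = []
    while pos + 8 <= end:
        inode, rec_len, nlen, ftype = struct.unpack_from(HDR, block, pos)
        if (inode and nlen and 1 <= ftype <= 7 and rec_len % 4 == 0
                and real_len(nlen) <= rec_len and pos + real_len(nlen) <= end):
            name = block[pos + 8:pos + 8 + nlen].decode("utf-8", "replace")
            found.append((inode, ftype, name))
            pos += real_len(nlen)
        else:
            pos += 4  # entries are 4-byte aligned
    return found

def parse_dir_block(block):
    """Return (live, deleted) lists of (inode, file_type, name)."""
    live, deleted, off = [], [], 0
    while off + 8 <= len(block):
        inode, rec_len, nlen, ftype = struct.unpack_from(HDR, block, off)
        if rec_len < 8 or rec_len % 4 or off + rec_len > len(block):
            break  # broken chain: stop instead of following a bad pointer
        if inode:  # inode 0 marks an unused slot
            name = block[off + 8:off + 8 + nlen].decode("utf-8", "replace")
            live.append((inode, ftype, name))
        deleted += scan_slack(block, off + real_len(nlen), off + rec_len)
        off += rec_len
    return live, deleted

def sample_block():
    """Constructed 128-byte block: file2 was deleted, file1's rec_len covers it."""
    parts = [pack_entry(8193, 12, 2, b"."), pack_entry(2, 12, 2, b".."),
             pack_entry(8194, 32, 1, b"file1"), pack_entry(8195, 16, 1, b"file2"),
             pack_entry(8196, 16, 1, b"file3"), pack_entry(8197, 56, 1, b"file4")]
    return b"".join(parts).ljust(128, b"\0")

if __name__ == "__main__":
    live, deleted = parse_dir_block(sample_block())
    for inode, ftype, name in deleted:
        print(f"<{inode}> ({ftype}) {name}")
```

Because stale entries are found by plausibility checks rather than by following a pointer, leftover bytes can produce false positives on real blocks, which is one source of the ambiguous results described in the next paragraph.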
Directory data are not always unambiguous when restoring files. The sum of deleted and undeleted entries can contain the same file name multiple times or can contain the same inode number more than once. The result can be multiple recoveries of the same file, or wrong file names. It is also possible that the inode number of a deleted file cannot be found by file name.
The directory information is displayed along with the inode when the inode is a directory and is not marked as deleted. For example, the current root directory of a file system image (the inode output is removed):
ROBI@LINUX:/tmp/test1 # ext4magic /home/rob/test/test.iso -I 2
.....
2 d 755 (2) 0 0 4096 24-Apr-2010 11:16 .
2 d 755 (2) 0 0 4096 24-Apr-2010 11:16 ..
11 d 700 (2) 0 0 16384 10-Dec-2009 19:36 lost+found
15 l 777 (7) 0 0 11 12-Apr-2010 19:20 link1
16 l 777 (7) 0 0 11 12-Apr-2010 19:20 link2
17 l 777 (7) 0 0 11 12-Apr-2010 19:20 link3
18 l 777 (7) 0 0 14 12-Apr-2010 19:20 link4
19 _ 644 (1) 0 0 524288000 24-Apr-2010 11:17 file3.sparse
< 20> _ 644 (1) 0 0 0 23-Apr-2010 20:50 file1.sparse
< 57350> d 755 (2) 0 0 0 10-Dec-2009 20:36 test8
12 _ 644 (1) 0 0 1601 10-Dec-2009 20:30 find
13 _ 644 (1) 0 0 7410 10-Dec-2009 20:35 find_ls
14 _ 644 (1) 0 0 29361 10-Dec-2009 20:35 find_stat
First column: Inode number; if it is enclosed in "<>", the file is marked as deleted in the directory
Second column: Flag for the file type (from inode data)
Third column: Access rights in octal form
Fourth column: File type flag from directory entry
Fifth and sixth column: UserID and GroupID
Seventh column: File size. (The value may be incorrect; the inode does not always match exactly in time.)
Eighth column: mtime
Last column: File name
The example shows a root directory which has some files and links, a deleted directory and a deleted file. This is the current directory in the file system (no command line option that opens the journal was given). Note that not only the raw directory data is displayed but also data from the linked inodes; the time, size and access rights can only be found there.
The same inode with a journal option produces the following output (inode data removed):
ROBI@LINUX:/tmp/test1 # ext4magic /home/rob/test/test.iso -I 2 -T | sed -ne '/^ *2/,/^$/p'
2 d 755 (2) 0 0 4096 10-Dec-2009 20:30 .
2 d 755 (2) 0 0 4096 10-Dec-2009 20:30 ..
11 d 700 (2) 0 0 16384 10-Dec-2009 19:36 lost+found
8193 d 755 (2) 0 0 4096 10-Dec-2009 19:40 test1
16385 d 755 (2) 0 0 0 10-Dec-2009 20:36 test2
24577 d 755 (2) 0 0 0 10-Dec-2009 20:36 test3
40961 d 755 (2) 0 0 0 10-Dec-2009 20:36 test4
57345 d 755 (2) 0 0 0 10-Dec-2009 20:36 test5
49153 d 755 (2) 0 0 4096 10-Dec-2009 20:18 test6
16386 d 755 (2) 0 0 0 10-Dec-2009 20:36 test7
57350 d 755 (2) 0 0 0 10-Dec-2009 20:36 test8
12 _ 644 (1) 0 0 1601 10-Dec-2009 20:30 find
2 d 755 (2) 0 0 4096 10-Dec-2009 20:31 .
2 d 755 (2) 0 0 4096 10-Dec-2009 20:31 ..
11 d 700 (2) 0 0 16384 10-Dec-2009 19:36 lost+found
8193 d 755 (2) 0 0 4096 10-Dec-2009 19:40 test1
16385 d 755 (2) 0 0 0 10-Dec-2009 20:36 test2
24577 d 755 (2) 0 0 0 10-Dec-2009 20:36 test3
40961 d 755 (2) 0 0 0 10-Dec-2009 20:36 test4
57345 d 755 (2) 0 0 0 10-Dec-2009 20:36 test5
49153 d 755 (2) 0 0 0 10-Dec-2009 20:36 test6
16386 d 755 (2) 0 0 0 10-Dec-2009 20:36 test7
57350 d 755 (2) 0 0 0 10-Dec-2009 20:36 test8
12 _ 644 (1) 0 0 1601 10-Dec-2009 20:30 find
13 _ 644 (1) 0 0 7331 10-Dec-2009 20:31 find_ls
2 d 755 (2) 0 0 4096 10-Dec-2009 20:31 .
2 d 755 (2) 0 0 4096 10-Dec-2009 20:31 ..
11 d 700 (2) 0 0 16384 10-Dec-2009 19:36 lost+found
8193 d 755 (2) 0 0 4096 10-Dec-2009 19:40 test1
16385 d 755 (2) 0 0 0 10-Dec-2009 20:36 test2
24577 d 755 (2) 0 0 0 10-Dec-2009 20:36 test3
40961 d 755 (2) 0 0 0 10-Dec-2009 20:36 test4
57345 d 755 (2) 0 0 0 10-Dec-2009 20:36 test5
49153 d 755 (2) 0 0 0 10-Dec-2009 20:36 test6
16386 d 755 (2) 0 0 0 10-Dec-2009 20:36 test7
57350 d 755 (2) 0 0 0 10-Dec-2009 20:36 test8
12 _ 644 (1) 0 0 1601 10-Dec-2009 20:30 find
13 _ 644 (1) 0 0 7410 10-Dec-2009 20:35 find_ls
14 _ 644 (1) 0 0 29361 10-Dec-2009 20:31 find_stat
2 d 755 (2) 0 0 4096 10-Dec-2009 20:36 .
2 d 755 (2) 0 0 4096 10-Dec-2009 20:36 ..
11 d 700 (2) 0 0 16384 10-Dec-2009 19:36 lost+found
< 8193> d 755 (2) 0 0 0 10-Dec-2009 20:36 test1
< 16385> d 755 (2) 0 0 0 10-Dec-2009 20:36 test2
< 24577> d 755 (2) 0 0 0 10-Dec-2009 20:36 test3
< 40961> d 755 (2) 0 0 0 10-Dec-2009 20:36 test4
< 57345> d 755 (2) 0 0 0 10-Dec-2009 20:36 test5
< 49153> d 755 (2) 0 0 0 10-Dec-2009 20:36 test6
< 16386> d 755 (2) 0 0 0 10-Dec-2009 20:36 test7
< 57350> d 755 (2) 0 0 0 10-Dec-2009 20:36 test8
12 _ 644 (1) 0 0 1601 10-Dec-2009 20:30 find
13 _ 644 (1) 0 0 7410 10-Dec-2009 20:35 find_ls
14 _ 644 (1) 0 0 29361 10-Dec-2009 20:35 find_stat
2 d 755 (2) 0 0 4096 24-Apr-2010 11:16 .
2 d 755 (2) 0 0 4096 24-Apr-2010 11:16 ..
11 d 700 (2) 0 0 16384 10-Dec-2009 19:36 lost+found
15 l 777 (7) 0 0 11 12-Apr-2010 19:20 link1
16 l 777 (7) 0 0 11 12-Apr-2010 19:20 link2
17 l 777 (7) 0 0 11 12-Apr-2010 19:20 link3
18 l 777 (7) 0 0 14 12-Apr-2010 19:20 link4
19 _ 644 (1) 0 0 524288000 24-Apr-2010 11:17 file3.sparse
< 20> _ 644 (1) 0 0 0 23-Apr-2010 20:50 file1.sparse
< 57350> d 755 (2) 0 0 0 10-Dec-2009 20:36 test8
12 _ 644 (1) 0 0 1601 10-Dec-2009 20:30 find
13 _ 644 (1) 0 0 7410 10-Dec-2009 20:35 find_ls
14 _ 644 (1) 0 0 29361 10-Dec-2009 20:35 find_stat
The following example shows a piece of the version history of this directory. "test1/" to "test7/" were deleted some time ago, and no trace of them exists in the current directory. Even though the directories were deleted a long time ago, their directory data can be found when the journal is searched for inode data.
ROBI@LINUX:/tmp/test1 # ext4magic /home/rob/test/test.iso -I 8193 -T | sed -ne '/^ *8193/,/^$/p'
8193 d 755 (2) 0 0 4096 10-Dec-2009 19:40 .
2 d 755 (2) 0 0 4096 10-Dec-2009 20:36 ..
8194 _ 777 (1) 1000 100 6 10-Dec-2009 19:40 file1
< 8195> _ 777 (1) 1000 100 6 10-Dec-2009 19:40 file2
8196 _ 777 (1) 1000 100 6 10-Dec-2009 19:40 file3
8197 _ 777 (1) 1000 100 6 10-Dec-2009 19:40 file4
8193 d 755 (2) 0 0 4096 10-Dec-2009 20:36 .
2 d 755 (2) 0 0 4096 10-Dec-2009 20:36 ..
8194 _ 777 (1) 1000 100 0 10-Dec-2009 20:36 file1
< 8195> _ 777 (1) 1000 100 6 10-Dec-2009 19:40 file2
8196 _ 777 (1) 1000 100 0 10-Dec-2009 20:36 file3
8197 _ 777 (1) 1000 100 0 10-Dec-2009 20:36 file4
The output for large directories may differ considerably with and without a journal option. Without a journal option, ext4magic uses the functions of libext2fs. With a journal option, modified ext4magic functions are used. The difference arises because the ext4magic internal functions skip blocks that contain HTREE data. These blocks hold only deleted, redundant entries, which are often completely out of date, and this HTREE data often causes problems when recovering files. If in doubt, the directory output with a journal option is "the more correct".