Solved Recover/Clear Data from ZFS on USB Device.

MrPollard

New Member


Messages: 6

Hey, I have a usb device that is formatted to ZFS and I am looking to first View the data on the device and then clear it if necessary.

I was drawn to using FreeBSD because of the native ZFS support out of the box, and I have an instance running in a Virtualbox VM.

I have installed usbutils and the the virtualbox extensions pack, is there any specific method to verify BSD can see the USB device? I ran zpool list and zpool import, but neither return any results, I'm unfamiliar with the zfs workflow. Should I be creating a pool and trying to import the zfs device into the pool to view its data? Any help much appreciated.
 

ralphbsz

Daemon

Reaction score: 1,169
Messages: 1,885

If the storage device has ZFS data on it, it is part of a pool. So don't create a new pool.

First question: Can you actually see the device in hardware, as a block device? When you attach it, are there entries in dmesg telling you that it was found? What block devices /dev/*da* do you have? My suspicion is that the storage device is not actually connected to the FreeBSD OS you are running. Also try running usbconfig, and see whether the device is visible there. Here is some example output from my system, and it is easy to spot the disk drive:
Code:
ugen5.1: <Intel UHCI root HUB> at usbus5, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen4.1: <0x1b21 XHCI root HUB> at usbus4, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=SAVE (0mA)
ugen3.1: <Intel EHCI root HUB> at usbus3, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen2.1: <Intel UHCI root HUB> at usbus2, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen0.1: <Intel UHCI root HUB> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen8.1: <Intel EHCI root HUB> at usbus8, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen6.1: <Intel UHCI root HUB> at usbus6, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen1.1: <Intel UHCI root HUB> at usbus1, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen7.1: <Intel UHCI root HUB> at usbus7, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen4.2: <Seagate Ultra Slim MT> at usbus4, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=ON (36mA)
ugen3.2: <U.S.Robotics USB Modem> at usbus3, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (360mA)
ugen0.2: <Lite-On Technology Corp. ThinkPad USB Keyboard with TrackPoint> at usbus0, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
ugen6.2: <APC Back-UPS ES 550 FW843.K2 .D USB FWK2> at usbus6, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (2mA)
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

I have installed usbutils and the the virtualbox extensions pack, is there any specific method to verify BSD can see the USB device?
21.6.2. VirtualBox™ USB Support
(I'm not sure if USB 2.0 and/or 3.0 has been added yet)
Edit: Oops. That's for FreeBSD host, not a guest.


Should I be creating a pool and trying to import the zfs device into the pool to view its data?
Creating a pool will destroy any existing data. Just try to import it, that's all that would be needed to make it "available".
 
OP
OP
M

MrPollard

New Member


Messages: 6

Can you actually see the device in hardware, as a block device?
Originally I thought the device was showing up in the VM but it turns out it is only recognized in the host. Thank you for your time and effort. I'll have to pursue other methods for extracting data off the device.
 

linux->bsd

Active Member

Reaction score: 63
Messages: 162

Originally I thought the device was showing up in the VM but it turns out it is only recognized in the host. Thank you for your time and effort. I'll have to pursue other methods for extracting data off the device.
How about booting up a FreeBSD LiveCD to inspect the USB drive?
 

F1R3-R4H

Member

Reaction score: 1
Messages: 23

1) If you aren't familiar with zfs, nor want to deal twith that, why you used it? First try to learn at least the basic, then use it. Next it's learn more.
2) Let's suposse you have root access, connect or plug in the USB, then type this: sudo dmesg . It should show you where is the device and another info.
2-a) If you could see the device, type $mount /dev/daXsY Where "X" it's the number of the device, and "Y" the partition that you need to access/view its content. I suggest to you to mount it in /tmp or /mnt . And if you have more knowledge of mounting devices, try to create a point dedicated for it.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

2) Let's suposse you have root access, connect or plug in the USB, then type this: sudo dmesg .
If you're already root there's no need to run sudo(8). And dmesg(8) doesn't require root access, any user can run it.
2-a) If you could see the device, type $mount /dev/daXsY Where "X" it's the number of the device, and "Y" the partition that you need to access/view its content.
"Y" is the slice. But besides some semantics, you simply cannot mount(8) a ZFS filesystem like this.
 
OP
OP
M

MrPollard

New Member


Messages: 6

1) If you aren't familiar with zfs, nor want to deal twith that, why you used it? First try to learn at least the basic, then use it. Next it's learn more.
2) Let's suposse you have root access, connect or plug in the USB, then type this: sudo dmesg . It should show you where is the device and another info.
2-a) If you could see the device, type $mount /dev/daXsY Where "X" it's the number of the device, and "Y" the partition that you need to access/view its content. I suggest to you to mount it in /tmp or /mnt . And if you have more knowledge of mounting devices, try to create a point dedicated for it.
I'm just a guy trying to recover information, I have no control over the format in which it was presented. I'm not resistant to learning about ZFS I was just asking if anyone has come across this before.
 
OP
OP
M

MrPollard

New Member


Messages: 6

I know I have marked this solved but, I've reached the point where I suspect the device is part of a zfs pool and not a zfs pool itself, I'm going to guess it's "zraid1" (mirrored pool). Is it possible to add the device to an empty pool and preserve it's data?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

I've reached the point where I suspect the device is part of a zfs pool and not a zfs pool itself, I'm going to guess it's "zraid1" (mirrored pool).
If it was part of a mirror set then you can still import it. It would be in a DEGRADED state because it's missing its mirrored counterpart but the data would still be accessible and valid. If it was part of a striped set or RAID-Z (or Z2) then you would be missing too many devices and you won't be able to import it or salvage any data from that single device.

Is it possible to add the device to an empty pool and preserve it's data?
No need. And keep in mind that any disk you add to a pool will have its data destroyed. You cannot add devices to a pool while preserving that device's data.
 

getopt

Aspiring Daemon

Reaction score: 407
Messages: 609

dmesg(8) doesn't require root access, any user can run it.
That is only true for systems having
Code:
security.bsd.unprivileged_read_msgbuf: 0
which points to a not hardened configuration. ;)

So seeing this is common and absolutely not a problem:
Code:
 > dmesg
dmesg: sysctl kern.msgbuf: Operation not permitted
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

That's an odd setting though, the same information is readable by anyone in /var/log/messages. In order to make the security setting more effective you'd have to secure /var/log/messages separately.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

Having logfiles with permissions world readable is more than odd.
That's actually the default and has been for a very long time, /var/log/messages at least, auth.log and a few others are not. But a surprising number of logs are world-readable by default.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

Oh, I absolutely agree. But the same can be said for those sysctls. In my opinion those settings shouldn't be in the installer, I see too many people enabling them without understanding what they do and what the consequences are. Or only enabling those and not "completing" it by securing a whole bunch of other things. Just take them out of the installer and add a separate "security" utility that is able to secure everything in one go in a consistent manner.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

Why don't you share your "security utility" with us?
What security? I already told you our logs are world-readable. :p

Come on! Sure you have one ... :)
And yes, consistency matters!
Well, thinking about it. It's actually not a bad idea to create a tool for it. Lots of options to enable or disable with big fat warnings about the consequences but easy enough to use for someone with little to no experience securing an OS.
 
OP
OP
M

MrPollard

New Member


Messages: 6

First, Thank You all for your help.

Second, I've progressed to the point where I was able to clone the device to another USB Stick, create a file-based zfs pool, force add the cloned device to the pool and then mount the pool to the system's FS. I suspect I went wrong in either mounting the pool or when I added the clone to the pool. I interrogated the clone with `zdb -l` before I added it to the pool;

Code:
------------------------------------
LABEL 0
------------------------------------
    version: 37
    name: 'tpbth-rr-691_fs'
    state: 0
    txg: 0
    pool_guid: 8685194153895889622
    timestamp: 1539005150
    hostid: 2260437090
    hostname: 'tpbth-rr-691'
    top_guid: 7322047526467132111
    guid: 7322047526467132111
    is_log: 1
    vdev_children: 51
    vdev_tree:
        type: 'disk'
        id: 50
        guid: 7322047526467132111
        path: '/dev/dsk/c6t0d0s0'
        devid: 'id1,sd@SMICRON__eUSB_DISK_______12F0022700184307/a'
        phys_path: '/pci@300/pci@2/usb@0/hub@4/storage@2/disk@0,0:a'
        devchassis: '/dev/chassis/SYS/MB/EUSB_DISK/disk'
        chassissn: 'AK00372935'
        location: '/SYS/MB/EUSB_DISK'
        whole_disk: 1
        metaslab_array: 0
        metaslab_shift: 0
        ashift: 9
        asize: 2013265920
        is_log: 1
        removing: 1
    create_txg: 0
    labels = 0 1 2 3
And then after I adding to the pool, and mounting into the host FS;
Code:
------------------------------------
LABEL 0
------------------------------------
    version: 5000
    name: 'smtzfs'
    state: 2
    txg: 131
    pool_guid: 18081915658734526957
    errata: 0
    hostname: 'Neon-Vostro-260'
    top_guid: 5354621024871844464
    guid: 5354621024871844464
    vdev_children: 2
    vdev_tree:
        type: 'disk'
        id: 1
        guid: 5354621024871844464
        path: '/dev/sde1'
        whole_disk: 1
        metaslab_array: 384
        metaslab_shift: 27
        ashift: 9
        asize: 15485894656
        is_log: 0
        create_txg: 11
    features_for_read:
        com.delphix:hole_birth
        com.delphix:embedded_data
    labels = 0 1 2 3
If I browse where I thought I mounted the pool, by doing ls, I get an empty location. Judging by my before and after interrogations, it looks like the device changed when added to the pool.

I'm going to clone and try again when I have some more free time.
 

F1R3-R4H

Member

Reaction score: 1
Messages: 23

Just curiosity, but you didn't put any critical information there, right?
 
OP
OP
M

MrPollard

New Member


Messages: 6

Nope nothing critical, the original device is still intact. Just need to verify there is no Intellectual Property on the device and document and clear it if there is.

Working from copies of the original so I can create a "workflow" or set of work instructions.
 

Vull

Well-Known Member

Reaction score: 119
Messages: 285

That is only true for systems having
Code:
security.bsd.unprivileged_read_msgbuf: 0
which points to a not hardened configuration. ;)

So seeing this is common and absolutely not a problem:
Code:
 > dmesg
dmesg: sysctl kern.msgbuf: Operation not permitted
I can run dmesg from my non-root user account without this setting. I'm guessing it's probably because my non-root account is a member of the wheel group.
 
Top