Try to recover file of random data in UFS

L

lib13

Hi all,

Just after I moved my backup data to an encrypted GELI partition, I did a newfs on the /root directory of the backup disk by mistake. There are no files created in the new filesystem, though.
The /root directory is in the / slice of 2GB of size.
I've already built a dd image of the slice.

The GELI key previously stored in /root was created as
Code: 
dd if=/dev/random of=/root/ada0.key bs=128 count=1

Tried to use cgsecurity's photorec and testdisk, but I think there's no way I can use them to recover the file, since it's not possible to define a signature to the searched file that is built from random data.

I'm writing here in the hope that someone could give me some light on whether it's feasible to recover the file.

I was thinking of building a C program to read all sectors of the slice image searching for files of size 128 bytes.
I have no knowledge of how the UFS filesystem is built.
What practical pointers are there that could be useful for me?
 
If you compile a C program to search the minimum sector resolution is 512B. But if you write program that search metadata (inodes data) to dump information about all files with 128 bytes size (they will occupy 2-8KB on disk in reality). You can get physical sectors number where that data can be. You can next dump any first sector which belong to the 128 bytes size file - probably there will be just single one or few such files, but...
1st - You need detailed knowledge about inodes/metadata storing in UFS.
2nd - Partition/disk with this file MUST have been immediately unmounted and never mounted RW again.
I had few successes in writing such recover tools in the past - but never for random data, but also I never known file size - I mainly recovered C sources files and I was searching for keywords in sectors like #include or void* etc.
 
Thank you, @MorgothV8!

I tried to find an explanation of UFS in order to understand how superblocks, blocks, inodes and metadata are arranged. The closest I found was this, but it's meant for the ext2 filesystem.

I've checked /usr/src/sys/ufs. I don't know which branch to choose from ./ufs or ./ffs, though. The header files are well documented but not enough for a new comer in the subject as myself.

Is there any document explaining UFS, how the filesystem is laid out, where and how metadata is stored?
 
Last edited by a moderator:
I don't know details - all should be in FreeBSD sources. Look for some "magic number" for UFS/UFS2.
Then look for this magic number (in HEX) in disc sectors - I would start with it.
 
You must log in or register to reply here.
Back
Top