Forensics tools for HammerFS

Siju George sgeorge.ml at gmail.com
Fri Aug 14 02:25:56 PDT 2009


On Mon, Aug 10, 2009 at 8:13 PM, Matthew Dillon <dillon at apollo.backplane.com> wrote:
>
>    'hammer -f <device> show' will dump the media structures.
>

Thanks for the reply Matt :-)
How do I specify the <device>? I did

dfly-bkpsrv# disklabel /dev/ad4s1 | grep HAMMER
  h:  955801585   20971520    HAMMER    #  466699.993MB
dfly-bkpsrv# hammer -f /dev/ad4s1h
hammer -h
hammer [-2qrvy] [-b bandwidth] [-c cyclefile] [-f blkdev[:blkdev]*]
       [-i delay ] [-t seconds] command [argument ...]
hammer synctid <filesystem> [quick]
hammer -f blkdev[:blkdev]* blockmap
hammer bstats [interval]
hammer iostats [interval]
hammer history[@offset[,len]] <file> ...
hammer -f blkdev[:blkdev]* [-r] [-vvv] show [offset]
hammer namekey1 <path>
hammer namekey2 <path>
hammer cleanup [<filesystem> ...]
hammer info
hammer snapshot [<filesystem>] <snapshot-dir>
hammer prune <softlink-dir>
hammer prune-everything <filesystem>
hammer rebalance <filesystem> [saturation_percentage]
hammer reblock[-btree/inodes/dirs/data] <filesystem> [fill_percentage]
hammer pfs-status <dirpath> ...
hammer pfs-master <dirpath> [options]
hammer pfs-slave <dirpath> [options]
hammer pfs-update <dirpath> [options]
hammer pfs-upgrade <dirpath>
hammer pfs-downgrade <dirpath>
hammer pfs-destroy <dirpath>
hammer mirror-read <filesystem> [begin-tid]
hammer mirror-read-stream <filesystem> [begin-tid]
hammer mirror-write <filesystem>
hammer mirror-dump
hammer mirror-copy [[user@]host:]<filesystem> [[user@]host:]<filesystem>
hammer mirror-stream [[user@]host:]<filesystem> [[user@]host:]<filesystem>
hammer version <filesystem>
hammer version-upgrade <filesystem> version# [force]
hammer expand <filesystem> <device>


>    undo -i <filename> will locate any retained history for a file or
>    prior incarnation of a file, if it exists.
>

If the file exists or if the history exists?
It seems if I delete a file its history also vanishes.

dfly-bkpsrv# undo -i 1.txt
1.txt: ITERATE ENTIRE HISTORY
        0x000000011cab1960 14-Aug-2009 14:29:52
        0x000000011cab19a0 14-Aug-2009 14:30:01
        0x000000011cab19c0 14-Aug-2009 14:30:10
        0x000000011cab19e0 14-Aug-2009 14:30:17
dfly-bkpsrv# rm 1.txt
dfly-bkpsrv# undo -i 1.txt
1.txt: ITERATE ENTIRE HISTORY: Unknown error: 0

>  If no snapshots have been
>    made yet but the filesystem is mounted normally (not mounted 'nohistory'),
>    then there should be history associated with it.
>

File System is mounted normally

Backup1 on /Backup1 (hammer, local)
But when the file is deleted the history also vanishes.


>    Trying to find old file data on-media is possible but without any
>    meta-data to point at it the best you can do is to try to pick it out
>    of the disk image.
>

How do I pick it out of the disk image?

Thanks

Siju
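
The following is an added example, not part of the original message or of the HAMMER tools: one generic way to "pick data out of the disk image" when no meta-data points at it, by scanning a raw copy of the volume for a byte string known to have been in the lost file. It knows nothing about HAMMER's on-media layout; the marker, the sample image and the function names are constructed for illustration, and it assumes you read from an image copy opened in binary mode.

```python
import io

def find_marker_offsets(image, marker, chunk_size=1 << 20):
    """Return the absolute offset of every occurrence of `marker` in a raw image.

    `image` is any binary file object (for example a copy of the volume
    opened with mode "rb"). It is read in chunks, so it need not fit in memory.
    """
    if not marker:
        raise ValueError("marker must not be empty")
    overlap = len(marker) - 1   # bytes carried over so boundary hits are seen
    tail = b""
    base = 0                    # absolute image offset of buf[0]
    offsets = []
    while True:
        chunk = image.read(chunk_size)
        if not chunk:
            return offsets
        buf = tail + chunk
        hit = buf.find(marker)
        while hit != -1:
            offsets.append(base + hit)
            hit = buf.find(marker, hit + 1)
        # Keep only len(marker)-1 bytes: enough to complete a split match,
        # too few to report the same match twice.
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)

def carve(image, offset, length, lead=0):
    """Read `length` bytes at `offset`, plus up to `lead` bytes before it."""
    start = max(0, offset - lead)
    image.seek(start)
    return image.read(offset - start + length)

# Constructed sample "image": two text fragments surrounded by filler bytes.
MARKER = b"invoice-2009"
SAMPLE_IMAGE = (b"\x00" * 30 + b"invoice-2009 line one\n"
                + b"\x00" * 50 + b"invoice-2009 line two\n" + b"\xff" * 10)

if __name__ == "__main__":
    img = io.BytesIO(SAMPLE_IMAGE)
    # A tiny chunk size forces the first marker to straddle a chunk boundary.
    for off in find_marker_offsets(img, MARKER, chunk_size=16):
        print(hex(off), carve(img, off, 22))
```

The reported offsets are positions in the raw image, so the surrounding bytes still have to be inspected by hand to decide where the recovered data starts and ends.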




