Forensics tools for HammerFS

Matthew Dillon dillon at apollo.backplane.com
Mon Aug 10 07:47:51 PDT 2009


:HI,
:
:Are there any current Forensic tools that will work with a hammerfs
:disk image made by dd?
:I guess sleuthkit and autopsy won't work.
:And what is the best way to undelete a file from hammerfs for which no
:snapshots are configured?
:
:Thanks
:
:--Siju

    'hammer -f <device> show' will dump the media structures.

    undo -i <filename> will locate any retained history for a file or
    prior incarnation of a file, if it exists.  If no snapshots have been
    made yet but the filesystem is mounted normally (not mounted 'nohistory'),
    then there should be history associated with it.

    When you start making snapshots any fine-grained history beyond the first
    snapshot is lost (pruned out by the snapshots).

    Trying to find old file data on-media is possible but without any
    meta-data to point at it the best you can do is to try to pick it out
    of the disk image.

    The default is to run daily snapshots (they are put in <fs>/snapshots).
    The system's daily cron usually does that automatically.

					-Matt
					Matthew Dillon 
					<dillon at backplane.com>
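As an added illustration of the last-resort case Matt describes (no metadata left, so you scan the raw dd image for content you know was in the file), and not code from this email or from the DragonFly project: a sequential signature search over a raw image that also finds hits straddling two read buffers. The signature, offsets and sample image are constructed for the demonstration.

```python
import io
from typing import BinaryIO, Iterator, List, Tuple

def find_signature(img: BinaryIO, sig: bytes, chunk: int = 1 << 20) -> Iterator[int]:
    """Yield every absolute byte offset in a raw image at which ``sig`` begins.

    Reads sequentially so it copes with images larger than memory; the last
    len(sig)-1 bytes of each read are carried into the next so a signature
    that straddles two reads is still found, and found exactly once."""
    if not sig:
        raise ValueError("signature must be non-empty")
    carry, base = b"", 0          # base = absolute offset of carry[0]
    while True:
        data = img.read(chunk)
        if not data:
            return
        buf = carry + data
        pos = buf.find(sig)
        while pos != -1:
            yield base + pos
            pos = buf.find(sig, pos + 1)
        keep = min(len(sig) - 1, len(buf))   # overlap retained for the next read
        carry = buf[len(buf) - keep:]
        base += len(buf) - keep

def carve_bytes(image: bytes, sig: bytes, length: int,
                chunk: int = 1 << 20) -> List[Tuple[int, bytes]]:
    """Return (offset, data) for each hit; data is ``length`` bytes from the hit.
    For a real dd image, open the file with 'rb' and pass it to find_signature."""
    img = io.BytesIO(image)
    hits = list(find_signature(img, sig, chunk))
    out = []
    for off in hits:
        img.seek(off)
        out.append((off, img.read(length)))
    return out

# Constructed stand-in for a dd image: filler bytes with two copies of a
# plain-text note whose first line the analyst remembers.
SIG = b"-- lost note --"
SAMPLE_IMAGE = (b"\x00" * 1000 + SIG + b"\nbuy milk\n"
                + b"\xff" * 500 + SIG + b"\nsecond copy\n" + b"\x00" * 100)

if __name__ == "__main__":
    # chunk=1007 deliberately splits the first signature across two reads
    for off, data in carve_bytes(SAMPLE_IMAGE, SIG, 25, chunk=1007):
        print(f"hit at byte {off}: {data!r}")
```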