Unlike DOS/Windows, it is difficult to restore UNIX files after they are deleted.
Depends on the file system structure. Unlike DOS/Windows, the UNIX file directory
The file name, file length, and cluster number (that is
File occupies the first disk block number) and other important information; on the contrary, its file information is all
It is described by a data structure called an I node, and the I node is deleted in the corresponding file.
After division, the deleted files are cleared. Therefore, to directly restore the deleted files
Impossible. This article discusses several file recovery strategies based on actual conditions.
And the specific implementation of the key steps.
I. UNIX File System Structure
We know that UNIX uses a file volume as its file system storage format, while
Different UNIX systems have different file volume formats, even for the same Unix
The file systems of different operating systems may not be the same, for example, SCO Unix
The file system structure of Version 4.1 and version 5.0 is significantly different, but as long as it is a UNIX system, its
The basic structure of the file volume is consistent. The analysis is as follows:
No matter what UNIX system, no matter what version, its file volume should include at least
The import block, super block, I node table, data zone, and so on. In addition
The unix version may be different. For example, the bitmap index block of sco unix System
And the logical volume table of the bitmap block Aix. The particularity of these systems does not affect the recovery below
Policy, so we will not discuss it here. We will only introduce the structure of standard UNIX file volumes.
1. Boot Block
Located in the first sector of the file volume, the 512 bytes are the guidance of the file system
Code, which is unique to the root file system. The 512 bytes of other file systems are empty.
2. Super Block
Located in the second sector of the file system, followed by the boot block, used to describe this file
System structure. For example, the length of an I node and the size of a file system are stored in
In/usr/include/sys/filsys. H, the structure is as follows:
Struct filsys
{
Ushort s_isize;/* Number of data blocks occupied by the disk index node area */
Daddr_t s_fsize;/* Number of data blocks in the entire file system */
Short s_nfree;/* Number of idle blocks currently registered in the idle block logon table */
Daddr_t s_free [nicfree];/* free block Registration Form */
Short s_ninode;/* Number of idle index nodes */
Ino_t s_inode [nicinod];/* idle node Registration Form */
Char s_flock;/* Lock flag space */
Char s_ilock;/* node lock flag */
Char s_fmod;/* super block modification flag */
Char s_ronly;/* file system read-only flag */
Time_t s_time;/* time when the super block was last modified */
Short s_dinfo [4];/* device information */
Daddr_t s_tfree;/* Total Number of idle blocks */
Ino_t s_tinode;/* Total Number of idle nodes */
Char s_fname [6];/* file system name */
Char s_fpack [6];
Long s_fill [13];/* fill in Space */
Long s_magic;/* indicates the magic number of the file system */
Long s_type;/* New file system type */
};
3. I node table
After the I node table is stored in the super block, its length is determined by the s_isize field in the super block.
It is used to describe the attributes, length, owner, group, and number of files.
The data structure of a data block table is in/usr/include/sys/ino. H, as follows:
Struct dinode
{
Ushort di_mode;
Short di_nlink;
Ushort di_uid;
Ushort di_gid;
Off_t di_size;
Char di_addr [40];
Time_t di_atime;
Time_t di_mtime;
Time_t di_ctime;
};
4. directory structure
All UNIX files are stored in the directory. The directory itself is also a file. Contents
The file storage mechanism is as follows: first, the directory file itself is also like a common file
Sample: occupies an index node. Second, the index node obtains
Storage location, and then retrieve the file names and corresponding sections from the content.
To access a file. The directory structure is as follows:
Index node number (2 bytes). (local directory) (14 bytes)
Index node number (2 bytes) .. (parent directory) (14 bytes)
Index node number (2 bytes) file name (14 bytes)
Index node number (2 bytes) file name (14 bytes)
Index node number (2 bytes) file name (14 bytes)
It can be seen from the above that the file name is described by the directory, and the content of the file and its trust
It is described by the index node.
Ii. File Deletion Process
The process of deleting a file in UNIX is very simple, that is, releasing the index node table.
And the data blocks occupied by files, clear the index nodes occupied by files, but do not clear files
Content. However, the process for deleting files is different from that for deleting directories. Different commands are used to delete files.
The process is also different.
1. delete an object
To delete a file in UNIX, follow these steps:
1. Release the disk data block occupied by the file, then clear the corresponding node, and finally release
Node.
2. delete a directory
Delete a directory: first, delete all the files in the directory one by one.
And then delete the directory. The directory itself is also a file, so the delete method and delete file 1
To.
3. Several Different delete commands
. Rm command
Generally, the DELETE command is described above.
. Mv command
Format: MV file 1 file 2
The processing process is to release the data block of file 2, and then change the name of file 1
File 2, and then release the I node occupied by file 2.
.> Command
Format:> file name
If a new file is generated, the> command only applies for one I node without writing any
File Content. If an existing file is cleared, the data occupied by the file is released.
And clear the file length.
3. Recovery Policy for deleted files
To restore the deleted files, you can only write the files based on the items left after the deletion.
Chapter. What is left after the file is deleted? From the above analysis, we can see that: 1.
The content of the file; second, the "Site" is left ". File recovery policies can only be
These two aspects are analyzed. The following describes several recovery strategies.
1. Perform Disk Recovery on site
If the file is deleted, the site is not damaged (that is, the hard disk does not occur after the file is deleted
If only one file is deleted
Algorithm. Because when the system creates a file, it must be based on a specific
The allocation algorithm determines the location of the data block occupied by the file. When the file is deleted
The occupied data block is released and returned to the system allocation table.
To create a file, the data block allocated by the system based on the original allocation algorithm must be consistent
The original data blocks occupied by this file are the same, and we know that the last one of the UNIX files
The extra bytes at the end of the data block are all set to 0, so as long as the system's data points are called
Configuration algorithm, in the system a block of application data blocks, because the last Unix File
All the extra bytes at the end of the data block are 0. Therefore, you only need to find the number of allocated bytes.
When the end of the data block is 0, the end of the file can be considered, and the length and content of the file can be determined.
To achieve recovery. The method is as follows:
(1) apply for an index node, that is, apply to the system to create a new file name instead
Write any content. For example: #>/tmp/xx
(2) Call the system distributed data block algorithm getnextfreeblock () to obtain a data block.
To an address table variable.
(3) read the data block and determine whether all its tails are consecutive 0. If not,
Return to (2). If yes, perform (4 ).
(4) first use the system function fstat to obtain the I node number of/tmp/xx, and then perform step (2 ).
The address table is written to the address table of the index node (note the inter-address issue), and according to the data block
Calculate the file size based on the number and the length of the valid data in the last part, and write
Di_size field.
⑸ Write back the index node table of the system.
It should be noted that, first, the algorithms for allocating data blocks by the system are different for Unix
Different versions. Second, Some UNIX versions, such as sco unix 5.0, have their own
Distribution and recycling are implemented using the data structure of a Dynamic Linked List.
It is easier to restore parts. You only need to find the parts at the end of the table in the idle linked list.
Line description.
2. Restore Based on the content.
If the scene has been damaged, that is, the hard disk has been written, you have
. Moreover, since UNIX is a multi-process, multi-user system
System logs,. sh_history, and other hard disks are recorded when the host is switched on or off, or when the hardware or communication fails.
It is highly probable that the site is damaged. Therefore, it is suggested that the content-based recovery method has a greater
Practical value. The author has obtained the following four recovery strategies for reference.
(1) keyword search
If you know the content of the deleted file in several bytes, and the file
If the length does not exceed one disk block, you can search for this disk in the entire file system.
Byte string to obtain the data block where a file is located, and fill in their block number with an I Section
Point to restore a file. The algorithm for searching a file system is very simple, as shown in
Below:
A. # DF-K determine the device file name of the file system (for example,/dev/root)
B. Use the following function to search. If the search succeeds, the data block number is returned. If the search succeeds,-1 is returned. Its
Fsname is the device name of the file system. For example, the/dev/root and comp () parameters are used to implement search results.
Functions.
Long searchfs (char * fsname, int comp ())
{
File * FP;
Char Buf [1024];
Long I = 0;
Fp = fopen (fsname, "R ");
While (! Feof (FP ))
{
Fread (BUF, 1024,1, FP );
If (COMP ()/* check whether the search criteria are met */
Return I;/* If the block number is returned successfully */
I ++;
}
Fclose (FP );
Return-1;/* if no matching block is found,-1 */is returned */
}
(2) exact length search
If you know the exact length (number of bytes) of the deleted file, you can
Calculate the exact length of data in the last data block of the file,
All other bytes in the data block must be 0. Search for the entire text based on this condition
System to find the data blocks that meet the conditions. If multiple data blocks meet the requirements,
You also need to distinguish them based on other conditions. But in any case, based on the exact length analysis
Is a data recovery policy.
(3) content Correlation Method
If you know that there is an executable Association in the file content, such as the file School
You can also search for the entire
The file system repeatedly tries to find disk data blocks that meet the association conditions.
Restore a file.
(4) Environment Comparison Method
If you know the installation process of the file system where the file is deleted
Find a completely identical machine and install the same version according to the original steps
UNIX and other related software, as you can imagine, the new machine environment will be different from the original environment
The environment is basically the same. When comparing the content of the same file system on two machines, we can infer that
The approximate location of the deleted file can greatly reduce the search range.
The search range is small enough. You can combine other conditions by observing and trying one by one.
Data Recovery reduces the difficulty of recovery and increases the reliability of recovery.
The specific implementation of File System Recovery in UNIX systems depends on different operating systems and
The specific file system structure and disk block allocation algorithm of different versions. This article tries to summarize
It provides a general idea and Strategy, which is limited by space and cannot be discussed in detail.
Body implementation process.
