Recovery strategies for deleted files on UNIX systems

xiaoxiao2021-03-06  44

Unlike on DOS/Windows, a file deleted on UNIX is difficult to recover, and the reason lies in the structure of the UNIX file system. A UNIX directory is not like a DOS/Windows directory: all information about a file is described by a data structure called the i-node, and the i-node is cleared when the file is deleted, so directly recovering the deleted file's content is almost impossible. Drawing on practical experience, this article discusses the implementation of several file recovery strategies and their key steps.

I. UNIX file system structure

UNIX uses the file volume as the storage format of its file systems. The file volume format differs between UNIX systems, and even within the same UNIX operating system the file systems may not be exactly the same; for example, the file system structure of SCO UNIX version 4.1 differs significantly from that of version 5.0. The basic structure of the file volume is nevertheless the same on every UNIX system.

Whatever the UNIX system and version, a file volume contains at least the boot block, the superblock, the i-node table, and the data area. Individual UNIX versions add their own features, for example the bitmap index block of SCO UNIX and the logical volumes of AIX. These particularities do not affect the recovery strategies below, so they are not discussed here; only the standard UNIX file volume structure is introduced.

1. Boot block

The boot block is the first sector of the file volume. Its 512 bytes hold the boot code of the file system; only the root file system has it, and in other file systems these 512 bytes are empty.

2. Superblock

The superblock is the second sector of the file system, immediately after the boot block. It describes the structure of the file system, such as the i-node length and the file system size. Its structure is defined in /usr/include/sys/filsys.h as follows:

    struct filsys {
        ushort  s_isize;            /* number of data blocks occupied by the on-disk index node area */
        daddr_t s_fsize;            /* number of data blocks in the entire file system */
        short   s_nfree;            /* number of free blocks currently registered in the free block list */
        daddr_t s_free[NICFREE];    /* free block list */
        short   s_ninode;           /* number of free index nodes */
        ino_t   s_inode[NICINOD];   /* free index node list */
        char    s_flock;            /* lock flag */
        char    s_ilock;            /* index node lock flag */
        char    s_fmod;             /* superblock modified flag */
        char    s_ronly;            /* file system read-only flag */
        time_t  s_time;             /* time the superblock was last modified */
        short   s_dinfo[4];         /* device information */
        daddr_t s_tfree;            /* total number of free blocks */
        ino_t   s_tinode;           /* total number of free index nodes */
        char    s_fname[6];         /* file system name */
        char    s_fpack[6];         /* file system pack name */
        long    s_fill[13];         /* padding */
        long    s_magic;            /* magic number identifying the file system */
        long    s_type;             /* new file system type */
    };

3. I-node table

The i-node table follows the superblock; its length is given by the s_isize field of the superblock. It describes each file's attributes, length, owner, group, data block addresses, and so on. Its data structure is defined in /usr/include/sys/ino.h as follows:

    struct dinode {
        ushort  di_mode;        /* file type and permissions */
        short   di_nlink;       /* number of links */
        ushort  di_uid;         /* owner */
        ushort  di_gid;         /* group */
        off_t   di_size;        /* file length in bytes */
        char    di_addr[40];    /* data block address table */
        time_t  di_atime;       /* time of last access */
        time_t  di_mtime;       /* time of last modification */
        time_t  di_ctime;       /* time of last i-node change */
    };

4. Directory structure

All UNIX files are stored in directories, and a directory is itself a file.
A directory stores files as follows. First, the directory file, like an ordinary file, occupies an index node. Second, that index node gives the location of the directory's contents. Finally, a file name and its corresponding index node number are taken from those contents, and the file is accessed through them. The directory structure is as follows:

    index node number (2 bytes)    .  (this directory)     (14 bytes)
    index node number (2 bytes)    .. (parent directory)   (14 bytes)
    index node number (2 bytes)    file name               (14 bytes)
    index node number (2 bytes)    file name               (14 bytes)
    index node number (2 bytes)    file name               (14 bytes)

The file name is described by the directory contents; the file's content and other information are described by the index node.

II. Deleting files

Deleting a file in UNIX is simple: the system releases the data blocks the file occupied and the entry the file occupied in the index node table, but does not clear the file content. However, deleting a file differs from deleting a directory, and different commands delete a file in different ways.

1. Deleting a file

The specific steps UNIX takes to delete a file are: release the disk data blocks the file occupies, block by block, according to the address table in the file's i-node; then the i-node is cleared and released.

2. Deleting a directory

To delete a directory, first delete all files in the directory one by one, then delete the directory itself. A directory is also a file, so it is deleted in the same way as a file.
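An added example, not from the original article: a C decoder for the 16-byte directory entries described above (a 2-byte index node number followed by a 14-byte name). It assumes a little-endian i-node number and the classic System V behaviour, not stated in the article, that removing a file sets the entry's i-node number to 0 and leaves the name bytes in place; `struct dent`, `parse_dent`, `count_removed_names` and the sample block are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define DIRSIZ    14              /* name field width given in the text */
#define DENT_SIZE (2 + DIRSIZ)    /* one on-disk entry: 16 bytes */

struct dent {                     /* decoded entry (hypothetical helper type) */
    unsigned ino;                 /* i-node number; 0 is assumed to mean "removed" */
    char name[DIRSIZ + 1];        /* name with a terminating NUL added */
};

/* Decode entry idx of a raw directory block; -1 if it lies outside the block. */
int parse_dent(const unsigned char *blk, size_t len, size_t idx, struct dent *out)
{
    size_t off = idx * DENT_SIZE;
    if (off + DENT_SIZE > len) return -1;
    out->ino = blk[off] | ((unsigned)blk[off + 1] << 8);  /* little-endian (assumption) */
    memcpy(out->name, blk + off + 2, DIRSIZ);
    out->name[DIRSIZ] = '\0';     /* a 14-character name has no NUL on disk */
    return 0;
}

/* Count slots with i-node number 0 whose name bytes are still present. */
int count_removed_names(const unsigned char *blk, size_t len)
{
    struct dent d; int n = 0;
    for (size_t i = 0; parse_dent(blk, len, i, &d) == 0; i++)
        if (d.ino == 0 && d.name[0] != '\0') n++;
    return n;
}

/* Constructed sample block: ".", "..", one live file, one removed file. */
void make_sample(unsigned char blk[4 * DENT_SIZE])
{
    static const char *names[4] = { ".", "..", "report.txt", "fourteen_chars" };
    static const unsigned char inos[4] = { 2, 2, 37, 0 };
    memset(blk, 0, 4 * DENT_SIZE);
    for (size_t i = 0; i < 4; i++) {
        blk[i * DENT_SIZE] = inos[i];          /* low byte; high byte stays 0 */
        memcpy(blk + i * DENT_SIZE + 2, names[i], strlen(names[i]));
    }
}

int main(void)
{
    unsigned char blk[4 * DENT_SIZE]; struct dent d;
    make_sample(blk);
    for (size_t i = 0; parse_dent(blk, sizeof blk, i, &d) == 0; i++)
        printf("%5u  %-14s %s\n", d.ino, d.name, d.ino ? "" : "(removed)");
    return 0;
}
```

A surviving name with i-node number 0 tells an examiner which file was removed from the directory, but not where its data blocks are; that link lived in the cleared i-node.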

3. Several different deletion commands

rm command: the typical deletion command; its deletion process is described above.

mv command: format: mv file1 file2. It releases the data blocks of file 2, then renames file 1 to file 2, then releases the i-node of file 2.

> command: format: > filename. When it creates a new file, the > command only requests an i-node and writes no file content; when it empties an existing file, it releases the data blocks occupied by the file and sets the file length to zero.

III. Recovery strategies for deleted files

To recover a deleted file, one can only work from what deletion leaves behind. What is left after a file is deleted? From the analysis above: first, the content of the file; second, the "scene", that is, the on-disk state at the time of deletion. Recovery strategies can only be built on these two. Several recovery strategies follow.

1. Recovery based on the on-disk state

If the on-disk state has not been disturbed since the deletion (that is, nothing has been written to the hard disk since the file was deleted), and assuming only one file was deleted, the file can be recovered by following the system's allocation algorithm. When the system creates a file, it determines the data block positions the file occupies according to a particular allocation algorithm. When the file is deleted, the data blocks it occupied are released and returned to the system's allocation table. If a file is then created again, the system allocates according to the same algorithm, so the blocks it hands out must be the same data blocks the original file occupied. We also know that the bytes at the tail of the last data block of a UNIX file are all 0. So it is enough to call the system's data block allocation algorithm and request data blocks one at a time: as soon as the tail of an allocated block is found to be all 0, the file can be considered to have ended, which determines the length and content of the file and thereby achieves recovery. The method is as follows:

(1) Request an index node, that is, create a new file name in the system without writing anything to it. For example:

    # > /tmp/xx

(2) Call the system's data block allocation algorithm getNextFreeBlock() to obtain a data block number and record it in an address table variable.

(3) Read this data block and check whether its tail is all consecutive zeros. If not, return to (2); if so, go to (4).

(4) First use the system function fstat to get the i-node number of /tmp/xx, then write the address table obtained in (2) into the address table of the index node (note the information problem), and, from the number of data blocks and the length of the valid data in the last block, calculate the file size and write it to the di_size field of the i-node.

(5) … the system i-node table.

Two points should be noted. First, the data block allocation algorithm differs between UNIX versions. Second, some UNIX systems, such as SCO UNIX version 5.0, implement the allocation and reclamation of free data blocks with a dynamic linked list; file recovery on them is easier, since it is enough to search from the tail of the free list, which the author will describe further.

2. Recovery based on content

If the on-disk state has been destroyed, that is, the hard disk has been written to, recovery has to be based on the file's content.
Moreover, because UNIX is a multi-process, multi-user system, every shutdown, hardware or communication failure, update to .sh_history and the like writes to the hard disk and destroys the on-disk state. Recovery based on content is therefore of greater practical value. Practical exploration has yielded the following four recovery strategies, given here for reference.
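An added example, not from the original article: the end-of-file test of steps (2) to (4) of strategy 1, in C. The in-memory chain stands in for the sequence of blocks getNextFreeBlock() would return; the 512-byte block size, the function names and the sample data are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BSIZE 512   /* block size used here (assumption; it varies by volume) */

/* Offset just past the last non-zero byte; BSIZE if there is no zero tail. */
size_t valid_len(const unsigned char *blk)
{
    size_t n = BSIZE;
    while (n > 0 && blk[n - 1] == 0)
        n--;
    return n;
}

/* chain holds max blocks in the order the allocator would hand them out
 * (assumption: already read into memory). Returns the di_size for step (4)
 * and sets *nblk to the number of blocks for the address table, or -1 if no
 * block has a zero tail (file length an exact multiple of BSIZE, or the chain
 * ran past the file). A file whose real data ends in zero bytes is cut short. */
long recover_size(const unsigned char *chain, size_t max, size_t *nblk)
{
    for (size_t i = 0; i < max; i++) {
        size_t v = valid_len(chain + i * BSIZE);
        if (v < BSIZE) {              /* zero tail found: this is the last block */
            *nblk = v ? i + 1 : i;    /* an all-zero block holds no file data */
            return (long)(i * BSIZE + v);
        }
    }
    return -1;
}

/* Constructed sample: two full blocks, then 100 data bytes and a zero tail. */
void make_chain(unsigned char *chain)
{
    memset(chain, 'A', BSIZE);
    memset(chain + BSIZE, 'B', BSIZE);
    memset(chain + 2 * BSIZE, 0, BSIZE);
    memset(chain + 2 * BSIZE, 'C', 100);
}

int main(void)
{
    static unsigned char chain[3 * BSIZE];
    size_t nblk = 0;
    make_chain(chain);
    long size = recover_size(chain, 3, &nblk);
    printf("di_size=%ld blocks=%zu\n", size, nblk);
    return 0;
}
```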

When reprinting, please cite the original address: https://www.9cbs.com/read-56243.html
