Home

Linux and Unix disks are not very common on their own, but are often part of a NAS (Network Attached Storage) system.  This could be a single drive, or part of a RAID 0 or RAID 1 for small systems, and RAID 5 for larger, more secure systems

CnW Recovery will detect the following types of Unix

• Ext2/3
• Ext4
• ReiserFS
• XFS

When detected, the following screen will displayed

The most important sector on a Unix disk is the Superblock.

There are three basic modes to recover Linux disk by

• Full recovery uses the existing directory structure to discover all the files.  If the directory structure is damaged, a full recovery will not be made
• Scan for directory stubs will search for each known inode and recover files this way.  It is very possible that orphaned files will be found and these will then be stored in directories with a dummy file name
• Raw Inodes is (currently) for XFS and Reiser only.  This scans the complete disk, block by block for possible iNodes.  It then reconstructs where ever possible the file system, even when iNodes have been deleted and otherwise removed.  The process can be slow, but it does result in files being found that is otherwise impossible with most types of recovery software.  Recent results with a test Reiser FS disk recovered about 80% of the original files that had been deleted.  NB more files appear to have been recovered, but there many duplicates. 

When the forensic option has been purchased useful detail is added to the forensic log.  This includes expected numbers of iNodes, locations of groups etc.

XFS deleted file recovery

It is often stated that it is not possible to recover deleted files from XFS.  This is largely true as unlike NTFS, there is no 'I have been deleted' flag.  Instead the critical iNodes are partially blanks to make them look free, and the tables to state where the iNodes are, and if used are also cleared.  The CnW approach is in five stages

• Scan the complete disk for all iNodes
• Regenerate the blanked iNodes to give file size, and file type
• Scan all iNodes to generate directory structure
• Recover all files, and check file signature
• Verify when possible, the file length

This process will recover files from very damaged XFS disks, and still retain file names, dates and very largely, the complete directory structure.

Reiser Disks

Most Reiser disks are part of the HP Media Vault system.  They can appear as a RAID, or just a single disk.  It is gathered that the system was often sold with a single drive, and then another drive could be added, normally as a JBOD configuration.  The proposed RAID-0 option was never implemented.  For RAID setup see the RAID drives section.

The disk may be read in three ways, Full recovery, scan and raw.  With Full recovery, the first stage is an analysis of all the leaf iNodes to try and establish a directory structure.  The Scan and Raw modes go to a lower level and do not try and read the disk based on the directory structure, though will try and reconstruct the directories.

A useful feature of the program is that it will still work even when the main Superblock header is missing.  This header is normally at sector 0x80 of the partition, and is recognised by the string ReIsEr2ER at location 0x34 of the block.

Ext4 deleted file recovery

When an Ext4 file is deleted (and the rubbish bin cleared) the iNode is blanked out.  This means there is no information on file size, date, or most importantly file location.  Put very simply, recovery of deleted files with file name is impossible.  HOWEVER - with the raw mode it is sometimes possible to recover files with the correct size and extension and date, but still no name.  The raw mode will scan the complete disk for old iNodes and make use of them.

The result of this scan can be varied - it detects all iNodes that are not part of the normal file system and so file may be found more than once.  As names cannot be attached, the files are checked for signature and then saved in relevant directories.  The file size and date are correct.

Recover All or Recover Selected

Not all configurations can operate with Recover selected.  If Recover All is used and only;y certain files are required, the recommendation is to use the file filter to select files based maybe on name, file type or date..

It is intended to support recover Selected for all Full Recover modes of operation, but scanned modes will rely of the file filter.