List:       opensolaris-security-discuss
Subject:    Re: zfs forensics page
From:       "max () bruningsystems ! com" <max () bruningsystems ! com>
Date:       2008-08-13 4:52:39
Message-ID: 48A26897.80501 () bruningsystems ! com

Hi Evtim,

Evtim Batchev wrote:
>
>
> Maybe mdb zfs module may bring some missing zdb
> functionality in mdb?
>
> I will have to go through your presentation more carefully to
> understand better the issues :-)

There are two basic issues with using mdb to examine on-disk zfs
data/metadata.
One is that mdb does not load any CTF information when the target file
is a raw disk (or any target that is not ELF or ELF generated core file).
The second issue is that most of the metadata is compressed.
The first issue is handled by adding a "::loadctf" command and changing
some entry points in mdb_tgt_ops_t in cmd/mdb/common/mdb/mdb_rawfile.c.
Currently, "::loadctf" only loads the current kernel CTF information.
This allows me to use "::print" with raw disks/files.
The second issue is handled by adding missing functionality to zdb
so that data can be de-compressed.

It would be nice to have mdb handle the decompression, but "::print" reads
each field within a structure separately.  This means that the data must
be de-compressed before using ::print.

I have looked into modifying zdb to be interactive, then adding the
::print functionality to zdb.  I have also looked into modifying mdb to
do the de-compression.  I think either of these would work, but will take
more time to implement.

If mdb is truly a "modular" debugger, it should not only be modular in
terms of functionality that can be added, but also in terms of the
"modules" that can be debugged.

At any rate, I am currently looking into using the modified mdb to
understand/correct a problem I am having with a pcfs (fat32) file system.
I also will take a short look at "recovering" removed files in a zfs
file system.

max

>
> Thanks again
> Cheers
> E-
>
> max@bruningsystems.com wrote:
>> Hi,
>> I just now saw this page:
>> http://opensolaris.org/os/project/forensics/ZFS-Forensics/ on the
>> forensics project, and thought you might like to add the paper and
>> slides I presented at the OpenSolaris Developer Conference on ZFS
>> on-disk format.  The paper is at:
>> http://www.osdevcon.org/2008/files/osdevcon2008-proceedings.pdf
>> starting at page 36, and the slides are at:
>> http://www.osdevcon.org/2008/files/osdevcon2008-max.pdf.
>>
>> max
>>
>> _______________________________________________
>> security-discuss mailing list
>> security-discuss@opensolaris.org
>>   
>
>

_______________________________________________
security-discuss mailing list
security-discuss@opensolaris.org
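
Added example, not part of the original message and not code from mdb or zdb: a small C illustration of why a field-at-a-time reader such as "::print" needs the block decompressed first. It assumes LZJB (the compressor ZFS used for metadata at the time; the message does not name one); the sample sector, FIELD_OFF and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MATCH_BITS  6
#define MATCH_MIN   3
#define OFFSET_MASK ((1 << (16 - MATCH_BITS)) - 1)
#define FIELD_OFF   12  /* hypothetical one-byte field in the logical block */
/* Constructed sample: a zero-padded 16-byte sector holding an 11-byte LZJB stream. */
static const uint8_t ondisk[16] = {
    0xA0, 'd', 'n', 'o', 'd', 0,  /* copymap (items 5 and 7 are matches), 5 literals */
    0x10, 0x01, 0x2a,             /* match len 7 off 1 (zero run), literal 0x2a */
    0x00, 0x04                    /* match len 3 off 4 */
};

/* LZJB decompress with bounds checks on both buffers; 0 on success, -1 on bad input. */
int lzjb_decompress(const uint8_t *src, size_t s_len, uint8_t *dst, size_t d_len) {
    size_t s = 0, d = 0;
    unsigned copymap = 0, copymask = 1u << 7;
    while (d < d_len) {
        if ((copymask <<= 1) == (1u << 8)) {      /* start a new group of 8 items */
            if (s >= s_len) return -1;
            copymask = 1; copymap = src[s++];
        }
        if (copymap & copymask) {                 /* back-reference into output */
            if (s_len - s < 2) return -1;
            int mlen = (src[s] >> (8 - MATCH_BITS)) + MATCH_MIN;
            size_t off = (size_t)(((src[s] << 8) | src[s + 1]) & OFFSET_MASK);
            s += 2;
            if (off == 0 || off > d) return -1;   /* would point before the output */
            while (mlen-- > 0 && d < d_len) { dst[d] = dst[d - off]; d++; }
        } else {                                  /* literal byte */
            if (s >= s_len) return -1;
            dst[d++] = src[s++];
        }
    }
    return 0;
}

/* The field as read straight off the compressed sector, with no decompression. */
int field_raw(void) { return ondisk[FIELD_OFF]; }
/* The same field after decompressing the whole block first; -1 on bad input. */
int field_decompressed(void) {
    uint8_t block[16];
    return lzjb_decompress(ondisk, 11, block, sizeof block) ? -1 : block[FIELD_OFF];
}

int main(void) {
    printf("raw=0x%02x decompressed=0x%02x\n", field_raw(), field_decompressed());
    return 0;
}
```

The structure offset only means something in the decompressed block; in the compressed stream the same offset lands on padding or on an unrelated token.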