[251] in The Cryptographic File System users list


Re: Recovering deleted CFS files

daemon@ATHENA.MIT.EDU (Stefan Hudson)
Wed Nov 7 14:16:27 2001

Date: Wed, 7 Nov 2001 11:02:58 -0800
From: Stefan Hudson <hudson@mbay.net>
To: Robert Stampfli <res@colnet.cmhnet.org>
Cc: cfs-users@research.att.com
Subject: Re: Recovering deleted CFS files

On Tue, Nov 06, 2001 at 10:29:07PM -0500, Robert Stampfli wrote:
> Stefan,
> Here is a post from a few years back from the author of cfs,
> Matt Blaze.  Hope it helps...

Thanks, this helped a lot to understand them.  I'm not out of the woods
yet, tho...  unfortunately, the inode ctime gets updated when the inode
is deleted, so I have no way of knowing what the original ctime is.  I
wrote something to regenerate the .pvect_ files using the mtime, but
this only worked for a couple files out of thousands.  I'm not sure why,
since for most of the files, the mtime should not have changed since the
file was created.

I'm going to look at options for either brute-force guessing (using a
range of possible inodes and ctimes), or perhaps a more cryptographic
approach....

If I read the explanation correctly, the entire file is XOR'd with a
repeating pattern of the 4-byte pvect.  Does this mean that if I can
guess the first 4 bytes of a file, I should be able to recover the pvect
value by XOR'ing the first 4 bytes of the file header with the known
plaintext?  I'm hardly a crypto expert, but that's what it sounds like
to me.

I guess I should spend some more time with the Big Red Book.

Thanks for any advice,

Stefan
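
Added example, not part of the original message and not CFS code: a sketch of the known-plaintext check the message asks about, under the message's own reading that the data is XOR'd with a repeating 4-byte value (how CFS itself applies the pvect is not shown on this page). The signature table, function names and sample bytes are constructed for illustration.

```python
from itertools import cycle

# Constructed table: well-known file signatures of at least 5 bytes, so that
# bytes beyond the first four are left over to confirm a candidate mask.
SIGNATURES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF89a",
}

def xor_repeat(data: bytes, mask: bytes) -> bytes:
    """XOR data with the mask repeated end to end (masking and unmasking are the same)."""
    return bytes(b ^ m for b, m in zip(data, cycle(mask)))

def recover_mask(masked: bytes, known: bytes, offset: int = 0) -> bytes:
    """Derive the 4-byte mask from 4 known plaintext bytes located at `offset`."""
    if len(known) < 4 or len(masked) < offset + 4:
        raise ValueError("need 4 known plaintext bytes that lie inside the data")
    mask = bytearray(4)
    for i in range(4):
        # Byte j of the data was XOR'd with mask[j % 4], so rotate for the offset.
        mask[(offset + i) % 4] = masked[offset + i] ^ known[i]
    return bytes(mask)

def guess_by_signature(masked: bytes):
    """Return (type, mask) for every signature whose extra bytes confirm the mask."""
    hits = []
    for name, sig in SIGNATURES.items():
        if len(masked) < len(sig):
            continue
        mask = recover_mask(masked, sig[:4])
        # The first four bytes always "match"; only the remaining ones are evidence.
        if xor_repeat(masked[:len(sig)], mask) == sig:
            hits.append((name, mask))
    return hits

# Constructed sample: a tiny PDF-like file masked with a made-up 4-byte value.
SAMPLE_MASK = bytes.fromhex("5ac3197e")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n"
SAMPLE_MASKED = xor_repeat(SAMPLE_PLAIN, SAMPLE_MASK)

if __name__ == "__main__":
    for name, mask in guess_by_signature(SAMPLE_MASKED):
        print(name, mask.hex(), xor_repeat(SAMPLE_MASKED, mask)[:8])
```

Any four guessed bytes yield some mask, so a guess counts only when bytes outside those four also decode to what the file format requires.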
