Re: Linux Swap Partitions

From: Seth Arnold (sarnoldat_private)
Date: Sun Jul 28 2002 - 12:34:55 PDT

    On Wed, Jul 24, 2002 at 06:38:33PM -0000, saliskorat_private wrote:
    > Is there any value to mounting and analysing a linux swap partition ? I 
    > attempted to mount and received an error, stating that the partition 
    > appeared to be a swap partition - which of course it was.
    
    Swap partitions are very different from filesystems. Filesystems
    (usually) store trees of directory nodes to reference file inodes, which
    then reference the blocks in files. Everything on disk has or had a name
    once, and you can reconstruct which blocks are in which files or
    directories or are no longer in use pretty easily. (fsck does this on
    every unclean reboot.)
    
    Swap partitions contain "random" pages of memory from processes that
    weren't used often enough to keep them out of swap. Luckily for you,
    those chunks won't include libraries or the executable -- those are
    backed by the filesystem. So, swap is only going to contain pages
    created on the fly by the applications for data. Unluckily for you,
    there is no ordering information about the swap actually held in the
    swap partition -- all of that information is meaningful only when the
    machine is running, and the machine is likely to need it in a hurry, so
    the page mapping tables are stored in unswappable kernel memory.
    
    So, you don't stand a chance of reconstructing swap into a filesystem.
    You _do_ stand a chance of finding useful tidbits in swap, though they
    aren't going to be friendly and contiguous about it. (On the x86
    platform running Linux, pages in swap are 4k each.)
    
    In short: if you're after something specific, you might find it. If you
    are on a general fishing expedition, it might be much more work.
    
    Good luck. :)
    
    -- 
    http://www.wirex.com/
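
An added example, not part of the original message: a Python sketch of the targeted search the reply describes, treating a raw swap image as independent 4k pages. The swap signature check, the function names and the sample image are assumptions made for illustration; the sample data is constructed.

```python
import re

PAGE_SIZE = 4096  # x86 Linux page size, as stated in the message
SWAP_MAGICS = (b"SWAP-SPACE", b"SWAPSPACE2")  # signature in last 10 bytes of page 0


def search_swap(image: bytes, needle: bytes, context: int = 32):
    """Return (page_no, offset_in_page, snippet) for each hit of needle.

    Each 4k page is searched on its own: adjacent pages in swap may belong
    to unrelated processes, so the snippet is clipped at the page boundary.
    """
    if image[PAGE_SIZE - 10:PAGE_SIZE] not in SWAP_MAGICS:
        raise ValueError("no Linux swap signature at end of first page")
    hits = []
    for page_no in range(1, len(image) // PAGE_SIZE):  # page 0 is the header
        page = image[page_no * PAGE_SIZE:(page_no + 1) * PAGE_SIZE]
        for m in re.finditer(re.escape(needle), page):
            lo = max(0, m.start() - context)
            hi = min(PAGE_SIZE, m.end() + context)
            # Show non-printable bytes as '.' so the snippet is readable.
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in page[lo:hi])
            hits.append((page_no, m.start(), text))
    return hits


def build_sample_image() -> bytes:
    """Constructed image: header page plus two unrelated data pages."""
    header = bytes(PAGE_SIZE - 10) + b"SWAPSPACE2"
    page1 = bytearray(PAGE_SIZE)
    page1[100:125] = b"login: alice pass=hunter2"   # constructed sample data
    page1[-5:] = b"pass="                            # hit at the very end of the page
    page2 = bytearray(PAGE_SIZE)
    page2[0:16] = b"NOT-THE-PASSWORD"                # different process, unrelated
    return header + bytes(page1) + bytes(page2)


if __name__ == "__main__":
    for page_no, offset, text in search_swap(build_sample_image(), b"pass="):
        print(f"page {page_no} offset {offset}: {text}")
```

The second hit sits at the end of page 1, and its snippet stops there rather than pulling in the first bytes of page 2, which in a real swap area need not come from the same process.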