On Sat, 19 Oct 2002 14:05:19 PDT, Seth Arnold <sarnoldat_private> said:
> On Fri, Oct 18, 2002 at 07:14:09PM +0100, Alan Blackwell wrote:
> > I sometimes need to find out when a file or directory on a machine was
> > deleted
>
> Alan, I would be surprised if the operating system's last act before
> removing a file was to make a note in a no-longer-needed directory
> entry/inode somewhere when the inode/directory entry was destroyed.
> Maybe the "last modification time" on the directory has that
> information, but in a conglomerate sort of way. (Read: other file
> changes in the directory may make that timestamp not the latest file
> deleted.)

For those filesystems that maintain a single linear free list that's added to in FIFO or LIFO order, you can look at the free blocks, make guesses as to what files they were, and then use the last-mod-time on the parent directories (multiple) to at least narrow down "File X was removed from ~fred/.subdir after y.c was removed from ~george/src/project1, but before foo.dat was removed from ~harry/proj23".

However, this requires that the free list be managed in a certain manner, and that the blocks that used to be y.c and foo.dat contain enough data to identify them, etc etc etc.

Issues like these are why the audit guys like systems that have kernel-level auditing, where you'd have a record of the unlink() call that did it, and what process/userid/etc. (Hint - you can drastically reduce the data volume by not tracking unlink() on the /tmp filesystem ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
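The kernel-audit approach Valdis describes, as an added example that is not part of the original thread: it reads Linux audit-framework records (SYSCALL plus PATH lines sharing one msg=audit(...) id), keeps successful unlink/unlinkat events, pairs each with the path marked nametype=DELETE, and drops /tmp churn as the post suggests. It assumes x86_64 syscall numbering (87 = unlink, 263 = unlinkat) and uses a constructed audit.log excerpt; the auid field is what survives an su, so it is the login user rather than the effective uid.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# x86_64 numbers for the two deletion syscalls; raw audit.log carries numbers, not names.
UNLINK_SYSCALLS = {"87": "unlink", "263": "unlinkat"}
NOISE_PREFIXES = ("/tmp/",)  # the post's hint: ignore /tmp to cut volume

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Constructed sample: one /tmp delete, one real delete by auid 1000 running as root,
# and one failed unlink (permission denied) that must not appear in the timeline.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1034973500.101:301): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2200 auid=1002 uid=1002 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1034973500.101:301): item=0 name="/tmp/" nametype=PARENT
type=PATH msg=audit(1034973500.101:301): item=1 name="/tmp/sess_a1" nametype=DELETE
type=SYSCALL msg=audit(1034973540.220:302): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=2210 auid=1000 uid=0 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1034973540.220:302): item=0 name="/home/fred/.subdir/" nametype=PARENT
type=PATH msg=audit(1034973540.220:302): item=1 name="/home/fred/.subdir/X" nametype=DELETE
type=SYSCALL msg=audit(1034973520.050:303): arch=c000003e syscall=87 success=no exit=-13 items=1 pid=2215 auid=1001 uid=1001 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1034973520.050:303): item=0 name="/home/george/src/project1/y.c" nametype=DELETE
""".splitlines()

def parse_record(line):
    """Split one audit record into a dict, keeping its timestamp and event serial."""
    m = _MSG.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    rec["_ts"], rec["_serial"] = float(m.group(1)), m.group(2)
    return rec

def deletion_timeline(lines, ignore_prefixes=NOISE_PREFIXES):
    """Return deletions as dicts sorted by time: who (auid/uid), which process, which path."""
    events = defaultdict(list)  # serial -> records of that event (serials are unique per boot)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    out = []
    for recs in events.values():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not sc or sc.get("syscall") not in UNLINK_SYSCALLS or sc.get("success") != "yes":
            continue  # not a deletion, or the unlink failed
        for p in recs:
            if p.get("type") == "PATH" and p.get("nametype") == "DELETE" and "name" in p:
                if p["name"].startswith(ignore_prefixes):
                    continue
                out.append({"when": datetime.fromtimestamp(sc["_ts"], tz=timezone.utc).isoformat(),
                            "path": p["name"], "call": UNLINK_SYSCALLS[sc["syscall"]],
                            "auid": sc.get("auid"), "uid": sc.get("uid"),
                            "pid": sc.get("pid"), "exe": sc.get("exe")})
    return sorted(out, key=lambda e: e["when"])
```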
This archive was generated by hypermail 2b30 : Sat Oct 19 2002 - 16:23:29 PDT