Month: February 2025

Software update roundup, February 2025

Time to mention some great updates in the newest versions of DiskDigger, as well as its cousin FileSystemAnalyzer, which is my “internal” tool for tinkering with various file systems.

ZFS

I’ve been embarking on a bit of self-study of the ZFS file system, specifically its on-disk structures, for the purpose of forensic analysis and opportunities for data recovery. DiskDigger (and FileSystemAnalyzer) now supports ZFS partitions on physical disks and disk images. At the moment it can only parse the current disk’s worth of the ZFS pool, i.e. it does not yet fully support pools that span multiple disks, but this will be updated soon.

FileSystemAnalyzer now lets you visualize and parse a ZFS partition in a couple of unique ways. First, you can select the uberblock from which to start parsing the file system. ZFS uses a round-robin list of uberblocks, where every new “transaction group” causes a new uberblock to be written or updated, and the uberblock with the highest transaction group number is the “active” one. This implies that “older” uberblocks could potentially point to file system structures that are deleted, or forensically interesting in other ways. FileSystemAnalyzer presents the list of potentially parseable uberblocks as separate “partitions”, which you can select:

image

I have definitely observed cases where deleting files causes a new “transaction group” to be recorded, which creates a new uberblock; and then parsing from the previous uberblock allows the deleted files to be seen.

Then when viewing the actual files in the ZFS partition, FileSystemAnalyzer lets you browse the raw “object list”, which is a flat list of objects that represent all the files and directories organized in the file system tree, but might also include items that are not present in the tree.

image

As an aside, although the design of ZFS is mostly very sound, I’m a bit taken aback by the complexity of certain portions of ZFS. For example, ZFS uses at least four different ways of storing key-value pairs, each for different purposes:

  • nvlist, for storing header metadata at the beginning of the file system.
  • SA (system attributes), for storing attributes for files and directories. Because ZFS is designed to be maximally versatile and cross-platform, the types of attributes associated with files and folders can be defined dynamically in a system-attribute registry stored in the metadata of the filesystem.
  • ZAP: this is the main storage mechanism by which the actual filesystem (files, directories, symlinks, etc) are structured, achieving a B-tree-like structure. However (!) ZAP offers two different ways of structuring it:
    • Microzap: When there are few enough entries, the structure becomes completely different, and more compact.
    • Fatzap: The actual, full-fledged mechanism for storing the file system tree.

UFS / UFS2 / Minix / Ultrix / Xenix

…Really, all Unix-like file systems. Or, I should say, all inode-based file systems. DiskDigger and FileSystemAnalyzer now have expanded support for more obscure and legacy Unix-like file systems, like Ultrix and Xenix, some of which have different versions that are mutually incompatible. If you have disk images of these types of very old operating systems, send them to me! I’m always looking for obscure stuff to test with.

Pick R83

The Pick Operating System, created by a guy who was actually called Dick Pick, was a super interesting blip in computing history. Everything about this operating system is database-driven, including the file system, if you can call it that. The “account” that a user signs into is really a database, a “file” is really a table in the database, and then each file contains “attributes” and “records” that correspond to columns and rows. The Pick OS found its way into some niche markets, but obviously didn’t last against its larger competitors. It was, however, a bit ahead of its time with its database-centric design, and these ideas are arguably “coming back” in the form of NoSQL.

I’d like to add more meaningful support for Pick partitions in the future, but for now, you can in fact browse a Pick file system in a minimal way, and also see a list of raw on-disk “frames” that make up the Pick database:

image

Brain dump, January 2025

I’ve had some fun recovering data from two different types of SyQuest disks: SyQuest “SparQ” and “EZ 135” cartridges! These were made in the late 1990s, and were meant to compete with Iomega Zip and Jaz disks.

image

These types of cartridges come from a weird (and short) era that came after the reign of floppy disks, but before the reign of portable hard drives (and USB flash memory). These cartridges literally contain a hard disk platter, and when you insert the cartridge into the drive, it becomes a complete hard drive.

image

The flaw in this design, which is obvious today, and should have been obvious then, is that there’s a reason why hard drives are very tightly sealed: if a single grain of dust gets between the platter and the read head, it can cause a catastrophic head crash, which will cause permanent damage to the disk, and to the drive. And that’s exactly what happened: the failure rate of these disks was comically high, and likely contributed to the eventual demise of the SyQuest company.

For both EZ 135 and SparQ disks, I was able to find inexpensive drives on eBay that support these disks. These are both external drives, and connect to the PC’s parallel port. And in both cases, the drive was missing its corresponding power adapter (because of course the drive uses a proprietary power connector). Luckily, I was able to find photos on the web of the power adapters, and see their respective pinouts, which were printed on the underside of the adapter. In the SparQ case, the power supply outputs both 5V and 12V on different pins, which is identical to a standard PC power supply’s internal connections. This drive was probably intended to be adaptable to become an “internal” model. So, I simply soldered a spare 4-pin Molex connector onto the corresponding pins inside the drive, and it’s suddenly compatible with a PC power supply!

image

And in the EZ 135 case, the power adapter only outputs 5V, so I soldered a standard barrel connector onto it.

image

I was able to find a driver on the web that supports both of these drives over the parallel port, and can be installed under Windows NT. The driver installs itself as a “SCSI” adapter, and exposes the drive as a true removable disk, giving Windows block-level access to it, and assigning it a drive letter. Therefore, if you insert a cartridge into the drive, you can just access it through Windows Explorer just like any other removable disk.

image

This means it’s also possible to use lower-level disk tools for reading the disk. Since I wanted to perform “full” data recovery on these cartridges, I was interested in obtaining complete sector-level images of the disks. Windows doesn’t have a built-in tool similar to dd in Linux, but there is actually a special “third-party” version of dd for Windows, and it actually works in Windows NT. Since this tool is open-source, I took it and made a tiny enhancement to make it retry reading a sector if it fails. That was a bit of fun in its own right, since this tool is built using Borland Delphi, which required spinning up a Windows 2000 virtual machine and installing Delphi 7 to make it build.

These cartridges had a few bad sectors, and retrying reading a specific sector multiple times allowed it to eventually succeed (in a sort of “SpinRite” fashion). Using this tool, all of the disks were read successfully!

If you have SyQuest disks lying around, needing to be recovered (or any other data recovery needs), get in touch!