Recovery of files from ZFS since it is COW

[MikeB]

I have been using FreeNAS for a few months now and love it. My question is about recovering files from ZFS since it is COW. A number of photos have been deleted from my zpool and I am wondering about "undelete" utils like photorec for Linux.

Q1) Since ZFS is COW, are these files out there on the media, just with references to them missing?
Q2) How would I intentionally remove a file or a dirtree from my zpool and "shred" them such that they cannot be recovered at all?

 

[zambanini]

a1: http://lmgtfy.com/?q=freenas+forum+recover+files+site:forums.freenas.org

you should also learn about snapshots.

a2: use encryption, if you fear somebody from the outside

 

[HoneyBadger]

Q1) Since ZFS is COW, are these files out there on the media, just with references to them missing?

Yes, much like other filesystems unless you specifically overwrite the previous location the data is still there. You'll want to mount the zpool as read-only to stop potential overwrites until you can hit the drives, but it may be significantly difficult because without ZFS's metadata telling you which pieces went where, it's going to be very hard to track down and correlate the data. Bruteforce might yield results but you're looking at a long, long process here.

Q2) How would I intentionally remove a file or a dirtree from my zpool and "shred" them such that they cannot be recovered at all?

Not easily possible. ZFS being COW means it behaves a lot more like an SSD without TRIM support on the vdev level - the blocks are only ever marked "dirty" and cleared for future rewrites. Encrypt your entire zpool if you're concerned about an outside attacker but bear in mind that your data is only as secure as your key.

 

[jgreco]

A1) Yeah, it's out there somewhere. Probably. It would, however, be very difficult to piece together. Probably a lot of learning about ZFS structures and internals.

A2) You don't. ZFS is not meant as a laptop-grade filesystem, but rather a server-grade filesystem. It is oriented towards keeping your data safe and secure. A deleted file or directory may remain available in a snapshot, etc. and trying to figure out how to comprehensively "purge" something on a system that is designed never to overwrite an active data block is probably rather complicated.