What is the directory called “lost+found” for? What should I do if I see files in it?
Background on FSCK
In AIX, as with other Unix-like operating systems, the filesystem check utility /usr/sbin/fsck is used to correct damage to a filesystem. This damage may be the result of a system crash, LVM problem, disk issue, or a filesystem defect, causing corruption in the metadata of the filesystem.
If fsck detects a damaged directory, it will attempt to repair the damage. If the directory is too damaged to repair, fsck must remove it. Since a directory is mainly a mapping of file inodes to names that the directory “owns”, fsck has to move any files out of the damaged directory to save them. Since the directory containing the names of the files is now gone, fsck will give the file a new numeric name that is the inode number of that file in the particular filesystem. Then it moves the file to the “lost+found” directory, found in the root of each filesystem. These files may be complete, or they may have some corruption as well if the filesystem is too damaged.
What To Do With Files In The Lost+Found Directory?
Without filenames or directory paths these files can be difficult to use at this point. Using some techniques to help determine what the files contain may help an administrator to remember where the files should go, and what their names should be.
It should be noted here that restoring these files can be a time-intensive task. If there are many files in the lost+found directory it may be faster to restore the filesystem from the last known backup than trying to guess what they are. Also, as mentioned above, the files themselves may be corrupt and not useable.
One way is to use the /usr/bin/file command to determine what data is in a file. This command uses specific strings or performs tests on a file to classify it by a known type.
# file 1234
1234: shell script – ksh (Korn shell)
# file 5678
5678: archive (big format)
# file 9101112
9101112: executable (RISC System/6000) or object module
If a file is found to be a shell script or containing ASCII data, it can be examined using “more” or “cat” to help determine what it is and where it should be moved to.
If a file is binary, such as an executable, library, or kernel module, other commands can be used to determine what’s in it.
# what 2345
61 1.16 src/bos/usr/ccs/lib/libc/__threads_init.c, libcthrd, bos61B, b2007_33A0 8/2/07 13:09:21
88 1.24 src/bos/usr/bin/ex/ex_put.c, cmdedit, bos610 4/10/06 07:47:54
50 1.13 src/bos/usr/bin/ex/ex_data.c, cmdedit, bos610 1/21/06 03:54:52
09 1.11 src/bos/usr/bin/ex/printf.c, cmdedit, bos610 8/7/00 10:14:15
69 1.17 src/bos/usr/bin/ex/ex_get.c, cmdedit, bos610 3/21/05 23:25:35
76 18.104.22.168 src/bos/usr/bin/ex/ex_v.c, cmdedit, bos61D, d2008_12A3 3/11/08 01:28:00
38 22.214.171.124 src/bos/usr/bin/ex/ex_tty.c, cmdedit, bos610 3/31/04 07:01
The vi editor is really a full-screen version of an editor called “ex”, so knowing this we can rename the file properly as /usr/bin/vi .
# strings 90210 | head
1.16 src/bos/usr/ccs/lib/libc/__threads_init.c, libcthrd, bos61B, b2007_33A0 8/2/07 13:09:21
We can see that this file is most likely the /usr/sbin/lslv command.
The octal dump command can be used to print out characters (od -c) or search for null-terminated strings (od -S)
The LVM intermediate command lquerypv can be used on objects as well as physical volumes. It can read and format the output in the right-hand eyecatcher to allow the user to view any recognizable strings or characters.
# lquerypv -h 3456
00000000 01DF0004 47A8B978 00000000 00000000 |….G..x……..|
00000010 00481047 010B0001 000041F8 00000A60 |.H.G……A….`|
00000020 00003678 30000C14 10000100 300002F8 |..6×0…….0…|
00000030 30000CA0 00020001 00020002 00040003 |0……………|
00000040 00070003 314C0000 00000000 40000000 |….1L……@…|
00000050 00000000 00000000 00000000 2E746578 |………….tex|
00000060 74000000 10000100 10000100 000041F8 |t………….A.|
00000070 00000100 00000000 00000000 00000000 |…………….|
00000080 00000020 2E646174 61000000 300002F8 |… .data…0…|
00000090 300002F8 00000A60 000042F8 00000000 |0……`..B…..|
000000A0 00000000 00000000 00000040 2E627373 |………..@.bss|
000000B0 00000000 30000D58 30000D58 00003678 |….0..X0..X..6x|
000000C0 00000000 00000000 00000000 00000000 |…………….|
000000D0 00000080 2E6C6F61 64657200 00000000 |…..loader…..|
000000E0 00000000 00000B39 00004D58 00000000 |…….9..MX….|
000000F0 00000000 00000000 00001000 00000000 |…………….|