@attrc Just tested it on my Yosemite box and it worked fine. I've done it on Linux too-- though there you can just use /proc/<pid>/exe
@attrc Hadn't looked at the pastebin-- but, yes, I just tested recovering deleted binary from a deleted directory with lsof/icat/Yosemite
@hal_pomeranz ah nice. Can you pastebin istat on the file and its directory?
@hal_pomeranz ok, can you also istat /dev/rdisk1 6581178? Curious if Mac is keeping the file allocated or not
@attrc Whoops! Here's a more complete paste with istat output - pastebin.com/zPb6Wjjr - still allocated as long as the process is running
@hal_pomeranz thanks, weird that it differs from Linux, but good since no /proc equivalent that I know of
@attrc Interesting. EXT4 shows the inode as allocated but the size and extents are zeroed when the file is unlinked. This could be a bug.
@hal_pomeranz run sync and try again. Caching was messing up my results without running sync over and over
@hal_pomeranz I saw that after rm but before sync then after sync it was shown as unallocated
@attrc Might be a TSK bug-- debugfs works pre-sync, but istat/icat borked until sync performed- pastebin.com/Ca4f00zc
Feb 8, 2015 · 8:35 PM UTC

