Hello I'm looking into the forensic artefacts of ZFS and came across zpool.cache in /etc/zfs/. Can some wise person confirm my information is correct and help me with some questions? I've had a look through the code on src.opensolaris.org and the On Disk specs (the PDF document ZFS On-Disk Specification) but haven't found the answers yet.
Many thanks for your help Mark INFO * ZFS has a legacy mode where mounts are handled by /etc/vfstab or a default mode where pools are automounted by ZFS. If you use /etc/vfstab and switch off the automatic mount at boot, the ZFS partitions won't be touched unless manually mounted. * zpool.cache appears to be a record of the creation, maintenance and destruction of ZFS pools (spa_config.h). * According to spa_config.h and libzfs_config.c, zpool.cache is part of the SPA layer, made up of nvlist objects. * spa_history.c mentions a history log ring buffer where the creation and subsequent actions to an SPA object are recorded. QUESTIONS * Can someone confirm whether the info above is correct? * How persistent is the information in zpool.cache after zpools have been destroyed? * I'm still looking for a C-struct type definition of the zpool.cache records. Can someone point me in the right direction? * Are there any *other* records left on the host regarding the creation/maintenance/destruction of a ZFS file system? * Where does the SPA history log land on-disk? Is it the zpool.cache of the host, somewhere else on the host or part of vdev label / ZFS file system? * "ZFS On-Disk Specification" is described as a draft, dated 22 August 2006. Is there anything more recent available?
