hoakley May 9, 2020 Macs, Technology

How to check the integrity of files in a Time Machine backup

It turns out that you can check the integrity of the files in your Time Machine backups after all, so long as you’re running El Capitan or later. This isn’t offered in its application or preference pane, though, and I’m not sure what to make of it in Terminal either.

According to the man page for tmutil, the command
tmutil verifychecksums path
computes a checksum for each item in the path specified at path, and compares that with the checksum made at the time of that backup and stored in its data. If they match, it doesn’t return anything. When it finds a checksum which doesn’t match, that’s reported in a simple list of errors. The first snag is the report format: the man page claims that two different errors can be reported:

! means that “the file’s current checksum does not match the expected recorded checksum”, and
? means that “the file’s recorded checksum is invalid”.

This means that checksum comparison can return one of not two results, but one of three, which is puzzling to me. I’m not sure how the second type of error can be identified, except when the file’s current checksum doesn’t match the recorded checksum, which is surely the first type of error?

The man page doesn’t state it, but this command must be run with elevated privileges. So armed with
sudo tmutil verifychecksums /Volumes/ThunderBay2HFS/Backups.backupdb/Howard’s\ iMac\ Pro/2020-05-08-073609
and the like, I checked a couple of my recent TM backups.

Even quite small backups take a long time – several minutes for 140 GB – to check. You can refine the path to be checked to specify individual folders within the backup, but the thought of using this on a terabyte or more of backups isn’t appealing.

You may also be less than impressed with the result. It doesn’t tell you how many items it checked, nor how many were missing checksums. All it does is list files in that backup which don’t match their checksums. In one backup, it reported two:
! /Volumes/ThunderBay2HFS/Backups.backupdb/Howard’s iMac Pro/2020-05-08-073609/External1/Documents/0newDownloads/PrivateDocuments1.sparsebundle/bands/0 ! /Volumes/ThunderBay2HFS/Backups.backupdb/Howard’s iMac Pro/2020-05-08-073609/External1/Documents/0newDownloads/PrivateDocuments1.sparsebundle/bands/ee
which are bands in an encrypted sparse bundle, stored in a recent backup on a local SSD. So what can I do now to address this failed integrity check? I can’t tamper with the backup itself to try to fix those files, nor can I force them to be backed up again. Nor do I know whether the original is also damaged, nor the cause.

All this does is demonstrate my original point: backups can silently become corrupt for no apparent reason. File integrity needs to be taken more seriously, something which macOS doesn’t currently address.

Postscript

Thanks to John (see his comment below) for discovering that Time Machine records these checksums in an extended attribute added to each file which it backs up. The xattr type is com.apple.finder.copy.source.checksum, and it’s given a flag #N which means that it’s stripped when the file is copied between volumes, such as when you restore the file.

It contains a 4 byte integer, which I would have presumed was a CRC32, but on checking the CRC32 for the data fork of backed up files, that isn’t the same as the checksum stored in the xattr. Neither does it appear to be an Adler32. This means that you can’t check the checksum manually either.

It does therefore make sense to have a ‘checksum invalid’ error, but there’s another error code which is missing: ‘checksum not present’. Ho hum.

21Comments

Add yours

1

EcleX on May 9, 2020 at 8:50 pm

“File integrity needs to be taken more seriously, something which macOS doesn’t currently address”.

Is there any application to take care of that? Thanks.

LikeLiked by 1 person
- 2
  
  hoakley on May 9, 2020 at 9:07 pm
  
  Thank you: you may not be surprised to learn that I have two apps, with a command tool coming shortly. CCC does offer integrity checks – please see its documentation. Some other third-party backup apps may also support integrity checking.
  Please see my product page here, which has the full series of articles on the subject.
  Howard.
  
  LikeLike
3

EcleX on May 9, 2020 at 9:57 pm

Many thanks! Is it also possible to repair such damaged files, or is that impossible beyond replacing them with a good backup copy?

LikeLiked by 1 person
- 4
  
  hoakley on May 9, 2020 at 10:10 pm
  
  That’s the fundamental problem: there’s nothing in macOS, HFS+ or APFS which supports the testing of file integrity, or error-correction. You can use RAID level 6 which should perform error correction automatically, provided of course that the backup software backs the files up without error in the first place. There’s also Parchive Par2 ECC available in one free app for macOS. Beyond that, it’s a matter of finding an undamaged copy yourself.
  Howard.
  
  LikeLike
  - 5
    
    EcleX on May 10, 2020 at 7:38 am
    
    Thanks. Where is Parchive Par2 ECC? I cannot find it searching sites like Macupdate. Thanks.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on May 10, 2020 at 7:42 am
      
      Look in the articles listed on my Dintch page at error-correction. It’s all there.
      Howard
      
      LikeLike
  - 7
    
    EcleX on May 14, 2020 at 11:24 am
    
    Thanks. Do you mean that MacPAR deLuxe
    https://gp.home.xs4all.nl/Site/MacPAR_deLuxe.html
    can repair such damaged files?
    
    LikeLiked by 1 person
    - 8
      
      hoakley on May 14, 2020 at 11:27 am
      
      Only if you save them as a Parchive first. Then it can – with remarkable results.
      Howard.
      
      LikeLike
9

John Gilbert on May 10, 2020 at 12:15 am

? means that “the file’s recorded checksum is invalid”

I take that to mean that the recorded checksum is in some way not a possible checksum and so can’t be checked. Which brings me to my question:

Where are the checksums stored?

Look and you shall find! Using xattred (thanks for that!), I can see that the checksum for each file is stored in a 4 byte extended attribute.

And, so if the attribute was, for example, only 3 bytes that would be a case of ” “the file’s recorded checksum is invalid”.

And that is where I started this comment.

Thanks you for a most useful article from which I learnt something new in quick time.

LikeLiked by 1 person
- 10
  
  hoakley on May 10, 2020 at 7:43 am
  
  Brilliant thank you – more later.
  Howard
  
  LikeLike
- 11
  
  hoakley on May 10, 2020 at 9:54 am
  
  Thank you again – I have added a postscript with more details, and a credit.
  Howard.
  
  LikeLike
12

Milo on May 10, 2020 at 9:42 am

That is an interesting find about tmutil. I knew about this feature, but I assumed it only worked for backups to sparse bundles over the network. When you alt-click on the Time Machine icon in the menu bar, there is even an entry for “Verfiy Backup”. But it’s only enabled for network destinations.

I would sleep much better if Time Machine had a good way to verify backups. I’m hoping Apple is already working on an APFS enabled solution for external backups. Possibly something similar to what ZFS and Btrfs have to offer with snapshots that can be sent to other devises for backup or archiving.

Regarding APFS and checksums, some Apple engineers have commented on why this feature was implemented for metadata but not the data itself:

http://dtrace.org/blogs/ahl/2016/06/19/apfs-part5/

The argument seems to be, that most storage devices and interfaces already have Error Correction baked in for data in transit as well as stored data. Therefore data corruption should be a very rare, detectable and in many cass even a correctalbe problem.

Of course the above does not guarantee that the correct files have been copied to the backup at the given time. There could also be bugs in Time Machine’s logic which files to copy or update or funny things could happen to the large files structure on current HFS+ backups.

LikeLiked by 1 person
- 13
  
  hoakley on May 10, 2020 at 9:59 am
  
  Thank you.
  Well, I have already in one simple test demonstrated that using only SSDs and Apple’s file systems, and Time Machine, my backups have two file integrity errors. Those have passed undetected until I was researching this article, unreported by Time Machine, and now uncorrectable.
  So ignore all claims that file integrity isn’t a problem – they’re wildly optimistic, as we all still know.
  Banking on everything working perfectly isn’t a good way to deal with valuable and important documents.
  Howard.
  
  LikeLike
14

Bob on May 15, 2020 at 12:18 pm

“Therefore data corruption should be a very rare, detectable and in many cass even a correctalbe problem.”

That would be true if all of the pieces worked together, but they don’t. Over the years I have had a few external SATA storage enclosures fail, and the system happily returns bad data. In this situation, I can checksum the same file over and over, and keep getting a different result. The only clue is a “Buffer underrun” message in the log.
My data is important to me, (mostly static data such as photos, videos, and PDF documents) so I take my own measures to protect the main library as the authoritative source, which I’ll describe here.
1. All data has two backups, and all three copies (primary and two backups) are checksummed.
2. Any data copying requires checksum verification. For example, let’s say I’m pulling a home movie off my camera. Schematically the process looks like this:
$ cat /Volumes/camera/video | tee /Volumes/destination | checksum > a
$ rsync primary backup1
$ rsync backup1 backup2
$ sudo purge # clear buffer cache
$ checksum /Volumes/destination > b
$ checksum backup1 > c
$ Checksum backup2 > d
$ sort -u a b c d | wc -l # if the checksums match this should return 1
$ store b c d # store checksums for the three copies

At this point you might ask, is this really necessary? Yes, because of bitrot. From time to time I scan the entire file system (40+ TB) and it will return a few bad checksums. When this happens, I manually checksum the suspected bad file. There are 1 of two outcomes:
1. The manual checksum is correct; file is fine, just a mis-read during the FS scan
2. The manual checksum is incorrect; need to re-write the file on that volume

It might interest you to know that I have had this happen on Seagate drives, but not Western Digital. You might also ask, why don’t I just use RAID for checksum protection, and also save space since I won’t need 3-times the raw storage in my method. Several reasons:
1. RAID doesn’t protect you from a filesystem corruption. And they can corrupt. So if I suffer a file system corruption, I have two other independent copies. I can name the volume label on one of the copies to be primary, and I’m back in business. Then use the remaining copy to rebuild the secondary backup in the background.
2. rsync is platform-agnostic; it doesn’t care what the target storage is. So it could be a different drive geometry, different file system, different OS. Doesn’t matter.

Like I said, my data is important to me, so I use the tools at hand to build a better way. So far as Time Machine goes, I do use it on an external TM drive that I plug in from time to time (because I share the drive with several systems, and TM network backups are nothing but trouble.) But I also rsync my home directory to the main library, which means it has another two backup copies there. So the recovery process would be to use TM to recover the system, then rsync the home directory back, as the latest copy.

LikeLiked by 1 person
- 15
  
  hoakley on May 15, 2020 at 4:28 pm
  
  I agree completely – and that’s what the thrust is of this and other articles about file integrity.
  Has it never struck you that having to maintain such a complex system with at least three copies of every important file is perhaps inefficient? That maybe macOS or something else should be taking more care of this work itself, perhaps?
  Howard.
  
  LikeLike
16

Bob on May 15, 2020 at 7:29 pm

Hoakley, I wholeheartedly agree that the system should take care of this for us, but the facts on the ground are that it does not. Heck, even Apple’s software RAID wouldn’t tell me if a drive failed/went off line. I’d have to ask it on an interval. Then I got smarter about more reliable redundancy and moved away from RAID. And for those who might think I’m paranoid about filesystem corruptions, it just happened to me for the Time Machine drive, about 2-3 weeks ago. It’s enclosure failed in a way that was recoverable, but it left the file system in a read-only unrecoverable state. So much for journaled file systems. The lesson for everyone here is that no matter how good the file system, the entire stack down to the hardware has to work right or all bets are off. So my method provides redundancy down to the hardware level.

And from a cost perspective, I think it’s a wash. What I paid for my storage would be about the same price of a multi-bay enclosure, with no drives. Meaning, my method is half the price, and I get a commodity component system. The multi-bay enclosure has an internal hub for the USB or thunderbolt connection. When that goes bad, either you won’t be able to buy the part and you’ll have to chuck the whole thing, or you’ll get the part, but it will be expensive. Meanwhile I bought Amazon Basics 10-port hubs for about $40. If a hub fails, I go to the basement and get another one and I’m back in business in a few minutes. If a drive fails, same procedure, and no data is offline during recovery, because I just have to rename one of the backup drives.

I have put a lot of thought into this. But is it more work? Yes. Although automation is your friend. Even if you have RAID, the last time I checked, checksums don’t help if you don’t actually READ the data (meaning data at rest that is infrequently accessed.) So it’s wise to read the whole thing just to see what happens. But if you had a bad file, not much you could do without a backup of that file. I see some people do things like gang together 4x8TB drives into a single file system and since it’s so big, no backup, just rely on RAID. That’s a ticking time bomb.

But I think this is where technology fails society. The average customer shouldn’t have to understand so much about good librarianship to preserve their data. The reason we have so many photos from the civil war is because someone’s grandmother/father died and photos were found in a kitchen drawer, shoebox, etc. Thanks to digital, those days are gone. (The irony here being that the printed photos will have more longevity.) Digital data preservation takes a lot more thought, and it shocks me how many people don’t even take regular backups, but are upset when the data disappears.

LikeLiked by 1 person
- 17
  
  hoakley on May 15, 2020 at 8:15 pm
  
  Thank you, Bob. You’re writing much the same as I have in these articles. But I don’t see that such an elaborate solution should be necessary – there are methods like ECC which are designed to cope with these types of problems without such massive redundancy.
  Howard.
  
  LikeLike
18

Milo on May 16, 2020 at 7:10 am

To make it clear. I wasn’t definding Apple’s stance on the matter. I’m also of the opinion, that data integrity should be better taken care of in macOS. Otherwise I wouldn’t read articles on the topic or even comment on them 🙂

Knowing the shortcomings of macOS I myself use a combination of Time Machine, off-site backups with Arq and irregular archiving of less important data using rsync on external media. I’m happy enough with my current setup although I’m always interested in learning about better and easier ways to manage backups, archiving and file integrity. I also recognize that file integrity is definitely a weak point in my current strategy.

I really like your tools Dintch and Fintch for this reason and will try them soon. Storing file digests as extended attributes is a very elegant solution. It’s probably not a good solution to manage file integrtiy of data that is managed by some applications though. I’m thinking here about the Photos.app and the Photos Library folder. If I recall correctly you already wrote something about this topic in the past.

LikeLiked by 1 person
- 19
  
  hoakley on May 16, 2020 at 8:41 am
  
  Thank you – I’m delighted that we’re on the same sheet.
  Howard.
  
  LikeLike
20

ralf b on December 6, 2020 at 10:42 am

Thank you for the article. I recently stumbled over the option in the tmutil man-page and quickly asked myself what I can do about the information provided.
As far as I know backups to APFS are silently supported now as of macOS 11.
I use alternating backups on different HDs to decrease the chance of data loss.

As an alternative to Bob’s suggestion and to keep the “low hassle” approach of TimeMachine in the first place, i suggest this strategy:
occasionally (e.g. once per month) scrub backups with a command like this
sudo tmutil verifychecksums /Volumes/myAPFSBackupVolume/2020-12-06-034715.previous/ > /Users/Shared/backupstatus/myAPFSBackupVolume/ChecksumOutput20201206.txt

The path might look different for my HFS+-Volume.
As I have two independent copies, I would try to recover files with broken checksums from the other backup volume or from live data in case the file still exists there and is intact.

Unfortunately, there is no way to force TimeMachine to take a fresh copy of the file in question, so I would create an additional directory on one of my main disks (like /Users/Shared/Recovered Files) to store intact copies of the file that was destroyed in one backup, thus creating fresh copies of affected files.

While this isn’t perfect, it addresses some shortcomings of TimeMachine while generally preserving the comfort of automatic backups.
It also avoids the need of connecting more the one backup HD at once thereby reducing the risk of disasters that could destroy multiple backups at once.

This clearly is a stopgap measure until Apple integrates such functionality into their TimeMachine workflow.
It would take them less trouble to occasionally verify the checksums and at least try to take a fresh copy of unchanged files. Its a shame APFS didn’t inherit more of Zfs’s features.

(Having said that, I did lose a bunch of data due to the use of early and instable versions of zfs on mediocre hardware.)

Regards and thanks again,
ralf

LikeLiked by 1 person
- 21
  
  hoakley on December 6, 2020 at 6:42 pm
  
  Thank you.
  For the moment, I wouldn’t recommend this with Time Machine backups to APFS, as the format is new and experience with it extremely limited. You could easily end up doing more harm than good.
  Howard.
  
  LikeLike

·Comments are closed.

Share this:

Like this:

Related