CEFS Test Instructions

This document is for CEFS version 1.0.8

System requirements


Operating System

Ubuntu Server 20.10 (64-bit only)

Hardware OR Virtual Machine

  • CPU 2.0GHz dual core x86_64

  • RAM 4GB RAM (8GB recommend)

  • DISK 40GB for root and 100 GB for data mounted at /srv/cefs

Windows Network (Optional)


Recommended that you install Samba on the server using:

apt install samba

You can use CEFS with Windows in a variety of ways. There are many configurations here, please choose the one that works for your particular use-case.

Using CEFS as a Simple Network Share (Windows Workgroup)

Please make sure that a share drive is available over NFS or Samba.

Active Directory

When connecting CEFS server via SMB or NFSv4, please make sure that CEFS server is configured to be a domain member.

Installation & Tests


  1. Install CEFS. As per CEFS Installation.

  2. Set the environment variables to point to the CEFS partition and mount directory.

    export CEFS_PARTITION=/dev/sdb1 CEFS_MOUNTDIR=/srv/cefs
  3. [OPTIONAL] Grab test data from https://saf.ai/downloads/beta/test-data

    Now let’s create, destroy, rectify, and analyze!


  1. On client side, navigate to CEFS directory.

  2. Copy or extract the test data in the directory. For example, if you grabbed 200.zip from https://saf.ai/downloads/beta/test-data, you can unzip it in the CEFS directory.

    unzip 200.zip
  3. Once your data is finished copying over, look at your CEFS server and list your recovery points using the below command:

    cefs rectify ${CEFS_MOUNTDIR} show

    This should look something like the following:



    You will notice that as the data copies in, CEFS will automatically create various points of intrest and identify them as sāf or dirty points. These recovery points can be made into backups or permanent recovery points by manually recovering them.

  4. To rescue your data from peril, you simply command CEFS to rectify your mounted directory and your data will be recovered. There is also manual access if a more granular approach is neccesary.

    1. Automatically and immediately rectify your data.

      cefs rectify ${CEFS_MOUNTDIR} now
    2. Manually set up sāf points and rectify from them.

      cefs rectify ${CEFS_MOUNTDIR} memory ${RECOVERY_ID}
      cefs rectify ${CEFS_MOUNTDIR} from
    3. Set up a schedule based on time or number of recovery points done.


      TODO: how to convert a checkpoint into a sāf point via schedule


Method 1:

  1. Manually delete your files

  2. Verify files are not available

Method 2:

  1. Install ransomware of choice. Or download and install from: https://github.com/safai-labs/Python-Ransomware.git


    Procuring ransomware can be dangerous, only use trusted sources!

  2. Verify that your files are no longer accessible.


  1. Run a recovery in dry run mode to see what will be rescued from what point:

    cefs rectify ${CEFS_MOUNTDIR} now --dry-run -v
  2. Run rectify command:

    cefs rectify ${CEFS_MOUNTDIR} now
  3. Your clean data is now available in the mounted directory!

    This should look something like the following:



    Notice that, not only has your data been restored but also your permissions and settings.


  1. You may go into your created recovery point files and analyze how your data looks at a certain point in time.

  2. You may also compare the differences between pre and post attacked data to determine what files were being targeted.

  3. You will notice that the restored data has no traces of the payload. Restoring your data with sāf.ai is like turning back the clock. It does not fix the damaged data it simply removes it from production and gives you back your healthy data.