[TriLUG] screwed disk

Aaron S. Joyner aaron at joyner.ws
Fri Apr 6 02:49:33 EDT 2007 

Joseph Mack NA3T wrote:
> On Thu, 5 Apr 2007, Alan Porter wrote:
> 
>>> Alan - what are you going to see if you partition / into the swap area -
>>> are you going to see junk directory entries? What if your partition is
>>> short?
>>
>> You will not be able to mount the partition unless the starting point
>> is correct.  Otherwise, you'll see some error message from mount,
>> something like "mount: wrong fs type, bad option, bad superblock
>> on /dev/hda1".
> 
> confirmed
> 
> in the interests of science I partitioned a zip disk into 3 partitions
> (/,swap,/usr) formatted them (ext3, mkswap, ext3), put a couple of
> directories and files into the ext3 partitions, filled the rest of each
> partion with a file from /dev/zero, deleted the zero'ed file, unmounted
> the partions, deleted all the partitions, exited fdisk, re-entered the
> original partition table by hand and confirmed that I could mount all
> the partitions (ro), that all files were there and there was no garbage
> seen with ls in any directory.
> 
> I then confirmed that if I didn't start the partition at the right
> block, I couldn't mount it (Alan's statement).
> 
> If the partition was short or long (by one block) the directories and
> files were all there and there was no garbage listed in the directories
> (all the used inodes are at the beginning of the partition?).
> 
> The interesting piece of information is that if you do df on the mounted
> disk with the long or short partition, that the partition size shown
> (blocks) is the correct one for the original partition and not the size
> of the partition as is in the partition table. So once you have the
> start of the partitions, then you make a rough guess as to the size of
> the partition, then when you mount it, you will see the real size of the
> partition.
> 
> I do my windows backups with dd and I remember that as I restore (with
> dd onto a disk with just the partition table) that as soon as I start
> the restore, that I can mount the disk while I'm dd'ing and see the
> files and directories with ls. All (most?) of the directory information
> must be really early in the partition.
> 
> Joe
> 

All together, Joe and Alan have done an excellent job of summarizing
your recovery options.  Man am I happy, as they saved me a lot of
exposition.  :)  Follow their suggestions and you'll be fine.  If you
ever do something more disastrous that your current mistake, just
remember that /dev/hda itself is a block device, and you can read from
it directly until your heart's content.  Fire up your friendly knoppix
CD, and run `grep 'Your thesis topic' /dev/hda`.  A little surgery with
the -C and other context options of grep can do wonders.  :)  Sure, it's
not perfect, fragmentation, etc, but if it saves the bacon of one person
reading this, it's worth me having typed it.  For a more formal approach
to this idea, which is good for recovering things other than text files,
check out 'foremost'[1].  It's "the foremost opensource forensic tool".
 :)  I've used it on more than one occasion to recovery lost images, etc
from horribly damaged media, dramatically bone-headed user mistakes, etc.

Happy hunting,
Aaron S. Joyner

http://foremost.sourceforge.net/

More information about the TriLUG mailing list