After parted trashed my disk, what next?

If none of the more specific forums is the right place to ask

After parted trashed my disk, what next?

Postby MatthewExon » 2006-02-05 18:57

Hi,

I'm sorry to be posting this here, it's probably the wrong forum, but I haven't been able to find any forum for general questions about recovering data from corrupted disks. Please let me know if I should go somewhere else.

Yesterday I tried to use parted to shrink and move my 160GB ext3 partition on my disk to make room for a 6GB Windows 2000 install. Unfortunately, parted segfaulted when I tried that, and I believe that's the reason my machine won't boot any more:

Code: Select all
hda: max request size: 1024KiB
hda: 312581808 sectors (160041 MB) w/2048KiB Cache, CHS=19457/255/63, UDMA(33)
hda: cache flushes supported
 /ev/ide/host0/bus0/target0/lun0: p1 p2 < p5 >
EXT3-fs error (device hda1): ext3_check_descriptors: Block bitmap for group 1152 not in group (block 942683700)!
EXT3-fs: group descriptors corrupted !
cramfs: wrong magic
EXT3-fs error (device hda1): ext3_check_descriptors: Block bitmap for group 1152 not in group (block 942683700)!
EXT3-fs: group descriptors corrupted !
pivot_root: No such file or directory
/sbin/init: 432: cannot open dev/console: No such file
Kernel panic - not syncing: Attempted to kill init!


I fired up Recovery Is Possible (RIP), and tried e2fsck (yes yes, I know I shouldn't) but it refused to recognise the partition at all. I also tried using e2retrieve to put whatever it could on an NFS drive, but after running for three hours it did this:

Code: Select all
99.24% (7/70/2440372 different superblocks, 94241 dir. stubs) 829128282:57:35/8
99.25% (7/70/2440577 different superblocks, 94241 dir. stubs) 829128282:57:36/8
99.26% (7/70/2440775 different superblocks, 94241 dir. stubs) 829128282:57:37/8
99.27% (7/70/2441049 different superblocks, 94243 dir. stubs) 829128282:57:38/8
99.28% (7/70/2441377 different superblocks, 94243 dir. stubs) 829128282:57:39/8
99.29% (7/70/2441581 different superblocks, 94244 dir. stubs) 829128282:57:40/8
99.30% (7/70/2441783 different superblocks, 94244 dir. stubs) 829128282:57:41/8
100.00% (7/70/2441351 different superblocks, 94291 dir. stubs)

Scan finished

Superblocks:
 #1 (155131640 Ko) : copy 0 1 3 5 7 9 25 27 49 81 125 243 343 625 729
 #2 (155131640 Ko) : copy 0 0 0 0
 #3 (155131640 Ko) : copy 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 #4 (155131640 Ko) : copy 0
 #5 (155131640 Ko) : copy 0 0
 #6 (155131640 Ko) : copy 0 0
 #7 (155131640 Ko) : copy 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 #8 (60000 Ko) : copy 0 1 3 5 7
Superblock #7 has been choose.

*** glibc detected *** double free or corruption (!prev): 0x0805b428 ***
Aborted


I also tried gpart, but it looks to me to have guessed wrong:

Code: Select all
Begin scan...
Possible partition(DOS FAT), size(6495mb), offset(145000mb)
Possible extended partition at offset(151495mb)
   Possible partition(Linux swap), size(1129mb), offset(151495mb)
End scan.

Checking partitions...
Partition(DOS or Windows 95 with 32 bit FAT, LBA): primary
Partition(Linux swap or Solaris/x86): primary
Ok.

Guessed primary partition table:
Primary partition(1)
   type: 012(0x0C)(DOS or Windows 95 with 32 bit FAT, LBA)
   size: 6495mb #s(13301820) s(296961525-310263344)
   chs:  (1023/254/63)-(1023/254/63)d (18485/0/1)-(19312/254/63)r

Primary partition(2)
   type: 130(0x82)(Linux swap or Solaris/x86)
   size: 1129mb #s(2313296) s(310263408-312576703)
   chs:  (1023/254/63)-(1023/254/63)d (19313/1/1)-(19456/254/62)r

Primary partition(3)
   type: 000(0x00)(unused)
   size: 0mb #s(0) s(0-0)
   chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

Primary partition(4)
   type: 000(0x00)(unused)
   size: 0mb #s(0) s(0-0)
   chs:  (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r


So as far as I can tell, nothing actually works here. Nevertheless, I'm convinced that there must be a way to retrieve most of my data. e2retrieve is finding things that look like superblocks. GRUB is finding the kernel image. I can certainly see most of my data with strings.

So does anyone have any suggestions? At this point I'm perfectly willing to shell out some money for a commercial solution: but I'm only willing to do that if they can do better than the free solutions above. If anyone has some positive experiences with the various commercial offerings advertised on Google, I'm willing to give it a go. Most of them look pretty dodgy though :-(
MatthewExon
 

Postby dawgie » 2006-02-05 20:04

The Knoppix Hacks book has a chapter or two on recovering data from damaged drives using computer forensics tools.

You need lots of free space on another drive. You cannot recover the data on the corrupted drive and copy it to the corrupted drive.

Before you change the partitions on a drive you should save the old (good) partition table on a floppy.

You might want to try gpart:
www.linux.org/apps/AppId_2496.html
User avatar
dawgie
 
Posts: 431
Joined: 2004-06-16 21:30
Location: New Hampshire USA

Postby MatthewExon » 2006-02-06 07:28

Do you have any particular reason to believe that the stuff in Knoppix Hacks is likely to help me here?

I already did try gpart (you'll notice that I included the output of the tool in my original post), but it appears to have guessed wrong. I also tried e2retrieve, but as far as I can tell I hit a bug in the program. I spent a lot of time on the net looking for suitable tools, but couldn't find anything more likely than those.

If there are any other tools in Knoppix that might help me here, please let me know what they are. I don't really want to shell out $30 for a book that only tells me things I already know.
MatthewExon
 

Postby bluesdog » 2006-02-06 08:36

This looks like it could be useful.

Also, you might have some luck with the systemrescue live cd, available here

You'll probably have to transfer data to another hard drive, dvds/cds, or to another computer over a local network

Good luck
User avatar
bluesdog
 
Posts: 2082
Joined: 2006-02-01 09:02
Location: Similkameen, British Columbia, Canada

Postby Guest » 2006-02-07 10:57

I hadn't heard of LDE: thanks! It looks like this is on my RIP CD that I've got at home, so I'll try that out. I'm not too optimistic though: my superblock is corrupted, so chances are it'll barf straight away.

I'm not too thrilled by SystemRescue CD: that's what I was using when I broke my hard drive in the first place. It seems to be using version 1.6.23 of parted, whereas RIP has version 1.6.24.

Luckily, for the first time in my life when I've tried to recover from this kind of thing, I actually have a network drive available with enough space to hold the results (although, unfortunately, not enough space to hold an image of the entire filesystem). So I might actually be able to do this "properly".
Guest
 

Postby dawgie » 2006-02-07 15:56

The Knoppix hacks book has a section on using the Coroner's Toolkit.

The coroner's toolkit has some tools that may be useful to you:
# apt-get install tct

grave-robber - the main data gathering program.
It runs the following programs:
file - Ian Darwin's file command
icat - copies a file by inode number.
ils - list file system inode information.
lastcomm - a portable lastcomm command
mactime - the M, A, C time file system reporter.
md5 - the RSA MD5 digital signature tool.
pcat - copies the address space of a running process.


unrm - uncovers unallocated blocks from a raw Unix file system.
Lazarus - attempts to resurrect deleted files or data from raw data

It can be a painstaking process. The problem is that you will be sorting through lots and lots of deleted files. The data recovery companies charge a rate of up to $10 per word for recovered documents.
User avatar
dawgie
 
Posts: 431
Joined: 2004-06-16 21:30
Location: New Hampshire USA

Postby MatthewExon » 2006-02-10 07:58

Success! I'm back in business.

In the end e2fsck did the trick, but there was some weirdness that had to be overcome first. e2fsck /dev/hda1 wouldn't work, but when I added the argument "-b 0" it suddenly did. According to dumpe2fs, block 0 was the main superblock. None of the backup superblocks worked. So I'm a bit confused as to what was going on here.
MatthewExon
 


Return to General Questions

Who is online

Users browsing this forum: No registered users and 10 guests

fashionable