| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Feb 2012 16:29:53 +0000 (GMT)
From: Rudolf Zran <rudolfzran@...oo.com>
To: "linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>,
"debian-user@...ts.debian.org" <debian-user@...ts.debian.org>
Subject: Restoring filenames from partly damaged ext4-filesystem
Hi everybody!
I recently damaged an ext4 partition by accident (mistakenly forced
a RAID sync with another partition onto it, which I realized after
about 3% completion). As a result the beginning of the ext4 partition
seems to be overwritten with garbage and refuses to mount.
As you might guess, I'd now like to get as most of my data back (from
the part which hasn't been overwritten, of course :)).
Maybe somebody knows a good method to just "repair" the ext4-structure
from the remaining part of the partition?
Background information:
Operation system: Debian GNU/Linux 6.0.4 (Squeeze)
Kernel: Linux 2.6.32-5
Architecture: x86-amd64
e2fsprogs: 1.41.12
Filesystem type: ext4, with default settings (mkfs.ext4 /dev/xyz)
Filesystem size: Around 1TB, filled with around 800GB of data.
Filesystem content: From a lot of ASCII stuff up to files with several
GB in size and arbitrary non-standard type.
What I've tried so far:
* First of all, though the source drive is physically fine, I work on
images of the partition on a spare drive, to experiment with. Everytime
I make unrecoverable errors to that image, I recopy the original.
* "dumpe2fs -b $SBERR /dev/loop0" does NOT work, for SBERR={32768, 98304,
163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000,
7962624} ( see https://pzt.me/1l55 )
* "dumpe2fs -b $SBOK /dev/loop0" DOES (partly) work, for SBOK={11239424,
20480000, 23887872, 71663616, 78675968, 214990848} ( see https://pzt.me/6txz )
* "mkfs.ext4 -S /dev/loop0" results in a completely empty filesystem
* "fsck.ext4 -b $SBOK -B 4096 -v -n /dev/loop0" shows a lot of errors.
Filesystem isn't mountable afterwards ( see https://pzt.me/42yk and
https://pzt.me/3frg )
* "fsck.ext4 -b $SBOK -B 4096 -v -y /dev/loop0" recoveres after a long time.
Filesystem is mountable. Root is empty besides lost+found folder, which
contains about 300GB mostly useless data: Millions of files with wrong
permissions, useless names and some random content.
* photorec from the testdisk package recoveres, luckily!, about 500GB of
data. Though the content seems to be pretty reasonable, no filenames
are recovered, since photorec operates without using filesystem knowledge.
Do you see any chances (besides consulting professional recovery companies)
getting the filenames back? I looked into the ext4 specs a bit to figure out
where this information is stored on disk, but before I step with hexedit
through a terabyte of data, I'd rather try some solutions which are maybe
already out there.
Any help is appretiated.
Thanks in advance, Rudolf.
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists