| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 22 Jul 2012 10:20:56 +1200 From: David Hayes <davemellow@...il.com> To: Andreas Dilger <adilger@...mcloud.com> Cc: "linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org> Subject: Re: restoring ext3 filesystem overwritten by ext4 On 22/07/2012, Andreas Dilger <adilger@...mcloud.com> wrote: > On 2012-07-21, at 1:49, David Hayes <davemellow@...il.com> wrote: > >> This is a general question about whether it should be possible to >> effectively undo a mkfs.ext4 on a partition which previously held an >> ext3 filesystem. I'm just a user, not a developer, so I'm not familiar >> with the details of where backup superblocks get written etc. I had no >> luck finding any old filesystem information with testdisk, so I'm >> wondering whether ext4 might overwrite all the superblocks by >> coincidence of choosing the same blocks in the partition to write them >> as mkfs.ext3 did, or something. > > Yes, though it is no coincidence. For the same filesystem size, the same > superblocks will be used. It is likely that different group descriptor > blocks would be used, because of flex_bg. If you have a newer kernel it is > possible the inode tables were not zeroed out, which would otherwise have > clobbered a large part of the data. > >> If the answer to the above is "yes" I'll respond with more specific >> details if required. > > > First thing - do NOT mount the filesystem. Make a copy of the whole > partition using "dd" for experimentation. If the ext4 filesystem has never > been mounted, there is at least some chance the data can be recovered. > > Unfortunately, the new group descriptors will be in the same place as the > old ones. It is necessary to do something like "mke2fs -t ext3 -S" to > rebuild the old group descriptors and then run "e2fsck -fy" to see if there > is anything in the inode tables to recover. > > Cheers, Andreas Thanks for the reply Andreas. Unfortunately the filesystem was mounted after it was made and some data written to it. Also I mounted it at least once subsequently, as that would have been the first time I found the wrong partition had been used. Does that mean that there is no chance of recovering the old filesystem? If so I will just focus on forensic recovery of the files. It looks like the kernel was 2.6.32-220.el6.i686. Is that new enough so that the old inode tables would not be zeroed? Thanks for your help. Regards, David. -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists