lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 22 Jul 2012 10:20:56 +1200
From:	David Hayes <davemellow@...il.com>
To:	Andreas Dilger <adilger@...mcloud.com>
Cc:	"linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>
Subject: Re: restoring ext3 filesystem overwritten by ext4

On 22/07/2012, Andreas Dilger <adilger@...mcloud.com> wrote:
> On 2012-07-21, at 1:49, David Hayes <davemellow@...il.com> wrote:
>
>> This is a general question about whether it should be possible to
>> effectively undo a mkfs.ext4 on a partition which previously held an
>> ext3 filesystem. I'm just a user, not a developer, so I'm not familiar
>> with the details of where backup superblocks get written etc. I had no
>> luck finding any old filesystem information with testdisk, so I'm
>> wondering whether ext4 might overwrite all the superblocks by
>> coincidence of choosing the same blocks in the partition to write them
>> as mkfs.ext3 did, or something.
>
> Yes, though it is no coincidence. For the same filesystem size, the same
> superblocks will be used. It is likely that different group descriptor
> blocks would be used, because of flex_bg. If you have a newer kernel it is
> possible the inode tables were not zeroed out, which would otherwise have
> clobbered a large part of the data.
>
>> If the answer to the above is "yes" I'll respond with more specific
>> details if required.
>
>
> First thing - do NOT mount the filesystem. Make a copy of the whole
> partition using "dd" for experimentation.  If the ext4 filesystem has never
> been mounted, there is at least some chance the data can be recovered.
>
> Unfortunately, the new group descriptors will be in the same place as the
> old ones. It is necessary to do something like "mke2fs -t ext3 -S" to
> rebuild the old group descriptors and then run "e2fsck -fy" to see if there
> is anything in the inode tables to recover.
>
> Cheers, Andreas

Thanks for the reply Andreas. Unfortunately the filesystem was mounted
after it was made and some data written to it. Also I mounted it at
least once subsequently, as that would have been the first time I
found the wrong partition had been used. Does that mean that there is
no chance of recovering the old filesystem? If so I will just focus on
forensic recovery of the files.

It looks like the kernel was 2.6.32-220.el6.i686. Is that new enough
so that the old inode tables would not be zeroed?

Thanks for your help.

Regards, David.
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists