Re: Need Help restoring a filesystem on an external drive WD 'My Book'
- Date: Tue, 28 Nov 2017 20:18:55 +0100
- From: "Brian J. Oney" <brian.j.oney@xxxxxxxxxxxxxx>
- Subject: Re: Need Help restoring a filesystem on an external drive WD 'My Book'
the last bit made me laugh. If the situation is truly dire, you may consider file carving with 'scalpel' or 'foremost', both of which are in the repositories.
$ apt-cache show foremost scalpel
Maintainer: Raúl Benencia <rul@xxxxxxxxx>
Depends: libc6 (>= 2.14)
Description-en: forensic program to recover lost files
Foremost is a forensic program to recover lost files based on
their headers, footers, and internal data structures.
Foremost can work on image files, such as those generated by dd,
Safeback, Encase, etc, or directly on a drive. The headers and
footers can be specified by a configuration file or you can use
command line switches to specify built-in file types. These built-in
types look at the data structures of a given file format allowing
for a more reliable and faster recovery.
Tag: admin::forensics, admin::recovery, hardware::storage,
interface::commandline, role::program, scope::utility,
Maintainer: Debian Forensics <forensics-devel@xxxxxxxxxxxxxxxxxxxxxxx>
Depends: libc6 (>= 2.14)
Description-en: fast filesystem-independent file recovery
scalpel is a fast file carver that reads a database of header and footer
definitions and extracts matching files from a set of image files or raw
scalpel is filesystem-independent and will carve files from FAT16, FAT32,
exFAT, NTFS, Ext2, Ext3, Ext4, JFS, XFS, ReiserFS, raw partitions, etc.
scalpel is a complete rewrite of the Foremost 0.69 file carver and is
useful for both digital forensics investigations and file recovery.
Tag: admin::forensics, admin::recovery, role::program, scope::utility,
On Tue, 2017-11-28 at 19:48 +0100, Thomas Schmitt wrote:
> arne wrote:
> > and I doubt if I understand what is a 'sparse' superblock
> It's not a bad sign, as it seems:
> "The first version of ext2 (revision 0) stores a copy at the start of
> every block group, along with backups of the group descriptor block(s).
> Because this can consume a considerable amount of space for large
> filesystems, later revisions can optionally reduce the number of backup
> copies by only putting backups in specific groups (this is the sparse
> superblock feature)."
> > Command line: TestDisk /log /dev/sdb
> > ...
> > 1 P partition_map 1 63 63
> Looks like it recognized a GUID partition table (GPT).
> > 3 P HFS 262208 1953525151 1953262944
> This would be the ext filesystem's partition.
> The following superuser command establishes a read-only loop device which
> begins at the given block:
> losetup -o $(expr 262208 '*' 512) -r -f /dev/sdb
> (Contrary to the man page, losetup -f does not tell me the used device path.
> I have to run
> losetup -l | fgrep /dev/sdb
> to learn that it's /dev/loop0.)
> > Linux 262208 1953525151 1953262944
> > ext2 blocksize=4096 Large file Sparse superblock, 1000 GB / 931 GiB
> > recover_EXT2: "e2fsck -b 32768 -B 4096 device" may be needed
> This is probably the normal superblock in that partition.
> But running e2fsck might cause the end of the remaining data in the
> I'd try to mount the loop device and hope to recover some files.
> When this is queezed out, then maybe a run of e2fsck might recover more
> valid files ... or ruin the filesystem.
> Have a nice day :)