Web lists-archives.com

Re: Need Help restoring a filesystem on an external drive WD 'My Book'




Hello,
the last bit made me laugh. If the situation is truly dire, you may consider file carving with 'scalpel' or 'foremost', both of which are in the repositories.

$ apt-cache show foremost scalpel
Package: foremost
Version: 1.5.7-6
Installed-Size: 123
Maintainer: Raúl Benencia <rul@xxxxxxxxx>
Depends: libc6 (>= 2.14)
Description-en: forensic program to recover lost files
 Foremost is a forensic program to recover lost files based on
 their headers, footers, and internal data structures.
 .
 Foremost can work on image files, such as those generated by dd,
 Safeback, Encase, etc, or directly on a drive. The headers and
 footers can be specified by a configuration file or you can use
 command line switches to specify built-in file types. These built-in
 types look at the data structures of a given file format allowing
 for a more reliable and faster recovery.
Homepage: http://foremost.sourceforge.net/
Tag: admin::forensics, admin::recovery, hardware::storage,
 interface::commandline, role::program, scope::utility,
 security::forensics, use::scanning
Filename: pool/main/f/foremost/foremost_1.5.7-6_amd64.deb

Package: scalpel
Version: 1.60-4
Installed-Size: 82
Maintainer: Debian Forensics <forensics-devel@xxxxxxxxxxxxxxxxxxxxxxx>
Depends: libc6 (>= 2.14)
Description-en: fast filesystem-independent file recovery
 scalpel is a fast file carver that reads a database of header and footer
 definitions and extracts matching files from a set of image files or raw
 device files.
 .
 scalpel is filesystem-independent and will carve files from FAT16, FAT32,
 exFAT, NTFS, Ext2, Ext3, Ext4, JFS, XFS, ReiserFS, raw partitions, etc.
 .
 scalpel is a complete rewrite of the Foremost 0.69 file carver and is
 useful for both digital forensics investigations and file recovery.
Homepage: http://www.digitalforensicssolutions.com/Scalpel
Tag: admin::forensics, admin::recovery, role::program, scope::utility,
 security::forensics
Filename: pool/main/s/scalpel/scalpel_1.60-4_amd64.deb

Cheers,
Brian


On Tue, 2017-11-28 at 19:48 +0100, Thomas Schmitt wrote:
> Hi,
> 
> arne wrote:
> > and I doubt if I understand what is a 'sparse' superblock
> 
> It's not a bad sign, as it seems:
> 
>   http://www.nongnu.org/ext2-doc/ext2.html#SUPERBLOCK
>   "The first version of ext2 (revision 0) stores a copy at the start of
>    every block group, along with backups of the group descriptor block(s).
>    Because this can consume a considerable amount of space for large
>    filesystems, later revisions can optionally reduce the number of backup
>    copies by only putting backups in specific groups (this is the sparse
>    superblock feature)."
> 
> 
> > Command line: TestDisk /log /dev/sdb
> > ...
> > 1 P partition_map                  1         63         63
> 
> Looks like it recognized a GUID partition table (GPT).
> 
> > 3 P HFS                       262208 1953525151 1953262944
> 
> This would be the ext filesystem's partition.
> The following superuser command establishes a read-only loop device which
> begins at the given block:
> 
>   losetup -o $(expr 262208 '*' 512) -r -f /dev/sdb
> 
> (Contrary to the man page, losetup -f does not tell me the used device path.
>  I have to run
>    losetup -l | fgrep /dev/sdb
>  to learn that it's /dev/loop0.)
> 
> 
> >     Linux                     262208 1953525151 1953262944
> >     ext2 blocksize=4096 Large file Sparse superblock, 1000 GB / 931 GiB
> > recover_EXT2: "e2fsck -b 32768 -B 4096 device" may be needed
> 
> This is probably the normal superblock in that partition.
> But running e2fsck might cause the end of the remaining data in the
> filesystem.
> 
> I'd try to mount the loop device and hope to recover some files.
> When this is queezed out, then maybe a run of e2fsck might recover more
> valid files ... or ruin the filesystem.
> 
> 
> Have a nice day :)
> 
> Thomas
>