LinuxQuestions.org
Old 05-22-2007, 05:50 AM   #1
SCerovec
Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware x86 and ARM and Porteus
Posts: 655

Rep: Reputation: 45
ext2fs drama: i-node destroyed by mke2fs


All the file recovery documents I could find cover the ideal circumstance cases of file recovery...

I have a real-life situation with a worst-case scenario:

I have an ext2fs partition in a file (e.g. part.img)

1. formatted
2. populated
<all ok, but problems start here...>
3. formatted (by mistake :-( )
<I need the files back, especially a 'file.odt'>
4. directory structure can be recovered somehow
5. all i-node information is bad (due to mke2fs's pass?)

How do I get my file(s)?
I can see the data of the most important file (found the mime-magic string on the partition) with lde (version 2.6.1)

Is there a way to recover a destroyed i-node?
Is there a way to recover that single .odt file from that partition?
Is there a un-mke2fs tool?
Is there a better-than-lde ext2fs editor?

How are the file-blocks scattered on the partition after a copy (all the files were cp-ed in a single pass)? Are they sequential?

Please, do post only examples that are real-life tested, as I already did all kinds of tests from various howtos that only failed miserably. :-(
The kernel is 2.6.13.17, distro is Slackware, the copy was done with konqueror.

I'm an lde newbie, just for the record, but have some basic experience with hex-editors.
 
Old 05-22-2007, 06:08 AM   #2
Samotnik
Member
 
Registered: Jun 2006
Location: Belarus
Distribution: Debian GNU/Linux testing/unstable
Posts: 471

Rep: Reputation: 40
Try sleuthkit package.
 
Old 05-23-2007, 11:23 AM   #3
SCerovec
Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware x86 and ARM and Porteus
Posts: 655

Original Poster
Rep: Reputation: 45
I will after I try foremost first,...
Did You try sleuthkit? Once I tried, I got lost among the configurations (case, ...)
Honestly, It looked a little bit over-done...
And later on ccorr
 
Old 05-24-2007, 05:03 AM   #4
SCerovec
Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware x86 and ARM and Porteus
Posts: 655

Original Poster
Rep: Reputation: 45
I did it finally.

Early in the morning (~0200am) I managed to carve the .odt file.

I had to edit the foremost.conf file:
I added a new line with the odt's file 'magic' for the footer and header...
I found the info in /etc/file/magic* and in two similar .odt files.

Then I ran foremost without the -t parameter and got the file finally. I spent some more time to make a script that takes required input via kdialog and plan to post it ASAP here...

I still plan to try to carve the fragmented png files if possible too.
 
Old 05-29-2007, 12:07 PM   #5
St.John
LQ Newbie
 
Registered: May 2007
Posts: 5

Rep: Reputation: 0
Configuring foremost

How can you edit the foremost.conf file (and where should I find it, is it the thing with a lot of ##'s in it, the sample config file)?

My home partition was by accident formatted from ReiserFS (Suse 10.1) to Ext3 (same Suse, re-install). I had made a backup (I THOUGHT) but the backup was gone after I wished to copy back my data ....

I have made an image of the home device and foremost found some of the data like pictures and old openoffice style documents I never made myself (sxw, sxi, etc.).
How can I make foremost finding documents in newer style like odt, ods, odp, odg, ot*?
Is there a possibility to restore the names too?

I have tried to restore the previous partition with reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb2 (hdb2 is my place of home), found at http://www.antrix.net/journal/techta...howto.comments, but without any luck.

Please instruct very carefully. I am a very n00b-y newbie.

Thnx 4 your help!


St. John
 
Old 05-30-2007, 07:15 AM   #6
SCerovec
Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware x86 and ARM and Porteus
Posts: 655

Original Poster
Rep: Reputation: 45
Dear John (the TV serial ;-) )

First of all:
Work only on a copy of the image. Always!

Quote:
Originally Posted by St.John
How can you edit the foremost.conf file (and where should I find it, is it the thing with a lot of ##'s in it, the sample config file)?

Sorry for Your loss. Really.
The foremost.conf file is expected to be found in /etc/. In the package it's located in the root-dir of it.

Quote:
My home partition was by accident formatted from ReiserFS (Suse 10.1) to Ext3 (same Suse, re-install). I had made a backup (I THOUGHT) but the backup was gone after I wished to copy back my data ....

I had that a while ago, it's a mess ... :-(. Expect no more than 35% of files back. Anything more is reason for joy ;-)

Quote:
I have made an image of the home device and foremost found some of the data like pictures and old openoffice style documents I never made myself (sxw, sxi, etc.).
How can I make foremost finding documents in newer style like odt, ods, odp, odg, ot*?

You need to make new lines in the .conf file with footer- and header- data so foremost can figure out the file-body.
1. Open at least two known-good *.odt files with e.g. khexedit and examine the beginning and end of the files. Also consult the mime-magic found in /etc/file/* for the right pointers. Use wildcards, the fewer the better...
2. The magic for odt files is with vnd.oasis ...
3. Make the lines in the /etc/foremost.conf
4. Uncomment other lines describing desired file types
5. Run foremost ...

Quote:
Is there a possibility to restore the names too?

There is no possibility to restore names via carving.

Quote:
I have tried to restore the previous partition with reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hdb2 (hdb2 is my place of home), found at http://www.antrix.net/journal/techta...howto.comments, but without any luck.

You always have the option to turn to reiser's developer team for paid recovery.
The other option is to use scalpel. It's a fork of foremost at 0.69 release. It looks a bit more advanced.

Quote:
Please instruct very carefully. I am a very n00b-y newbie.
Thnx 4 your help!

St. John

The damage is done already. Take Your time, rush no more, to recover as much as You can.
The thing to hope for is that your most important files are not too fragmented. Carving restores sequential blocks, so fragmented files will get garbage in them. There is no chance a carver can distinguish the right from the wrong footer in a sequence of blocks.
Chances are there is some i-node information left on the volume. Try to salvage as many i-nodes as possible.
I wish You best luck.
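Added example, not part of the original posts and not foremost's own logic: a minimal Python carver showing the header and footer that such a .conf line has to describe for OpenDocument files. The function names and the in-memory sample image are constructed for illustration; the byte offsets follow the ZIP layout that ODF packages use.

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"  # ZIP local file header: same for .odt, .ods, .zip
EOCD = b"PK\x05\x06"       # ZIP end-of-central-directory record (the "footer")
ODF_PREFIX = b"application/vnd.oasis.opendocument."

def carve_odf(image):
    """Return (offset, mime_type, blob) for each contiguous ODF file found."""
    found, pos = [], 0
    while (start := image.find(LOCAL_HDR, pos)) != -1:
        pos = start + 4
        # ODF puts an uncompressed "mimetype" entry first: the name sits at
        # offset 30 of the file and its content (the MIME type) at offset 38.
        if image[start + 30:start + 38] != b"mimetype":
            continue
        (mime_len,) = struct.unpack_from("<I", image, start + 22)
        mime = image[start + 38:start + 38 + min(mime_len, 80)]
        if not mime.startswith(ODF_PREFIX):
            continue
        end = start
        while (end := image.find(EOCD, end + 1)) != -1 and end + 22 <= len(image):
            cd_size, cd_off, comment_len = struct.unpack_from("<IIH", image, end + 12)
            # Accept a footer only if the central directory ends exactly where
            # the footer starts, measured from this header. That holds for an
            # unfragmented file and rejects footers of other ZIP files.
            if start + cd_off + cd_size == end:
                blob = image[start:end + 22 + comment_len]
                found.append((start, mime.decode("ascii", "replace"), blob))
                pos = end + 22
                break
    return found

def make_sample(mime, text):
    """Constructed sample data: a minimal ODF-like package built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", mime)  # first entry, stored uncompressed
        zf.writestr("content.xml", text, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def demo():
    """Carve a constructed image holding one .odt and one .ods between padding."""
    odt = make_sample("application/vnd.oasis.opendocument.text", "<doc>letter</doc>")
    ods = make_sample("application/vnd.oasis.opendocument.spreadsheet", "<doc>sheet</doc>")
    image = b"\x00" * 1024 + odt + b"\xff" * 300 + ods + b"\x00" * 512
    return [(off, mime, len(blob)) for off, mime, blob in carve_odf(image)]
```

Every ODF type starts with the same four bytes, so the MIME string at offset 38 is what tells .odt from .ods. A file whose blocks are not contiguous fails the offset check and is skipped rather than written out with foreign data in it.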
 
Old 06-05-2007, 03:07 PM   #7
St.John
LQ Newbie
 
Registered: May 2007
Posts: 5

Rep: Reputation: 0
Hi SCerovec,

Sorry that I am late with responding but I am in a kind of a horror scene. Two people in the family are laying to death (how do you say that in correct English but you will understand me I think) and a friend of mine had a bleeding in the brain so I am running from one hospital to another and I spend a lot of time with the partners of those that are in hospital to support them.

I will take a look at your advice and thank you for that!
I will let you know how it was going with my restoring adventure but if you don't see any response from me just look a week later or something.
You will hear about me later.

Thanks for now, I am glad that I have some time now to put this message over here so you know that I will respond and I am still interested in your help and that I want to share my restoring adventure.

Thanks and great Greetux,

John
 
Old 06-07-2007, 01:31 PM   #8
SCerovec
Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware x86 and ARM and Porteus
Posts: 655

Original Poster
Rep: Reputation: 45
Sorry

Quote:
Originally Posted by St.John
Hi SCerovec,

Sorry that I am late with responding
...
Thanks and great Greetux,

John

I'm truly sorry for Your circumstances, I wish I could help You if I could...

Regarding the time for answers, just take your time buddy and take it easy. This is a forum, it can wait for months (not that it must...).

Anyhow I'm subscribed to this thread, so when You're back, I'll be there. Just keep in mind, we are documenting a procedure for the whole community, not just us. ;-)
 
Old 09-04-2007, 05:16 AM   #9
St.John
LQ Newbie
 
Registered: May 2007
Posts: 5

Rep: Reputation: 0
--regarding the time for answers, just take your time buddy and take it easy.--


Thanks for your understanding answer.
I was afraid that I had left a bad reputation as a newly arrived newbie at this forum with responding that late! Anyway...

I have tried several times to restore the files and I looked at the beginning and the end of the file with khexedit but ods and odt files had the same beginning and ending! I could fill in more exe-code but I saw that that was different sometimes.
And what to fill in as maximum file size? I have tried a nice size, I thought (some number with several zeros), but after scanning, the hard disk was too small to put all those files on!
And they were not the open office files.

What do you mean with "The magic for odt files is with vnd.oasis ..."?

Well, in the meanwhile we are some months later and my administration is running very behind, so for now I give up.
I will keep the image for a while for if I have nothing to do better so I can try new advisement.

Life goes on, today I give it a restart with an installation of a newer distro version (nothing to lose now)!

Thanks for your answer(s)!

St. John
 
  

