LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Hardware (https://www.linuxquestions.org/questions/linux-hardware-18/)
-   -   Restore partition table on external drive? (https://www.linuxquestions.org/questions/linux-hardware-18/restore-partition-table-on-external-drive-4175467887/)

Wocky 06-30-2013 04:51 AM
Restore partition table on external drive?
 
I've got a 1TB Seagate external drive (model 9sd2a6-500 if it matters) which had a single partition on it (the partitioning hadn't been changed from purchase). I'd used truecrypt (www.truecrypt.org) to encrypt the entire disk. a few days ago I plugged it into a Windows box, which decided that it should be repartitioned, and deleted the partition. I unplugged it before any more damage was done (so no more formatting had been started), but the disk now shows no partitions at all. I tried testdisk (http://www.cgsecurity.org/wiki/TestDisk) on it, but it said it couldn't find any partitions (though that could have been because the disk was encrypted). I tried setting up a virtual disk with
$ dd if=/dev/zero of=disk.img bs=1024 count=1M
$ losetup /dev/loop4 disk.img
$ fdisk /dev/loop4
<create new partition, type 7 (HPFS/NTFS), that spans the entire file>
$ kpartx -a `pwd`/disk.img
$ truecrypt -c /dev/mapper/loop4p1
<create new truecrypt volume over entire file>
$
<mount file using truecrypt, then copy some files onto it, then umount it>
$ kpartx -d `pwd`/disk.img
$ fdisk /dev/loop4
<delete partition>
$ fdisk /dev/loop4
<create the same partition over the entire disk>
$ <try to mount truecrypt volume>
truecrypt: wrong password or not a truecrypt device

I bought a new 1TB Seagate drive (of a different type), mounted it, copied some stuff to it, umounted it, deleted the partition, recreated the partition, and tried to mount it again. It failed, with the message that there was no filesystem on it.

Any other suggestions? Have I lost my data?

Thanks

pingu 06-30-2013 05:27 AM
What were you doing with that "dd if=/dev/zero of=disk.img bs=1024 count=1M"?
Don't tell me that "disk.img" means your 1TB disk - if so you're lost.
But maybe that's just experimenting without touching real disk.

Different partition tools do different things.
* All Windows tools I know overwrites things like MFT, making recovery more difficult.
When Windows tools reformats a disk it actually writes stuff in more places than just the partition table.
(A small note here: I have not used any Windows tools after WinXP, things might have changed.)
* fdisk for Linux - NOT for Windows! - only changes the partition table. I don't know how other tools for Linux works. Go for fdisk, it seems you're already familiar with it.

I have tried this a lot. Created partitions, copy stuff to them, delete partitions using fdisk - all data lost.
Recreate partitions w fdisk - all data back.
Of course, you have to be careful. If you're really concerned abut your datat then take a backup of the disk with 'dd' or ''dd-rescue', or some other tools that makes a raw copy.
Then work on the copy! (Or even better, at least if you use dd/dd-rescue, take a copy of the copy so you have a copy left to copy from - dd is extremely slow.)

So my tip is:
Use fdisk in Linux, and recreate the partition. As there were only one it's pretty easy, just go for the defaults. (And delete any partition on it.)
If you're lucky it works. If not... hmm - let's think about that!

jefro 06-30-2013 03:50 PM
Wonder if you could use ranish to guess the old partition. Ultimate boot cd has it I think.

pingu 06-30-2013 05:18 PM
Reading OP's post again I think I knocked in open doors.
What you actually were doing was creating fake partitions to see if deleting & recreating partitions with fdisk worked, right?
Obviously it didn't, this must mean that Truecrypt actually fiddles with the bytes in the partition table??

I don't know exactly how encryption works, the bits & bytes behind it, so I'm basically guessing here.
This is the thing:
The partition table is located in mbr.
mbr=the first 512 bytes of the disk.
The partition table resists on 446-510. fdisk *only* makes changes in these 64 bytes. I have tried that, several times - but never using encryption.
Truecrypt can't read the recreated partition. Why, beats me. My 2 cents:
* Maybe the partition has the wrong type? NTFS is type '7', Linux swap='82', ext3='83' and so on.
Maybe Truecrypt has it's own type?
* Maybe Truecrypt puts some extra code in the partition table - this should not be possible as there simply is no room for it.

As long as nobody who really *knows* about this stuff answers, here's what I would do:
Create a new fake disk with one partition, encrypt it.
Check the file system type. Also dump the mbr of this disk ("dd if=/dev/loop4 of=<encrypteddisk_mbr> bs=1 count=512)
Then create a second fake disk with one partition, but don't encrypt it.
Check the file system type, and again dump the mbr of this disk ("dd if=/dev/loop5 of=<nocryptdisk_mbr> bs=1 count=512)
Compare partition table & mbr from these 2 disks.

pingu 06-30-2013 05:27 PM
Quote:
Originally Posted by jefro (Post 4981318)
Wonder if you could use ranish to guess the old partition. Ultimate boot cd has it I think.
Sounds like an interresting tool!
Do you know how it works, that is does it alter anything else than the partition table like superblocks etc?
And I'm going to check XOSL as I don't like grub2, desperately looking for a substitution!

pingu 06-30-2013 05:34 PM
One important thing: I've just assumed your 1TB disk was formatted "old school" - DOS type.
Is that correct, or is it the new GPT?


All times are GMT -5. The time now is 06:28 AM.