LinuxQuestions.org


venceslau 03-02-2012 02:50 PM

Help Recovering deleted data from SGI XFS file system
 
Hi, I somehow wiped the /etc/group on my NAS drive and now all of my data has gone missing. Yeah, more than 1.5Tb of data...and all my backups are on this drive (very smart, I know..lol).

Edit: The /etc/group file is actually fine, I don't know how I thought it was deleted. I am now certain that the files were deleted (I have a feeling it was a typo involving "rm -rf"...).

The NAS is a Western Digital (WDH1NC20000N) and it runs BusyBox on Linux. In addition to that I have also installed a few optware packages.

The files missing seem to all have been owned by a group called jewab (WD's default group for NAS filesystem).

I am pretty new to unix/linux, but I am hoping that the fact the files are missing is related to having corrupted this permissions file (or wiping it).
Even when I get shell as root, I still can't see any files listed (even using "ls -a").

So, my question to you gurus out there is:

What now? Should I try and rebuild the /etc/group manually by cross referencing the /etc/passwd? Or is it more complicated than that?

Thanks in advance

Filipe

Skaperen 03-03-2012 12:17 AM

Please try booting from a live CD/DVD system, and mounting the affected filesystem(s) in READ/ONLY mode (use -r option on mount). This will be a system in which you can be looking at the files in the context of a working /etc/group (even if it is not the same) and other important files like /etc/passwd not being corrupted, and directory permissions in the running system being correct.

You may have more damage than just losing /etc/group (it may be a more obvious symptom of a larger problem). This may be preventing access to some directories, or there may be actual deleted files, or the filesystem itself may be corrupt.

As for getting a system back up and running, I recommend buying a whole new drive and replacing the old affected drive with the new drive, and installing a fresh new system. AFTER that install is done and the new system is working to your preferences, then add the old drive to the system as a 2nd drive. Be sure to only ever mount the new drive's partitions in READ/ONLY mode until you are 100% sure you have recovered everything you can (that could be a while if this is a corrupted filesystem).

Any attempt to run the broken system itself could add even more damage, depending on what all is wrong with it, and should be avoided.

venceslau 03-05-2012 10:08 PM

Quote:

Originally Posted by Skaperen (Post 4617319)
Please try booting from a live CD/DVD system, and mounting the affected filesystem(s) in READ/ONLY mode (use -r option on mount). This will be a system in which you can be looking at the files in the context of a working /etc/group (even if it is not the same) and other important files like /etc/passwd not being corrupted, and directory permissions in the running system being correct.

You may have more damage than just losing /etc/group (it may be a more obvious symptom of a larger problem). This may be preventing access to some directories, or there may be actual deleted files, or the filesystem itself may be corrupt.

As for getting a system back up and running, I recommend buying a whole new drive and replacing the old affected drive with the new drive, and installing a fresh new system. AFTER that install is done and the new system is working to your preferences, then add the old drive to the system as a 2nd drive. Be sure to only ever mount the new drive's partitions in READ/ONLY mode until you are 100% sure you have recovered everything you can (that could be a while if this is a corrupted filesystem).

Any attempt to run the broken system itself could add even more damage, depending on what all is wrong with it, and should be avoided.


I have updated the thread title to "...Recover Deleted Data from SGI XFS File System".

Skaperen, thank you for your reply and sorry for taking forever to report back.
I tried taking the Linux approach, but I just am not familiar enough with it to venture into the different commands without knowing exactly what they do (which is exactly what got me into this situation in the first place..lol). So I went with what I am most familiar with - Windows.

My NAS drive has 3 partitions, the first and second are both ext3 and are system partitions. Initially I thought the 3rd was corrupt, since R-Studio wasn't detecting its file system. I now know it is SGI XFS.
Initially I was scanning with R-Studio and the 3rd partition wasn't being recognized (I thought maybe something was corrupt, so I just scanned it anyway). Using the "Extra Search for Known File Types" it was still able to find much of my data - but with no directory structure and no meaningful file names. Later on, I came to understand that it was simply due to the fact that R-Studio didn't support XFS.

After some more digging around I found that Raise Data Recovery for XFS was a good contender for a successful recovery of directory stack along with filenames.
I installed the trial version and scanned my 1.8Tb partition (about 8 hours). This program was able to find the proper file names and even most directory stacks. I then decided to purchase the full version (about 28 CAD) and have since been successfully recovering most of my data.

Now, I know that the NAS is set up as RAID0 - I've seen it mentioned. Is scanning through this 3rd partition enough, or do I need to emulate RAID0 somehow? There is only one hard drive in this setup, which in turn has the 3 partitions as I've mentioned. The first and second partition have about 1gb each and the 3rd has the 1.8Tb of storage. So I would assume that everything that I need to successfully recover the data would be in the 3rd partition only...correct?

Thanks in advance,

Filipe
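
The thread turns on a recovery tool not recognising the third partition as XFS, and on whether that partition holds the whole filesystem. The sketch below is an added example, not part of the original posts: it reads only the first 2 KiB of a partition opened read-only, identifies ext2/3/4 or XFS from the on-disk superblock magic, and compares the size the superblock declares with the partition size. The function names and the sample superblocks are constructed for illustration.

```python
import io
import struct

XFS_MAGIC = b"XFSB"   # sb_magicnum: first 4 bytes of an XFS filesystem
EXT_MAGIC = 0xEF53    # s_magic: at byte 1024 + 56 of an ext2/3/4 filesystem

def probe(dev, part_size):
    """Return (fs_type, declared_bytes, fits) for a partition opened 'rb'."""
    dev.seek(0)
    head = dev.read(2048)
    if head[:4] == XFS_MAGIC:
        # XFS superblock fields are big-endian: sb_blocksize, then sb_dblocks.
        blocksize, dblocks = struct.unpack_from(">IQ", head, 4)
        size = blocksize * dblocks
        return "xfs", size, size <= part_size
    if len(head) >= 1024 + 100:
        sb = head[1024:]  # the ext superblock starts 1024 bytes in
        (magic,) = struct.unpack_from("<H", sb, 56)
        if magic == EXT_MAGIC:
            (blocks,) = struct.unpack_from("<I", sb, 4)
            (log_bs,) = struct.unpack_from("<I", sb, 24)
            compat, incompat = struct.unpack_from("<II", sb, 92)
            size = blocks * (1024 << log_bs)
            # Heuristic: extents flag suggests ext4, journal flag ext3.
            kind = "ext4" if incompat & 0x40 else "ext3" if compat & 0x04 else "ext2"
            return kind, size, size <= part_size
    return "unknown", 0, False

def _sample_xfs(blocksize, dblocks):
    # Constructed sample: only the first three XFS superblock fields are set.
    return struct.pack(">4sIQ", XFS_MAGIC, blocksize, dblocks).ljust(2048, b"\0")

def _sample_ext3(blocks, log_bs):
    # Constructed sample: minimal ext superblock with the has_journal flag.
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, blocks)
    struct.pack_into("<I", sb, 24, log_bs)
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    struct.pack_into("<I", sb, 92, 0x04)
    return bytes(1024) + bytes(sb)

if __name__ == "__main__":
    part = 4096 * 1000
    print(probe(io.BytesIO(_sample_xfs(4096, 1000)), part))
    print(probe(io.BytesIO(_sample_xfs(4096, 2000)), part))  # declares more than the partition holds
    print(probe(io.BytesIO(_sample_ext3(262144, 2)), 1 << 30))
```

On a real system the same function takes a device node or image file opened with `open(path, "rb")` (for example a placeholder such as `/dev/sdX3`), so nothing is written to the disk being examined. A declared size that fits is consistent with the filesystem living in that one partition; it does not by itself rule out striping.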

