LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 03-02-2012, 01:50 PM   #1
venceslau
LQ Newbie
 
Registered: Mar 2012
Posts: 2

Rep: Reputation: Disabled
Unhappy Help Recovering deleted data from SGI XFS file system


Hi, I somehow wiped the /etc/group on my NAS drive and now all of my data has gone missing. Yeah, more than 1.5Tb of data...and all my backups are on this drive (very smart, I know..lol).

Edit: The /etc/group file is actually fine, I don't know how I thought it was deleted. I am now certain that the files were deleted (I have a feeling it was a typo involving "rm -rf"...).

The NAS is a Western Digital (WDH1NC20000N) and it runs BusyBox on Linux. In addition to that I have also installed a few optware packages.

The files missing seem to all have been owned by a group called jewab (WD's default group for NAS filesystem).

I am pretty new to unix/linux, but I am hoping that the fact the files are missing is related to having corrupted this permissions file (or wiping it).
Even when I get shell as root, I still can't see any files listed (even using "ls -a").

So, my question to you gurus out there is:

What now? Should I try and rebuild the /etc/group manually by cross referencing the /etc/passwd? Or is it more complicated than that?

Thanks in advance

Filipe

Last edited by venceslau; 03-05-2012 at 11:05 PM.
 
Old 03-02-2012, 11:17 PM   #2
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Rep: Reputation: 115Reputation: 115
Please try booting from a live CD/DVD system, and mounting the affected filesystem(s) in READ/ONLY mode (use -r option on mount). This will be a system in which you can be looking at the files in the context of a working /etc/group (even if it is not the same) and other important files like /etc/passwd not being corrupted, and directory permissions in the running system being correct.

You may have more damage than just losing /etc/group (it may be a more obvious symptom of a larger problem). This may be preventing access to some directories, or there may be actual deleted files, or the filesystem itself may be corrupt.

As for getting a system back up and running, I recommend buying a whole new drive and replacing the old affected drive with the new drive, and installing a fresh new system. AFTER that install is done and the new system is working to your preferences, then add the old drive to the system as a 2nd drive. Be sure to only ever mount the new drive's partitions in READ/ONLY mode until you are 100% sure you have recovered everything you can (that could be a while if this is a corrupted filesystem).

Any attempt to run the broken system itself could add even more damage, depending on what all is wrong with it, and should be avoided.
 
Old 03-05-2012, 09:08 PM   #3
venceslau
LQ Newbie
 
Registered: Mar 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Skaperen View Post
Please try booting from a live CD/DVD system, and mounting the affected filesystem(s) in READ/ONLY mode (use -r option on mount). This will be a system in which you can be looking at the files in the context of a working /etc/group (even if it is not the same) and other important files like /etc/passwd not being corrupted, and directory permissions in the running system being correct.

You may have more damage than just losing /etc/group (it may be a more obvious symptom of a larger problem). This may be preventing access to some directories, or there may be actual deleted files, or the filesystem itself may be corrupt.

As for getting a system back up and running, I recommend buying a whole new drive and replacing the old affected drive with the new drive, and installing a fresh new system. AFTER that install is done and the new system is working to your preferences, then add the old drive to the system as a 2nd drive. Be sure to only ever mount the new drive's partitions in READ/ONLY mode until you are 100% sure you have recovered everything you can (that could be a while if this is a corrupted filesystem).

Any attempt to run the broken system itself could add even more damage, depending on what all is wrong with it, and should be avoided.

I have updated the thread title to "...Recover Deleted Data from SGI XFS File System".

Skaperen, thank you for your reply and sorry for taking for ever to report back.
I tried taking the linux approach, but I just am not familiar enough with it to venture into the different commands without knowing exactly what they do (which is exactly what got me into this situation in the first place..lol). So I went with what I am most familiar with - Windows.

My NAS drive has 3 partitions, the first and second are both ext3 and are system partitions. Initially I thought the 3rd was corrupt, since r-studio wasn't detecting it's file system. I now know it is SGI XFS.
Initially I was scanning with r-studio and the 3rd partition wasn't being recognized (I thought maybe something was corrupt, so I just scanned it anyway). Using the "Extra Search for Known File Types" it was still able to find much of my data - but with no directory structure and no meaningful file names. Later on, I came to understand that it was simply due to the fact that r-studio didn't support XFS.

After some more digging around I found that Raise Data Recovery for XFS was a good contender for a successful recovery of directory stack along with filenames.
I installed the trial version and scanned my 1.8Tb partition (about 8 hours). This program was able to find the proper file names and even most directory stacks. I then decided to purchase the full version (about 28 CAD) and have since been successfully recovering most of my data.

Now, I now that the NAS is setup as RAID0 - I've seen it mentioned. Is scanning through this 3rd partition enough, or do I need to emulate RAID0 somehow? There is only one harddrive in this setup, which in turn has the 3 partitions as I've mentioned. The first and second partition have about 1gb each and the 3rd has the 1.8Tb of storage. So I would assume that everything that I need to successfully recover the data would be in the 3rd partition only...correct?

Thanks in advance,

Filipe
 
  


Reply

Tags
deleted, nas, recovery, xfs


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
All files wiped in /tmp & permissions changed FTJSmit Linux - Server 2 01-16-2012 02:12 PM
Files being wiped after theyre modified. onesikgypo Linux - Newbie 2 09-28-2009 03:37 AM
Possible hacking; wiped - now hard drive space missing? - hidden files? trekk Linux - Security 9 11-10-2006 10:17 AM
wiped out lots of files :( skull_crusher Linux - Newbie 0 04-10-2003 04:10 AM
Missing aquota. group and aquota.user files nam Linux - General 2 11-05-2002 04:28 PM


All times are GMT -5. The time now is 03:06 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration