recover data after running "dd if=/dev/zero ..." for a few seconds... Heeelp!
I mistakenly ran
dd if=/dev/zero of=/dev/sda7
instead of
dd if=/dev/zero of=/dev/hda7
hda is my laptop's hard drive
sda is my external hard disk, to which I had moved ALL of my files in order to clean up the laptop's hard disk
When I realized the laptop's hard disk wasn't working too much I realized my mistake, went Ctrl-C, Ctrl-Z, then kept the power button pushed down until power off...
What do I do now? Are there any files left of about 80 GB?? Can it be recovered?
Please help... I can't keep my eyes open right now (it's 2AM here). Hope someone helps me!
You have very little chance of recovering anything useful out of what was overwritten. What you did is exactly how you would permanently delete something if you didn't want anyone to be able to recover it.
If it really only ran for a few seconds then obviously it didn't zero out the entire 80 GB. But certainly whatever was in the beginning of that partition is wiped clean.
If you are only interested in file recovery, try PhotoRec - despite the name, it does more than just photos.
Else you might be in for some long nights with forensic software - foremost is generally recommended, but search here on LQ for "forensic" - you'll find plenty of hits.
The filesystem type was ext3.
The problem is... I was planning to do a backup on DVDs.
I was collecting everything I had and putting it on my external HD, to be burned immediately.
But I didn't have enough space on my laptop hard disk to save the temporary K3B image files.
So I also moved everything I had on my laptop to the external hard disk.
Then, I wanted to completely erase the partition on my laptop, and format it with ext2.
How can I recover what remains (hopefully) on the hard disk?
I know I probably won't recover what was overwritten with zeros...
but how can I get back the rest?
The partition table will have been wiped, so you'll want to look for data recovery software that can search for files without partition information. I'm afraid I don't know any but a search should turn up quite a few.
If you've got some free space somewhere, make an image of your external and do data recovery on that - then you still have the original if something goes wrong a second time (although if you're making an image with dd, there's a risk of typos again - your call).
As I understand the ext* filesystems, a directory is simply a file containing a list of pointers to other files. If you're lucky, the root directory might still be on there, although I guess it was probably near the beginning of the partition. It is possible to grep a drive with
but I'm not sure if there's a pattern you could use to look for a directory signature. Proper data recovery software is a far better way to go, but that kind of low-level stuff might help as a last resort.
A couple of tips for using dd in the future, don't want to rub salt in the wound and I know it doesn't help you right now, but might still be useful to think about:
Start your command with a '#' so it's actually a comment, and re-read it twice before deleting the '#' and hitting enter. That way if you're in the habit of just hitting enter as soon as you reach the end of the line, you might get the chance to catch a mistake.
If you're using dd for the same sort of things a lot, put the commands in a script, so you just have to get them right once then forget about them. Or in a case like this, you could set the variables $EXTERNAL_HDD=sda, $LAPTOP_HDD=hda, so they look very different and you're less likely to make a typo.
Ironically, on my desktop computer
sda is the internal hard disk
sdb is the external hard disk
on the laptop
hda is the internal hard disk
sda is the external hard disk
sighhhhh......
Is there any reliable society/individual
(apart from the NSA)
that knows his business
and can help me out for $$$?
(I hope I can ask this kind of things here,
if not please message me privately)
I'm just not in the state of mind
to do that myself right now
(plus, all of my notes
and software were in the damaged drive,
so I'm really sitting on nothing....)
P.S. And, even if I was all right and
excited, I'm not that good to be able
to do that...
Whatever you do, before doing it you should use dd (be careful now) to backup the whole drive to a file, and do it on that image instead of the real drive.
If it's ext3 you could try to replace the superblock with a copy. Ext3 stores many copies of the superblock around the disk, so you can try to recover a copy of the superblock.
Note that even if this succeeds, there's no guarantee that you will be able to recover anything at all.
Physically, it's possible to recover the data but only with very specialized hardware. That's because when you set all bytes to a logical zero, the real physical value is not exactly zero, and depends on the previous value. That's also why using /dev/random as input file is considered more secure than using /dev/zero, when you really want to get rid of the data. No idea about the economic cost of that at all.
On my system dd copies about 230 MB to an internal ext3 HDD in 3 seconds, so if you hit Ctrl-C quickly enough most of your data should still be there:
Code:
~$ dd if=/dev/zero of=zerofile
460639+0 records in
460639+0 records out
235847168 bytes (236 MB) copied, 3.10298 s, 76.0 MB/s
Quote:
On my system dd copies about 230 MB to an internal ext3 HDD in 3 seconds, so if you hit Ctrl-C quickly enough most of your data should still be there
Then there should be a lot of data still there...
But how come nothing seemed to stop when I hit Ctrl-C??
I had to keep down the power button for 4-5 seconds to stop it!!
Quote:
If it's ext3 you could try to replace the superblock with a copy. Ext3 stores many copies of the superblock around the disk, so you can try to recover a copy of the superblock.
That sounds really good, SPARE superblocks around the disk.
But how do I do that? Or (I know this is not the attitude here,
but I'm feeling a bit lost) how do I find someone to do that
for me?
I'm not planning to do hardware recovery (especially if that will cost me thousands of $), but recovering the un-zeroed part seems feasible, right?
Yes, I know, Google is my friend... but how can I decide if I can trust a certain company?
The big ones (e.g. "Guidance Software") seem to do just trillion$ business...
When I formatted the disk I didn't use any exotic option.
So I understand there should be 5% space reserved for _something_ (superblock? i didn't understand very much...)
Someone here talked about several copies of the superblock...
where is this superblock placed?
If there are two copies of it, they should be around 2.5% each, right?
to erase that on my 80GB partition would take
more than 4 minutes at 8MB/s
and around 26 seconds at 76 MB/s
(my external hard disk would not erase any faster than my internal hard disk, would it?
my internal hard disk erased at 8MB/s... ps I know I should test it myself... I'll do that on another partition as soon as I have backed up the data...).
I would avoid using recovery software if I could just repair this superblock...
Have you looked at Testdisk (previously recommended)? I seem to recall that it can find superblocks.
Some file system tools will not work unless you can see the partition.
Quote:
I would avoid using recovery software if I could just repair this superblock...
I don't think file recovery is any riskier than attempting to recover the superblock or the partition table.......If you have really valuable data, then just get the drive to a data recovery specialist.
Sorry, I misread your earlier post and forgot that it was a partition you zeroed and not the entire disk. If you read the earlier version of this post, please ignore it.
Since the partition table is intact for /dev/hda, you can use losetup to attach a device there. So it's possible to create an image of just the device.
Quote:
When I formatted the disk I didn't use any exotic option.
So I understand there should be 5% space reserved for _something_
That's space reserved for the superuser, which has nothing to do with the superblock.
Quote:
(superblock? i didn't understand very much...)
Someone here talked about several copies of the superblock...
where is this superblock placed?
That was me. And I also provided a link explaining the procedure.
Basically, what the guy in that link does is the following:
find the size of the affected volume
create a volume of the same size in a loopback file, you need empty space to do this
note down on a paper the places where a copy of the superblock was stored, since the affected volume is of the same size, the backups of its superblock should be on the same locations, in the example in that link you can see that there are backups of the superblock into 8193, 24577, 40961, 57345 and 73729
now run fsck on the affected volume and try to recover the last copy of the superblock (it's usually the last that will be overwritten by your evil dd command, that's why
If fsck can find a valid superblock you have a good chance to be able to recover part of the files that lived on your volume. It might even be able to restore your fs to a living state, however what's zeroed, it's zeroed. No one can do anything about that, except for the enterprises specialized in info recovery as we said before.
PS: Just for future reference, note that this is the reason why it's a very good thing to save a note on your drawer with the locations of the backups of your superblocks, each time that you mkfs a new filesystem.
Another PS: I am no specialist, and I said this before but repeat it now: if you really value your data, use dd to make a copy of the drive and operate on that, and not on the original drive.
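The superblock procedure discussed in this thread, as an added example that is not part of any poster's message: it computes where ext2/ext3 backup superblocks sit and which of them lie beyond a zeroed prefix of the partition. It assumes mke2fs defaults (sparse_super enabled, blocks per group = 8 x block size); the function names, the 80 GB size and the 380 MB zeroed estimate are constructed for illustration.

```python
# Added example: ext2/ext3 backup superblock locations under the assumed
# mke2fs defaults, and which backups survive a zeroed start of the partition.

def _is_power_of(n, base):
    """True if n is base**k for some k >= 0 (n must be >= 1)."""
    while n % base == 0:
        n //= base
    return n == 1

def backup_superblocks(fs_bytes, block_size=4096):
    """Block numbers of the backup superblocks for a filesystem of fs_bytes.

    Assumptions: sparse_super layout (backups in group 1 and in groups that
    are powers of 3, 5 or 7) and blocks_per_group = 8 * block_size.
    """
    blocks_per_group = 8 * block_size
    # With 1 KiB blocks the boot block occupies block 0, so data starts at 1.
    first_data_block = 1 if block_size == 1024 else 0
    total_blocks = fs_bytes // block_size
    groups = -(-(total_blocks - first_data_block) // blocks_per_group)  # ceil
    found = []
    for group in range(1, groups):
        if group == 1 or any(_is_power_of(group, b) for b in (3, 5, 7)):
            found.append(group * blocks_per_group + first_data_block)
    return found

def surviving_backups(fs_bytes, zeroed_bytes, block_size=4096):
    """Backups that start at or after the end of the zeroed prefix."""
    return [blk for blk in backup_superblocks(fs_bytes, block_size)
            if blk * block_size >= zeroed_bytes]

if __name__ == "__main__":
    partition = 80 * 10**9       # constructed: an 80 GB partition
    zeroed = 76 * 10**6 * 5      # constructed: 5 seconds at 76 MB/s
    print("all backups:     ", backup_superblocks(partition))
    print("beyond zeroed area:", surviving_backups(partition, zeroed))
```

A surviving block number is what `e2fsck -b` expects (with `-B` for the block size), run against an image of the partition rather than the drive itself.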